1. Implementing PKI

PKI enables confidentiality, integrity, authenticity and non-repudation of data exchanges, by:

• encrypting/decrypting data
• signing messages
• verification of signatures
• verification of certificate validity

Implementing PKI

© 2002 Editions Eyrolles, ISBN 2-212-11045-6

Implementing PKI

• on the network level (e.g. IPSec)
• on the transport level (e.g. SSL/TLS)
• on the the application level (e.g. S/MIME or XML-Dsig)

Implementing PKI

© 2002 Editions Eyrolles, ISBN 2-212-11045-6

1.1. IPSec - securing the network

• designed for IPv4 and IPv6
• and offers:
  • access control,
  • integrity,
  • data origin authentication,
  • detection and rejection of replays,
  • confidentiality.

IPSec (securing the network level)

IPsec security services are provided through:

• 2 traffic protocols:
  • AH (Authentication Header)
  • ESP (Encapsulating Security Payload)
• 2 management constructs to enforce boundary security:
  • SA (Security Association)
  • SPD (Security Policy Database)
• 2 key management procedures:
  • "manual" mode
  • IKE (Internet Key Exchange) mode

1.2. SSL/TLS - securing the web

The protocol is composed of two layers:

• The TLS Record Protocol
  • The connection is private.
  • The connection is reliable.
• The TLS Handshake Protocol.
  • The peer's identity can be authenticated using asymmetric, or public key, cryptography (e.g. RSA).
  • The negotiation of a shared secret is secure.
  • The negotiation is reliable.

SSL/TLS - securing the web

An SSL client-server session is established via the following mechanisms:

1. The client sends session establishment data like encryption parameters, SSL version, etc. as well as a random generate code.
2. The server responds with the same type of data as well his public key certificate. Optionally it can ask for a client certificate.
3. The client identifies the server via its certificate.
4. The client then sends a "pre" secret key encrypted with the server's public key. If client auth is used, we add a signed data bloc as well as the client's certificate.
5. The server validates the client certificate if needed, then decrypts the "pre" secret key.
6. Client and server realise a series of operations to agree on the final secret key.
7. The session is then completely established.

1.3. S/MIME - securing e-mail

The S/MIME protocol (Secure Multi-purpose Internet Mail Extension), enables digital signatures and encryption of MIME formated messages (e.g. e-mail). Similar to SSL, S/MIME uses a hybrid crypto system. The message is encrypted with a symmetric session key, that itself is secured by using the destination's public key. With multiple recipients the session key has to be encrypted several times using the different public keys.

• RFC3852 Cryptographic Message Syntax (CMS)
• RFC3851 Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification
• RFC3850 Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Certificate Handling
• RFC2631 Diffie-Hellman Key Agreement Method

1.4. XML-Dsig - securing (XML) documents

To enable secure B-to-B transactions or document exchanges over the Internet, the W3C and IETF started the XML-Signature project, defining non-repudiation mechanisms for signing XML (eXtensible Markup Language) documents.

The following example is a detached signature of the content of the HTML4 in XML specification:

  <Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#"> 
    <SignedInfo> 
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> 
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/> 
        <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/"> 
          <Transforms> 
            <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> 
          </Transforms> 
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> 
          <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue> 
        </Reference> 
      </SignedInfo> 
      <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue> 
      <KeyInfo> 
        <KeyValue>
          <DSAKeyValue> 
            <P>...</P><Q>...</Q><G>...</G><Y>...</Y> 
          </DSAKeyValue> 
        </KeyValue> 
      </KeyInfo> 
  </Signature>

1.5. Securing your own applications

Beyond using SSL/TLS, S/MINE or XML-Dsig, securing your own applications using PKI means integration. This can be done via 3 approaches:

• "clé en mains" solution
• passive integration
  • integrating a "plug-in" or middleware
  • adding a relay server ("reverse-proxy") between client and server
• active integration
  • application oriented
  • low level
  • so called "PKI" API

2. Authentication

Authentication

(from Greek authentikos: real or genuine; from authentes: author)

• The three most commonly recognized factors are:
  • 'something you know' (password, PIN, ...),
  • 'something you have' (credit card, hardware token, ...),
  • 'something you are' (fingerprint, retinal pattern or other biometric).

• Other, less common factors may include:
  • Recognition-based or cognometric authentication
  • Cybermetric authentication
  • Location-based authentication
  • Time-based authentication
  • Size-based authorization
  • Pre-authorized transactions

Using more than one factor is called strong authentication.

2.1. Authentication in PKI

© 1999 Department of Computer Science and Information Systems, The University of Hong Kong

2.2. Schneier on Security - The Failure of Two-Factor Authentication

  March 15, 2005
  
  Two-factor authentication isn't our saviour. It won't defend against phishing. 
  It's not going to prevent identity theft. It's not going to secure on-line 
  accounts from fraudulent transactions. It solves the security problems we had 
  ten years ago, not the security problems we have today.
  
  The problem with passwords is that they're too easy to lose control of. People 
  give them to other people. People write them down, and other people read them. 
  People send them in e-mail, and that e-mail is intercepted. People use them to 
  log into remote servers, and their communications are eavesdropped on. They're 
  also easy to guess. And once any of that happens, the password no longer works 
  as an authentication token because you can't be sure who is typing that password 
  in.
  
  Two-factor authentication mitigates this problem. If your password includes a 
  number that changes every minute, or a unique reply to a random challenge, then 
  it's harder for someone else to intercept. You can't write down the ever-changing 
  part. An intercepted password won't be good the next time it's needed. And a 
  two-factor password is harder to guess. Sure, someone can always give his password 
  and token to his secretary, but no solution is foolproof.
  
  These tokens have been around for at least two decades, but it's only recently 
  that they have gotten mass-market attention. AOL is rolling them out. Some banks 
  are issuing them to customers, and even more are talking about doing it. It seems 
  that corporations are finally waking up to the fact that passwords don't provide 
  adequate security, and are hoping that two-factor authentication will fix their 
  problems.
  
  Unfortunately, the nature of attacks has changed over those two decades. Back 
  then, the threats were all passive: eavesdropping and off-line password guessing. 
  Today, the threats are more active: phishing and Trojan horses.
  
  Here are two new active attacks we're starting to see:
  
    * Man-in-the-Middle attack. An attacker puts up a fake bank website and 
  entices user to that website. User types in his password, and the attacker in 
  turn uses it to access the bank's real website. Done right, the user will never 
  realize that he isn't at the bank's website. Then the attacker either disconnects 
  the user and makes any fraudulent transactions he wants, or passes along the 
  user's banking transactions while making his own transactions at the same time.
  
    * Trojan attack. Attacker gets Trojan installed on user's computer. When user 
  logs into his bank's website, the attacker piggybacks on that session via the 
  Trojan to make any fraudulent transaction he wants.
  
  See how two-factor authentication doesn't solve anything? In the first case, the 
  attacker can pass the ever-changing part of the password to the bank along with 
  the never-changing part. And in the second case, the attacker is relying on the 
  user to log in.
  
  The real threat is fraud due to impersonation, and the tactics of impersonation 
  will change in response to the defences. Two-factor authentication will force 
  criminals to modify their tactics, that's all.
  
  Recently I've seen examples of two-factor authentication using two different 
  communications paths: call it "two-channel authentication." One bank sends a 
  challenge to the user's cell phone via SMS and expects a reply via SMS. If you 
  assume that all your customers have cell phones, then this results in a two-factor 
  authentication process without extra hardware. And even better, the second 
  authentication piece goes over a different communications channel than the first; 
  eavesdropping is much, much harder.
  
  But in this new world of active attacks, no one cares. An attacker using a 
  man-in-the-middle attack is happy to have the user deal with the SMS portion of 
  the log-in, since he can't do it himself. And a Trojan attacker doesn't care, 
  because he's relying on the user to log in anyway.
  
  Two-factor authentication is not useless. It works for local login, and it works 
  within some corporate networks. But it won't work for remote authentication over 
  the Internet. I predict that banks and other financial institutions will spend 
  millions outfitting their users with two-factor authentication tokens. Early 
  adopters of this technology may very well experience a significant drop in fraud 
  for a while as attackers move to easier targets, but in the end there will be a 
  negligible drop in the amount of fraud and identity theft.

© 2005 Bruce Schneier

2.3. Beyond authentication

The 4-As:

• Authentication
• Authorization
• Accounting
• Audit

3. Single Sign On - The PKI killer application ?

A specialized form of authentication that enables a user to authenticate once and gain access to the multiple resources.

Legacy Approach to User Sign-on to Multiple Systems - © 1995-2005 The OpenGroup

Single Sign On

Single User Sign-On To Multiple Services - © 1995-2005 The OpenGroup

3.1. Benefits

• reduction in the time taken by users in sign-on operations to individual domains, including reducing the possibility of such sign-on operations failing
• improved security through the reduced need for a user to handle and remember multiple sets of authentication information,
• reduction in the time taken, and improved response, by system administrators in adding and removing users to the system or modifying their access rights,
• improved security through the enhanced ability of system administrators to maintain the integrity of user account configuration including the ability to inhibit or remove an individual user's access to all system resources in a co-ordinated and consistent manner.

3.2. Methods

• directly, the information supplied by the user is passed to a secondary domain as part of a secondary sign-on,
• indirectly, the information supplied by the user is used to retrieve other user identification and user credential information stored within the single sign-on management information base. The retrieved information is then used as the basis for a secondary domain sign-on operation,
• immediately, to establish a session with a secondary domain as part of the initial session establishment. This implies that application clients are automatically invoked and communications established at the time of the primary sign-on operation,
• temporarily stored or cached and used at the time a request for the secondary domain services is made by the end-user.

• the secondary domains have to trust the primary domain to:
  • correctly assert the identity and authentication credentials of the end user,
  • protect the authentication credentials used to verify the end user identity to the secondary domain from unauthorised use,
• the authentication credentials have to be protected when transferred between the primary and secondary domains against threats arising from interception or eavesdropping leading to possible masquerade attacks.

3.3. Kerberos

• Kerberos is a computer network authentication protocol
• Version 5 is now (2005) available as RFC 4120.
• Kerberos builds on symmetric key cryptography and requires a trusted third party.
  • Key Distribution Center (KDC)
    • Authentication Server (AS)
    • Ticket Granting Server (TGS)

• Service Server (SS)

3.3.1. Kerberos - operation

3.3.2. MS kerberos usage

© 2003 Microsoft

3.4. Other SSO implementation examples

• Windows Live ID (ex .NET Passport)
• Liberty Alliance
• Google

3.4.1. Windows Live ID

© 2006 Microsoft

3.4.2. WS-Trust

© 2005 OASIS

3.4.3. Liberty Alliance

Liberty Alliance

3.4.4. Google

© 2007 Google

4. Identity management

The Laws of Identity

1. User Control and Consent
2. Minimal Disclosure for a Constrained Use
3. Justifiable Parties
4. Directed Identity
5. Pluralism of Operators and Technologies
6. Human Integration
7. Consistent Experience Across Contexts

© Kim Cameron