Connect communicate collaborate An Infocard-based proposal for unified SSO to eduroam Enrique de la Hoz, Antonio García, Diego López, Samuel Muñoz University.
connect communicate collaborate An Infocard-based proposal for unified SSO to eduroam Enrique de la Hoz, Antonio García, Diego López, Samuel Muñoz University of Alcala (Spain), RedIRIS (Spain) TNC2009, Málaga (Spain), June 9 th 2009

connect communicate collaborate Eduroam and SSO
Eduroam provides wireless connectivity in educational institutions across Europe and the APAN area.
You only need your home institution credentials: open your laptop and you are online.
One question has been posed by previous work (the DAMe project): what if we (re)use those credentials to provide services other than wireless access?
The goal would be real SSO: just open your laptop and enjoy any service (any service you are allowed to use, of course).
Bring together two (con)federation efforts:
– Eduroam
– Edugain

connect communicate collaborate Why? What? Where?
Once the user gets into eduroam, we have that user authenticated; as long as she remains in eduroam, we know who she is.
First idea: we could use that information to avoid further user logins.
Problem: eduroam works at L2/L3, while most of the services we want to cover live in the upper layers.
Let's provide the user with some credential on successful eduroam access.
Second idea: let Information Cards be that credential.

connect communicate collaborate Information Cards
An artifact with a unique identifier from an identity provider that users can employ to visualise their digital relationship with the identity provider in user interfaces and to request security tokens with claims from that identity provider.
An Information Card is an XML document that can be used as an artifact to obtain security tokens containing the values of the requested claims.
Token agnostic: OpenID, SAML 1.1
Claims-based applications
Built upon WS-* protocols

connect communicate collaborate Information Cards meet eduroam
Well, that seems cool, but what does this have to do with eduroam?
Proposal: join both worlds by associating an Information Card with an eduroam session.
Use case:
The user opens her laptop and connects to eduroam.
On successful eduroam connection, she receives an Information Card (from now on, the "eduroam Information Card").
The user can browse services and access them using the eduroam Information Card.
As soon as she leaves eduroam, the Information Card is no longer valid.

connect communicate collaborate Eduroam
That sounds great: just log in to eduroam and you are done! Some caveats:
Infocard is not a real SSO technology: each time you want to use the Information Card, you need to authenticate against the STS.
To get rid of passwords, we could use either X.509 certificates or a self-issued Information Card.
We decided to use self-issued Information Cards.
This way, no password beyond the one used to access eduroam is needed.

connect communicate collaborate Proposal
We need to add additional information to the RADIUS dialogue. We decided to use PEAP (PEAPv0/EAP-MSCHAPv2):
The user needs to send the cardID of the self-issued card she wants to employ to back the eduroam Infocard.
The RADIUS response must include the eduroam Information Card.
– Newly defined EAP-TLV (the SMH TLV)
– Request: it carries the self-issued card ID
– On successful login: it carries a one-time, time-limited URL from which the eduroam Information Card can be downloaded

connect communicate collaborate Proposal (II)
SMH EAP-TLV:
– SMH: Samuel Muñoz Hidalgo (developer)
– Request: it carries the self-issued card ID
– On successful login: it carries a one-time, time-limited URL to download the Information Card
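The two slides above describe the SMH TLV only by its payloads (self-issued card ID on the way up, one-time URL on the way down). The following encoder/parser is an added example, not code from the talk or from the prototype: it uses the PEAPv0-style EAP-TLV layout (mandatory bit, reserved bit, 14-bit type, 16-bit length, value) and a placeholder type number, since the talk does not give the real one. The parser validates length fields against the buffer, and the unknown-mandatory check shows what a receiver must do when it meets a mandatory TLV it does not understand (reject rather than silently ignore).

```python
import struct

# Placeholder TLV type for the "SMH TLV" (assumption: the talk defines a new
# EAP-TLV but does not state its number; 14-bit type values fit in 0..0x3FFF).
SMH_TLV_TYPE = 0x3FF0
# Types this receiver understands; used for the unknown-mandatory check.
KNOWN_TYPES = {SMH_TLV_TYPE}


def encode_tlv(tlv_type, value, mandatory=False):
    """Build one EAP-TLV: M bit, reserved bit, 14-bit type, 16-bit length, value."""
    if not 0 <= tlv_type <= 0x3FFF:
        raise ValueError("TLV type must fit in 14 bits")
    if len(value) > 0xFFFF:
        raise ValueError("TLV value too long for a 16-bit length")
    header = tlv_type | (0x8000 if mandatory else 0)
    return struct.pack("!HH", header, len(value)) + value


def decode_tlvs(data):
    """Parse concatenated TLVs into (type, mandatory, value) tuples.

    Every length is checked against the buffer so a malformed peer cannot make
    the parser read past the end of the message."""
    tlvs = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 4:
            raise ValueError("truncated TLV header at offset %d" % offset)
        header, length = struct.unpack_from("!HH", data, offset)
        offset += 4
        if offset + length > len(data):
            raise ValueError("TLV length %d exceeds remaining buffer" % length)
        tlvs.append((header & 0x3FFF, bool(header & 0x8000), data[offset:offset + length]))
        offset += length
    return tlvs


def unknown_mandatory(tlvs, known=KNOWN_TYPES):
    """Return the types of mandatory TLVs this receiver does not understand.

    A non-empty result means the message must be rejected (NAK), not processed."""
    return [t for t, mandatory, _ in tlvs if mandatory and t not in known]


def build_smh_request(self_issued_card_id):
    """Supplicant side: carry the self-issued card ID the user chose."""
    return encode_tlv(SMH_TLV_TYPE, self_issued_card_id.encode("utf-8"), mandatory=True)


def build_smh_success(one_time_url):
    """RADIUS side: carry the one-time download URL alongside the PEAP success."""
    return encode_tlv(SMH_TLV_TYPE, one_time_url.encode("utf-8"), mandatory=True)


def extract_smh(data):
    """Return the SMH TLV payload as text, or None when the message carries none."""
    for tlv_type, _, value in decode_tlvs(data):
        if tlv_type == SMH_TLV_TYPE:
            return value.decode("utf-8")
    return None
```

Marking the TLV mandatory is the deliberate choice here: a supplicant or server that does not implement the extension then fails the exchange visibly instead of completing a PEAP login in which the card was silently dropped.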

connect communicate collaborate Proposal (III)
[Diagram: user authentication at the RADIUS server; Infocard generation by simpleSAMLphp; user authenticated, success with InfoCard; Infocard retrieval; access to federated services]

connect communicate collaborate Prototype
There's magic everywhere! Some supplicant/identity-selector integration is required:
The supplicant must be able to retrieve information about which self-issued card the user wants to employ.
The identity selector must import the card after a successful login.
FreeRADIUS is employed as the RADIUS server:
A Perl module is in charge of most of the work.
Minor modifications to the existing FreeRADIUS code.
Module for simpleSAMLphp:
STS functionality
Card generation
RADIUS server dialogue

connect communicate collaborate Demo

connect communicate collaborate Protocol Flow
Step 1: The user decides to join eduroam.
Supplicant-selector integration:
– The user chooses a self-issued card.
Not only the user credentials are sent, but also the additional Infocard information, as an EAP-TLV.
Step 2: The RADIUS server verifies the user credentials (user/password) as usual.
Step 3: Once the user credentials are verified, the RADIUS server contacts the STS to get an eduroam Infocard:
A TLS connection is set up.
Inside the TLS connection, an Infocard request containing the self-issued card ID, the user name and a timestamp is sent, encrypted with AES under a pre-shared key.
The STS sends back a one-time URL.

connect communicate collaborate Protocol Flow
Step 4: The RADIUS server sends the client an EAP-TLV containing the one-time URL together with the PEAP success message.
Step 5: The supplicant receives the message and downloads the eduroam Infocard. The eduroam Infocard gets imported into the selector.
Step 6: The user accesses a service using the eduroam Infocard.
As soon as the user leaves eduroam, the STS will no longer issue tokens.
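Steps 3 to 6 rest on three properties the slides state but do not show: the STS must accept only fresh requests from the RADIUS server, the download URL must work exactly once within its time limit, and issuance must stop the moment the eduroam session ends. The model below is an added example, not the talk's prototype or the simpleSAMLphp module: it replaces the AES-under-PSK protection with an HMAC-SHA256 tag over the same fields (card ID, user name, timestamp) so that it runs on the standard library alone, and the freshness window, URL lifetime, STS URL and the card's dictionary form are all constructed for the example. Time is passed in explicitly so the checks can be exercised deterministically.

```python
import hashlib
import hmac
import json
import secrets

# Constructed pre-shared key shared by the RADIUS server and the STS. Assumption:
# the talk protects this request with AES under a PSK inside TLS; here an
# HMAC-SHA256 tag over the same fields stands in for it. The freshness, one-time
# and session-bound checks are the point of the example.
PSK = b"constructed-psk-for-this-example-only"
MAX_SKEW_SECONDS = 60      # request timestamp must be at most this old (assumed window)
URL_TTL_SECONDS = 120      # lifetime of the one-time download URL (assumed value)
STS_BASE_URL = "https://sts.example.org/eduroam-card/"   # placeholder host


def sign_request(self_issued_card_id, username, timestamp, key=PSK):
    """RADIUS side: serialise the Infocard request and tag it with the PSK."""
    body = json.dumps({"card_id": self_issued_card_id, "user": username,
                       "ts": timestamp}, sort_keys=True).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


class InfocardSts:
    """Minimal STS state: issue one-time URLs for authenticated eduroam sessions,
    hand out the card exactly once, and stop serving a user whose session ended."""

    def __init__(self, key=PSK):
        self._key = key
        self._pending = {}    # url token -> (username, backing card id, expiry)
        self._active = set()  # users with a live eduroam session
        self._seen = set()    # (user, ts) already accepted; prune by age in production

    def issue_url(self, body, tag, now):
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None                       # not from the RADIUS server
        req = json.loads(body)
        if abs(now - req["ts"]) > MAX_SKEW_SECONDS:
            return None                       # stale or future-dated request
        if (req["user"], req["ts"]) in self._seen:
            return None                       # replayed request
        self._seen.add((req["user"], req["ts"]))
        token = secrets.token_urlsafe(32)     # unguessable URL component
        self._pending[token] = (req["user"], req["card_id"], now + URL_TTL_SECONDS)
        self._active.add(req["user"])
        return STS_BASE_URL + token

    def download_card(self, url, now):
        """Supplicant fetches the eduroam Information Card; the URL works once."""
        token = url.rsplit("/", 1)[-1]
        entry = self._pending.pop(token, None)   # pop: a second fetch finds nothing
        if entry is None:
            return None
        user, backing_card, expires = entry
        if now > expires or user not in self._active:
            return None
        # Stand-in for the card XML: records which self-issued card backs it.
        return {"issuer": STS_BASE_URL, "user": user, "backed_by": backing_card}

    def issue_token(self, user, now):
        """Later token requests from the selector; refused once the session is gone."""
        if user not in self._active:
            return None
        return {"sub": user, "iat": now}

    def session_ended(self, user):
        """Called when the eduroam session ends: revoke everything for the user."""
        self._active.discard(user)
        for token in [t for t, (u, _, _) in self._pending.items() if u == user]:
            del self._pending[token]
```

The pop-on-download is what makes the URL one-time; the expiry and the session check are evaluated after the pop, so a late or post-logout fetch both consumes and refuses the URL. Feeding `session_ended` from the RADIUS accounting stream is the natural hook, which is also why accounting appears in the talk's future work.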

connect communicate collaborate Acknowledgments
Samuel Muñoz Hidalgo
This work has been supported by the Spanish Ministry of Education and Science grant TIN C04-04 and by RedIRIS.

connect communicate collaborate Future work
Open1x
Moving to Radiator
Handling accounting info