The Design and Implementation of an OpenID-Enabled PKI
Kevin Bauer, University of Colorado
Supervisor: Dhiva Muruganantham


The Login Explosion Problem
- Everyone uses a variety of web services: social networking sites, blogging sites, online collaboration tools, etc.
- But each site has its own way for us to log in.
- Wouldn't it be great to have just one set of credentials?

Solution: OpenID

What is OpenID?
OpenID is an authentication protocol: it provides a way for a user to prove their identity to a website.
OpenID's primary design considerations:
- Simplify your online experience: it eliminates the need for multiple user names and passwords, and gives single sign-on (authenticate once, log in many times).
- Decentralized: there are no central authorities; users are free to choose their identity provider.
- Third-party websites never see authentication credentials: the relying party only receives a signed assertion from the identity provider, so your user names and passwords are safer.
- Built on existing web technologies: it leverages the ubiquity of HTTP(S), URIs, XML, SSL and Diffie-Hellman; no specialized technologies are necessary.

How Does OpenID Work?
Three parties take part: the end user, the website (relying party or RP) and the identity provider (IdP).
1. The RP asks the user to log in: the relying party provides an interface to request the user's OpenID URI.
2. The user submits their OpenID URL.
3. The RP performs URL discovery on the OpenID URL.
4. Discovery returns the IdP endpoint.
5. The RP requests a login from the IdP.
6. The user is redirected to the IdP.
7. The user logs in at the IdP.
8. The IdP returns the authentication result to the RP.
9. The RP decides whether to grant the user access.

OpenID IdP Discovery
Which identity provider is responsible for authenticating this user?
1. Retrieve the HTTP response headers of the OpenID URL (an HTTP HEAD request; values lost in the transcript are shown as …):

   200 OK
   Date: Tue, 11 Aug … GMT
   Server: Apache/… (Fedora) DAV/2 mod_ssl/…
   Content-Type: text/plain
   …
   Client-Date: Tue, 11 Aug … GMT
   Client-Peer: …:443
   Client-Response-Num: 1
   X-XRDS-Location: …opEndpoint=…

2. The identity provider endpoint URL is discovered: the X-XRDS-Location header points at the Yadis/XRDS document that lists the IdP endpoint (the XRDS location shown here carries an opEndpoint parameter).

Because the RP will redirect the user to whatever endpoint discovery yields, discovery must be performed over HTTPS (note the peer port 443) or an attacker who can tamper with the response can send the user to an IdP of their choosing.
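The discovery step described above, as an added example that is not part of the original presentation or ESnet's code: an OpenID 2.0 relying party normalizes the user-supplied identifier, follows the X-XRDS-Location header to the XRDS document, selects the OpenID service from it (falling back to openid2.provider HTML links when no XRDS is served), and refuses a non-HTTPS endpoint. The fetcher is injected so the flow runs offline; every hostname, header and document in the block is constructed for the example.

```python
"""OpenID 2.0 relying-party discovery (steps 3 and 4 of the flow).

Added example, not ESnet's code. fetch(url) -> (status, headers, body)
is injected, so the logic runs here against constructed responses.
"""
import html.parser
import urllib.parse
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
OPENID2_SERVER = "http://specs.openid.net/auth/2.0/server"  # OP Identifier service
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"  # Claimed Identifier service
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


def normalize_identifier(user_input):
    """2.0 URL normalization: default scheme, lower-cased host, '/' for an
    empty path, fragment removed."""
    s = user_input.strip()
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    p = urllib.parse.urlsplit(s)
    return urllib.parse.urlunsplit(
        (p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def parse_xrds(body):
    """Select the OpenID service: an OP Identifier service wins outright,
    otherwise the signon service with the lowest 'priority' number."""
    def tag(name):
        return f"{{{XRD_NS}}}{name}"
    best = None
    for svc in ET.fromstring(body).iter(tag("Service")):
        types = {t.text.strip() for t in svc.findall(tag("Type")) if t.text}
        uri = svc.find(tag("URI"))
        if uri is None or not uri.text:
            continue
        if OPENID2_SERVER in types:
            rank, local_id = (0, 0), None
        elif OPENID2_SIGNON in types:
            lid = svc.find(tag("LocalID"))
            local_id = lid.text.strip() if lid is not None and lid.text else None
            rank = (1, int(svc.get("priority", 2**31 - 1)))
        else:
            continue
        if best is None or rank < best[0]:
            best = (rank, uri.text.strip(), local_id)
    if best is None:
        raise ValueError("no OpenID 2.0 service in XRDS document")
    return {"op_endpoint": best[1], "op_local_id": best[2], "op_identifier": best[0][0] == 0}


class _LinkParser(html.parser.HTMLParser):
    """Collect <link rel=... href=...> for HTML-based discovery."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            for rel in (a.get("rel") or "").split():
                self.links.setdefault(rel, a.get("href"))


def parse_html(body):
    """Fallback when no XRDS is served: openid2.provider / openid2.local_id links."""
    p = _LinkParser()
    p.feed(body)
    if not p.links.get("openid2.provider"):
        raise ValueError("no openid2.provider link in HTML")
    return {"op_endpoint": p.links["openid2.provider"],
            "op_local_id": p.links.get("openid2.local_id"), "op_identifier": False}


def discover(user_input, fetch, require_https=True):
    """Return op_endpoint (for the redirect) plus claimed_id / op_local_id
    (to check against the later assertion). The user is redirected to
    whatever endpoint comes back, so plain-http endpoints are refused."""
    claimed_id = normalize_identifier(user_input)
    status, headers, body = fetch(claimed_id)
    if status != 200:
        raise ValueError(f"identifier URL returned {status}")
    h = {k.lower(): v for k, v in headers.items()}
    if "x-xrds-location" in h:  # Yadis: the header points at the XRDS document
        status, headers, body = fetch(h["x-xrds-location"])
        if status != 200:
            raise ValueError(f"XRDS URL returned {status}")
        h = {k.lower(): v for k, v in headers.items()}
    if h.get("content-type", "").split(";")[0].strip() == "application/xrds+xml":
        info = parse_xrds(body)
    else:
        info = parse_html(body)
    endpoint = info["op_endpoint"]
    if require_https and urllib.parse.urlsplit(endpoint).scheme != "https":
        raise ValueError(f"OP endpoint is not https: {endpoint}")
    if info["op_identifier"]:  # the user named the IdP, not a personal identifier
        claimed_id = local_id = IDENTIFIER_SELECT
    else:
        local_id = info["op_local_id"] or claimed_id
    return {"claimed_id": claimed_id, "op_local_id": local_id, "op_endpoint": endpoint}


# Constructed responses standing in for the network (all hosts are made up).
XRDS_DOC = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>
  <Service priority="10"><Type>http://specs.openid.net/auth/2.0/signon</Type>
    <URI>https://idp.example.org/openid/server</URI>
    <LocalID>https://idp.example.org/id/alice</LocalID></Service>
</XRD></xrds:XRDS>"""
HTML_DOC = ('<html><head><link rel="openid2.provider" href="https://legacy-idp.example.org/op">'
            '<link rel="openid2.local_id" href="https://legacy.example.org/~bob"></head></html>')
WEAK_DOC = '<html><head><link rel="openid2.provider" href="http://idp.example.org/op"></head></html>'
CONSTRUCTED_WEB = {
    "http://alice.example.org/": (200, {"Content-Type": "text/html",
                                        "X-XRDS-Location": "https://alice.example.org/yadis"}, "<html></html>"),
    "https://alice.example.org/yadis": (200, {"Content-Type": "application/xrds+xml; charset=utf-8"}, XRDS_DOC),
    "http://legacy.example.org/~bob": (200, {"Content-Type": "text/html"}, HTML_DOC),
    "http://weak.example.org/": (200, {"Content-Type": "text/html"}, WEAK_DOC),
}


def fake_fetch(url):
    return CONSTRUCTED_WEB.get(url, (404, {}, ""))
```

Run `discover("alice.example.org", fake_fetch)` to walk the header-to-XRDS path, and `discover("http://legacy.example.org/~bob", fake_fetch)` for the HTML fallback; `discover("weak.example.org", fake_fetch)` is rejected because the advertised endpoint is plain HTTP.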

OpenID User Authentication
- The RP redirects the user to the discovered IdP endpoint.
- The IdP authenticates the user: the referring site (the RP) is displayed, and the user provides their authentication credentials to the IdP.
- When authenticating with a password, the user should manually verify the IdP URL and its SSL certificate before typing the password, to mitigate phishing attacks.

OpenID User Authentication (2)
- The user approves the authentication request: the user explicitly authorizes the release of the authentication result to the relying party.
- The authentication result is shared with the relying party.

OpenID and User Information
Beyond authentication, OpenID provides a structured way of sharing information about you.
- Simple Registration (SREG) protocol: lightweight profile exchange of a fixed set of fields: full name, nickname, e-mail address, date of birth, gender, postcode, country, language and time zone.
- Attribute Exchange (AX) protocol: more flexible information exchange; it allows the RP to request any attribute about the user (identified by a type URI), with the IdP and user deciding what is actually released.
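The exchange in "How Does OpenID Work?" and the attribute release described above, as an added example that is not part of the original presentation or ESnet's code: a toy IdP builds a positive OpenID 2.0 assertion (step 8) carrying one AX attribute, and the relying party verifies it before granting access (step 9). The RP checks the HMAC-SHA256 signature under a shared association MAC key (assumed to have been established earlier by an association request, which is not shown), then that the asserting endpoint is the one discovery returned, that return_to and the association handle are its own, that the response nonce is fresh and unused, and it only trusts attributes that are inside the signed field list. Hostnames, the user and the attribute value are constructed.

```python
"""Relying-party verification of an OpenID 2.0 positive assertion.

Added example, not ESnet's code. The toy IdP and the RP share an
association MAC key; every host, user and value here is made up.
"""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"
# Fields the 2.0 spec requires openid.sig to cover (claimed_id and
# identity whenever they are present, as they are here).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}


def kv_form(params, signed_fields):
    """Key-value form the signature covers: 'field:value\\n' for each field
    named in openid.signed, in that order, without the 'openid.' prefix."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields)


def sign(mac_key, params, signed_fields):
    """Base64 HMAC-SHA256 over the key-value form (HMAC-SHA256 association)."""
    mac = hmac.new(mac_key, kv_form(params, signed_fields).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def toy_idp_assertion(mac_key, assoc_handle, op_endpoint, return_to, identity, email, when=None):
    """Indirect response the IdP sends to return_to (step 8), with one AX
    attribute; everything that matters is listed in openid.signed."""
    when = when or datetime.now(timezone.utc)
    nonce = when.strftime("%Y-%m-%dT%H:%M:%SZ") + secrets.token_urlsafe(6)
    params = {
        "openid.ns": NS, "openid.mode": "id_res", "openid.op_endpoint": op_endpoint,
        "openid.return_to": return_to, "openid.response_nonce": nonce,
        "openid.assoc_handle": assoc_handle, "openid.claimed_id": identity,
        "openid.identity": identity, "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_response",
        "openid.ax.type.email": "http://axschema.org/contact/email",
        "openid.ax.value.email": email,
    }
    signed = ["op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id",
              "identity", "ns.ax", "ax.mode", "ax.type.email", "ax.value.email"]
    params["openid.signed"] = ",".join(signed)
    params["openid.sig"] = sign(mac_key, params, signed)
    return params


class RelyingParty:
    """RP state for one association; op_endpoint is what discovery returned."""

    def __init__(self, mac_key, assoc_handle, op_endpoint, return_to,
                 max_nonce_age=timedelta(minutes=5)):
        self.mac_key, self.assoc_handle = mac_key, assoc_handle
        self.op_endpoint, self.return_to = op_endpoint, return_to
        self.max_nonce_age = max_nonce_age
        self.seen_nonces = set()  # replay cache; a real RP persists this

    def verify(self, params, now=None):
        """Return (claimed_id, signed AX attributes) or raise ValueError."""
        now = now or datetime.now(timezone.utc)
        if params.get("openid.ns") != NS or params.get("openid.mode") != "id_res":
            raise ValueError("not a positive OpenID 2.0 assertion")
        signed = params.get("openid.signed", "").split(",")
        missing = REQUIRED_SIGNED - set(signed)
        if missing:
            raise ValueError(f"required fields not signed: {sorted(missing)}")
        # 1. Signature first: nothing below may trust an unauthenticated value.
        try:
            expected = sign(self.mac_key, params, signed)
        except KeyError as e:
            raise ValueError(f"signed field missing from response: {e}")
        if not hmac.compare_digest(expected, params.get("openid.sig", "")):
            raise ValueError("bad signature")
        # 2. Bind the assertion to the discovered IdP, this RP URL and this association.
        if params["openid.op_endpoint"] != self.op_endpoint:
            raise ValueError("op_endpoint differs from discovered endpoint")
        if params["openid.return_to"] != self.return_to:
            raise ValueError("return_to does not match")
        if params["openid.assoc_handle"] != self.assoc_handle:
            raise ValueError("unknown association handle")
        # 3. Nonce: recent timestamp and never seen before (replay protection).
        nonce = params["openid.response_nonce"]
        try:
            ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            raise ValueError("malformed response_nonce")
        if abs(now - ts) > self.max_nonce_age:
            raise ValueError("response_nonce outside acceptance window")
        if nonce in self.seen_nonces:
            raise ValueError("replayed response_nonce")
        self.seen_nonces.add(nonce)
        # 4. Only attributes inside the signed set are trusted.
        attrs = {f[len("ax.value."):]: params["openid." + f]
                 for f in signed if f.startswith("ax.value.")}
        return params["openid.claimed_id"], attrs
```

The order of checks matters: the signature is verified before any field is compared, and the nonce is recorded only after every other check passes, so a rejected assertion cannot burn a nonce a legitimate one would later need. An AX value that arrives outside openid.signed is silently ignored rather than consumed.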

Our Project: Develop OpenID Infrastructure for ESnet
Three main deliverables:
1. An OpenID identity provider
2. An OpenID-enabled certificate authority
3. An OpenID-enabled collaboration tool (TWiki)

ESnet OpenID Provider
- Two authentication methods: username/password and client certificates
- Persistent account storage: LDAP stores the authentication credentials; a MySQL database stores user attributes
- Automatic registration: automatic enrollment for token holders; all International Grid Trust Federation (IGTF) certificates are trusted
- Registration validation: a confirmation is sent to verify the account creation (for password-based accounts)

Demo: OpenID Identity Provider

OpenID-Enabled Certificate Authority
Goal: enable users to request short-term certificates automatically using their OpenID.
- The certificate authority acts as an OpenID relying party.
- The user enters their OpenID, or logs in directly with their IdP.
- IdP whitelisting: the CA only accepts assertions from an approved set of identity providers, since a certificate is only as trustworthy as the IdP that vouched for the requester.

Demo: Certificate Request with OpenID

OpenID Collaboration Site
Goal: use OpenID to log in to an ESnet TWiki.
- TWiki is an example of another OpenID relying party.
- It obtains user information through attribute exchange.

Demo: OpenID for Collaboration (TWiki)

OpenID Summary
OpenID offers the following benefits:
- Single sign-on simplifies the online experience
- Third parties don't know our passwords
- Trust is decentralized
- Easy to deploy, built on proven web technologies
But OpenID is not a perfect solution…

Open Problems with OpenID: Phishing
What is phishing? An attempt to steal usernames and passwords by impersonating a legitimate (high-value) website.
- Particularly dangerous with OpenID because one set of credentials may grant access to a large number of accounts, and the protocol's own redirect to the IdP is exactly the moment a malicious RP can send the user to a look-alike IdP instead.
- Design effective UIs and educate users about the risks: users should verify the URL and the SSL certificate before releasing their password.
- Certificate-based authentication largely solves this: there is no password for a fake IdP to collect.

Open Problems with OpenID: Hard to Leave the Web Browser
Can we use OpenID with non-web applications (GridFTP, SSH, other legacy applications outside the browser)?
- Simple answer: not really
  - OpenID relies on browser interactions between the user and their IdP
  - Single sign-on functionality needs browser session state
- More complicated answer: maybe
  - Mimic the browser functionality within the legacy app
  - Requires the legacy app to be modified (it is now an RP)

Open Problems with OpenID: Users' Privacy May Be at Risk
OpenID exposes user information in two ways:
- Problem: attribute exchange releases the user's name, e-mail, etc. to relying parties.
  Solution: give users the ability to control what information is released about them, per relying party, at the time they approve the request.
- Problem: OpenID identifiers are persistent, global identifiers, so a user's behavior can be linked over time and across relying parties (colluding RPs only need to compare the claimed identifiers they received).
  Solution: give users dynamic identifiers: a different identity each time they log in to an RP.

One-time Use Identifiers Mitigate Tracking
1. Log in to the RP with the IdP endpoint, not a personal OpenID; this lets the user log in directly with their IdP.
2. Authenticate with the IdP as normal and ask for a one-time use identifier.
3. The IdP returns a randomly generated, authenticated OpenID to the RP.
4. Log in again and get a new random identifier.
Because the identifier changes on every login, the RP cannot recognize the returning user; the scheme trades a persistent account at the RP for unlinkability.
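The IdP side of this scheme, as an added example that is not part of the original presentation or ESnet's code: the RP starts the login from the IdP endpoint using identifier_select, the IdP mints a fresh random identifier for the authenticated user and must also serve an XRDS document at that identifier so the RP's discovery on the asserted identifier succeeds. Going beyond what the slide describes, the block also shows a pairwise identifier derived with an IdP-private HMAC key, which stays stable for one RP realm (so that RP can keep an account) while remaining unlinkable across realms. The hostnames, the user and the time-to-live are assumptions.

```python
"""One-time and pairwise OpenID identifiers issued by an IdP.

Added example, not ESnet's code. Hostnames, user names and the
identifier lifetime are made up for the example.
"""
import hashlib
import hmac
import secrets
import time

NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


def checkid_setup_for_idp(op_endpoint, return_to, realm, assoc_handle):
    """RP side of step 1: start the login from the IdP endpoint and let the
    IdP pick the identifier, instead of from a user-typed OpenID URL."""
    return {
        "openid.ns": NS, "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT, "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to, "openid.realm": realm,
        "openid.assoc_handle": assoc_handle, "_endpoint": op_endpoint,
    }


class IdentifierIssuer:
    """IdP-side issuance and resolution of non-persistent identifiers."""

    def __init__(self, idp_base="https://idp.example.org", ttl_seconds=600):
        self.idp_base = idp_base
        self.op_endpoint = idp_base + "/openid/server"
        self.ttl = ttl_seconds
        self._one_time = {}  # identifier -> (username, expiry); a real IdP persists this
        self._pairwise_key = secrets.token_bytes(32)  # long-lived IdP secret

    def issue_one_time(self, username, now=None):
        """Fresh random identifier for this login (steps 2 and 3). It is stored
        only long enough for the RP to complete discovery and verification."""
        now = time.time() if now is None else now
        ident = f"{self.idp_base}/id/{secrets.token_urlsafe(16)}"
        self._one_time[ident] = (username, now + self.ttl)
        return ident

    def issue_pairwise(self, username, realm):
        """Generalization beyond the slide: the same identifier every time this
        user logs in to this RP realm, a different one for every other realm,
        and nothing to store because it is derived from an IdP-private key."""
        msg = f"{username}\0{realm}".encode("utf-8")
        tag = hmac.new(self._pairwise_key, msg, hashlib.sha256).hexdigest()[:32]
        return f"{self.idp_base}/pid/{tag}"

    def resolve(self, ident, now=None):
        """Account behind an issued one-time identifier, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._one_time.get(ident)
        if entry is None or entry[1] < now:
            self._one_time.pop(ident, None)
            return None
        return entry[0]

    def select_identity(self, request, username, now=None):
        """IdP side of step 3: replace identifier_select with a one-time identifier."""
        if request.get("openid.claimed_id") != IDENTIFIER_SELECT:
            raise ValueError("RP supplied a fixed identifier; nothing to select")
        return self.issue_one_time(username, now)

    def discovery_document(self, ident, now=None):
        """XRDS the IdP must serve at the identifier URL: the RP performs
        discovery on the asserted claimed_id and checks that the endpoint it
        finds is the one that signed the assertion."""
        if self.resolve(ident, now) is None:
            raise KeyError("unknown or expired identifier")
        return (f'<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD><Service>'
                f'<Type>http://specs.openid.net/auth/2.0/signon</Type>'
                f'<URI>{self.op_endpoint}</URI><LocalID>{ident}</LocalID>'
                f'</Service></XRD></xrds:XRDS>')
```

Two logins by the same user yield two unrelated one-time identifiers that both resolve to the account at the IdP and expire after the configured lifetime; the pairwise variant is what to reach for when an RP needs to recognize a returning user without being able to correlate that user with other RPs.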

Demo: One-time Use Identifiers

OpenID/Shibboleth Comparison
Both protocols offer:
- Cross-domain authentication
- Attribute exchange
- Single sign-on
Key differences:
- Trust model: OpenID assumes a completely open trust model (any RP will accept any IdP unless it whitelists, as the certificate authority above does); Shibboleth is federated, so an RP trusts only a limited set of IdPs.
- Freedom to choose your IdP: OpenID allows users to choose any IdP; Shibboleth requires that authentication be handled by your "home institution" (LBNL, ESnet, UC Berkeley, etc.).

Future Work
- Currently finishing a blog site to provide up-to-date information about our OpenID service
- Explore OpenID + OAuth as a way to enable non-web OpenID authentication
- Explore how Shibboleth and OpenID can interoperate
- Continue to improve the OpenID provider's UI

Summary and Conclusion
We developed OpenID infrastructure that includes:
- An ESnet-operated OpenID identity provider
- An automated short-term certificate issuing service that consumes OpenID
- A TWiki-based collaboration site that consumes OpenID
Thank you to Dhiva, Mike, and the ESnet staff.