Published by Jemimah Morris, modified over 9 years ago
Slide 1: STRIDE towards 2-factor Web SSO
SANS Technology Institute - Candidate for Master of Science Degree
Rich Graves, October 2014
GIAC GSE, GCIA, GCIH, GPEN, GSEC, GWAPT, GWEB, GCFE, GAWN, GCPM
@richgraves

Slide 2: Objective
Web single sign-on with Shibboleth
Phishing and stolen-credential defense
Documented, repeatable process
Guided by some theoretical framework
Give back to the .edu community

Slide 3: Strong password policy, but…

Slide 4: “Policy” Background
Since 2011, attempt to establish the norm that remote access to sensitive data requires two-factor authentication
OpenVPN: certificate + password
SSH: Duo (or RSA key) (key issues)
Citrix: Duo for remote access only

Slide 5: 2-Factor for Web Applications
“The new version of X won’t need a VPN because it uses a secure web server”
Some web applications limited by IP
Moving toward single sign-on with Shibboleth, Duo 2-factor authentication
To some vendors, “single sign-on” means the portal caches your password

Slide 6: About SAML and Shibboleth
SAML: Security Assertion Markup Language, an OASIS standard
Shibboleth: Internet2 open source
Identity Provider (IdP): Java J2EE
Service Provider (SP): Apache & IIS
Sort of like OpenID, but with XML

Slide 7: Gnarly SAML2 Flow Diagram (figure not reproduced)

Slide 8: Federation and Attributes
An academic publisher wishes to make scientific journals available to currently enrolled students, but not faculty or alumni, at universities that have paid a site license fee.
Claims-based systems work best here
Privacy: credentials without identity

Slide 9: Distributed Live Demo
https://login.carleton-edu.com/
Password for “user1” is “1”, and so on up to “user200” and “200”
“user1” can log on with just a password; all others require 2-factor enrollment

Slide 10: Please Do Try This At Home
http://go.carleton.edu/shibcentos6
Fully configured CentOS, OpenLDAP, Shibboleth IdP and SP, 2-factor auth with MCB and DuoSecurity
OVF format, VMware appliance
Root password: shibboleth

Slide 11: What’s in the Box?
CentOS 6, Tomcat, Apache
Shibboleth 2.4.1
Internet2 Multi Context Broker
DuoSecurity web integration
Thanks to InCommon and University of Chicago for writing & packaging code, so it’s “just a matter of following directions”

Slide 12: About STRIDE
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege
Adam Shostack’s Threat Modeling

Slide 13: What I Learned From STRIDE
Brainstorm broad categories, rather than checklists like the OWASP Top 10
Securing complex applications is complicated
Key management is the most important, most neglected facet of crypto

Slide 14: Shib/SAML2 Metadata Vulns
Many service providers tell you to set encryptAssertions="never" encryptNameIds="never"
Many identity providers fail to check signatures on imported metadata – a serious key management issue

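As an added example (not from the talk, the appliance, or the Shibboleth project), a Python audit of a Shibboleth IdP 2.x relying-party.xml for the two weaknesses on this slide; the configuration fragment, entity IDs and URLs are constructed for the example.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed IdP 2.x relying-party.xml fragment (not from any real deployment):
# one vendor SP with encryption switched off, one metadata source imported unsigned.
SAMPLE_RELYING_PARTY_XML = """
<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <rp:DefaultRelyingParty provider="https://idp.example.edu/idp/shibboleth">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="conditional"/>
  </rp:DefaultRelyingParty>
  <rp:RelyingParty id="https://vendor-sp.example.com/shibboleth" provider="https://idp.example.edu/idp/shibboleth">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never"/>
  </rp:RelyingParty>
  <metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
    <metadata:MetadataProvider id="VendorSP" xsi:type="metadata:FileBackedHTTPMetadataProvider"
        metadataURL="https://vendor-sp.example.com/metadata.xml" backingFile="/tmp/vendor.xml"/>
    <metadata:MetadataProvider id="Federation" xsi:type="metadata:FileBackedHTTPMetadataProvider"
        metadataURL="https://md.example.org/metadata.xml" backingFile="/tmp/fed.xml">
      <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
          trustEngineRef="shibboleth.MetadataTrustEngine" requireSignedMetadata="true"/>
    </metadata:MetadataProvider>
  </metadata:MetadataProvider>
</rp:RelyingPartyGroup>"""

def local(name):
    """Local part of a namespaced tag ('{uri}Tag') or a prefixed QName ('p:Tag')."""
    return name.split("}")[-1].split(":")[-1]

def audit_relying_party(xml_text):
    """Return sorted findings for the two slide-14 weaknesses; an empty list means clean."""
    root, findings = ET.fromstring(xml_text), []
    for el in root.iter():
        if local(el.tag) in ("RelyingParty", "DefaultRelyingParty"):
            who = el.get("id", "DefaultRelyingParty")
            for prof in el:
                if local(prof.get(XSI_TYPE, "")) != "SAML2SSOProfile":
                    continue
                # Only explicit "never" is flagged; an absent attribute keeps the IdP's own default.
                for attr in ("encryptAssertions", "encryptNameIds"):
                    if prof.get(attr) == "never":
                        findings.append(f'{who}: {attr}="never"')
        elif local(el.tag) == "MetadataProvider" and not any(local(c.tag) == "MetadataProvider" for c in el):
            # Leaf provider: a chaining provider carries no filters, so each member needs its own.
            if not any(local(c.tag) == "MetadataFilter" and local(c.get(XSI_TYPE, "")) == "SignatureValidation" for c in el):
                findings.append(f"{el.get('id')}: metadata imported without a SignatureValidation filter")
    return sorted(findings)
```

Run it against a live IdP by passing the contents of conf/relying-party.xml to audit_relying_party(); each finding names the relying party or metadata provider to fix.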
Slide 15: Summary
More centralized authentication can be stronger authentication: 2-factor, etc.
Central authentication is a target
Shibboleth+MCB+Duo works!
Full research findings at http://go.carleton.edu/shibcentos6