
  • An introduction of several development activities related to Shibboleth and Web browser-based simple PKI

    Toyokazu Akiyama1, Motonori Nakamura2, Takeshi Nishimura2, Kazutsuna Yamaji2, Yukiko Kawai1

    1 Kyoto Sangyo University, Japan; 2 National Institute of Informatics, Japan

  • Contents

    • Developments related to Shibboleth

    – omniauth-shibboleth

    – rack-saml

    • Developments related to “Simple PKI”

    – A Testing Framework for PKI applications using Web Cryptography API

  • Developments related to Shibboleth

  • Shibboleth and its application development

    • Shibboleth – SAML2 SSO middleware

    – Identity Provider (IdP) runs in a Java application container (e.g. Jetty)

    – Service Provider (SP) can be built from an Apache module (mod_shib)

    • User attributes are passed to the application as environment variables

    • Deployment issue – it is difficult to support the various languages and frameworks used to develop web applications (SPs)

  • An Example: Ruby on Rails

    • Easy to implement Web applications using Model/View/Controller pattern

    • Easy to integrate a Rails application with Shibboleth SP (mod_shib)

    (Diagram: a Web Server/Load Balancer (Apache, Nginx) terminates TCP and passes requests to the scripting language through CGI or a web server module (mod_php, mod_passenger); mod_shib and shibd sit in Apache. The Ruby on Rails application handles requests in code that follows DRY and CoC, with Rack middleware acting as HTTP handlers like Servlets. Shibboleth support means adding some code to the Rails application.)

  • An Example: Ruby on Rails

    • GitLab (Ruby on Rails application)

    – https://about.gitlab.com/

    – One of the major software repository hosting services

    – The Community Edition can be downloaded to build a private Git repository

    – It is still easy to add Shibboleth-related code, but …

    (Diagram: the same stack with GitLab as the Rails application. GitLab has frequent updates, and Shibboleth is just one of its authentication options. Do you want to patch GitLab every time?)

  • OmniAuth

    • Standardized multi-provider authentication for Rack middleware

    – RAILSCASTS #241

    • http://railscasts.com/episodes/241-simple-omniauth

    – GitLab supports OmniAuth

    (Diagram: the same stack, with OmniAuth placed in the Rack middleware layer, the HTTP handlers like Servlets, labelled "A Solution".)

  • Brief Overview of OmniAuth

    • OmniAuth supports multiple authentication providers

    – Each authentication provider is an OmniAuth Strategy

    • Multiple providers are handled by URI routing

    – $APP_PATH/auth/:provider/ (1) Start authenticating

    – $APP_PATH/auth/:provider/callback (2) Pass the result to the web app as a session variable

    • Auth Hash Schema

      { "provider": "twitter", "uid": "toyokazu", "info": { "name": "Toyokazu Akiyama" } }

    • Example strategies: facebook, twitter, ldap, oauth, openid

  • omniauth-shibboleth

  • omniauth-shibboleth

    • All you need to do is…

    – Protect /auth/shibboleth/callback with mod_shib

    – Add a configuration file to your app

    • That's all

    – omniauth-shibboleth repacks the SAML attributes into the Auth Hash Schema

    Rails example:

      % vi config/initializers/omniauth.rb
      Rails.application.config.middleware.use OmniAuth::Builder do
        provider :shibboleth
      end
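The first step, protecting only the callback path with mod_shib, looks like this in the Apache virtual host. This is an added example and not from the slides; it assumes the Rails app runs under mod_passenger in the same Apache, so attributes reach it as environment variables.

```apache
# Only the OmniAuth callback needs a Shibboleth session. The rest of the
# Rails application stays reachable without one; OmniAuth starts the login
# by redirecting the browser to this path, and mod_shib sends it on to the IdP.
<Location /auth/shibboleth/callback>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
</Location>
```

Leave ShibUseHeaders at its default (Off) in this layout: with mod_passenger the attributes arrive as environment variables, which a client cannot forge. Turning it On is only needed when Apache proxies to a separate application server, and then that server must accept the attribute headers from this Apache alone.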

  • omniauth-shibboleth

    • Flexible attribute mapping

      % vi config/initializers/omniauth.rb
      Rails.application.config.middleware.use OmniAuth::Builder do
        provider :shibboleth, {
          :uid_field => "uid",
          :name_field => "displayName",
          :info_fields => {
            :email => "mail",
            :location => "contactAddress",
            :image => "photo_url",
            :phone => "contactPhone"
          }
        }
      end

    (SAML attributes → Auth Hash Schema)

  • omniauth-shibboleth

    • More flexible attribute mapping

      % vi config/initializers/omniauth.rb
      Rails.application.config.middleware.use OmniAuth::Builder do
        provider :shibboleth, {
          :uid_field => lambda { |request_param| request_param.call('eppn') || request_param.call('mail') },
          :name_field => lambda { |request_param| "#{request_param.call('cn')} #{request_param.call('sn')}" }
        }
      end

    – name is the concatenation of 'cn' and 'sn'

    – uid is 'eppn', falling back to 'mail' when 'eppn' is absent

    • IdP administrators are freed from complex attribute mapping on the IdP side
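The repacking described on the three omniauth-shibboleth slides, written out as an added example. This is not the gem's code: it keeps the option names from the slides (uid_field, name_field, info_fields), uses request_type and shib_session_id_field as assumed names for the two knobs it needs, and adds the one check a callback must have, that the attributes are refused unless mod_shib established a session, because otherwise nothing vouches for them. The Rack env is constructed.

```ruby
# Added example: a simplified repacker in the spirit of omniauth-shibboleth.
# Not the gem's code; option names follow the slides (uid_field, name_field,
# info_fields), with request_type / shib_session_id_field as assumed names.

class ShibRepacker
  DEFAULTS = {
    request_type: :env,                 # :env = mod_shib via CGI/Passenger sets env vars
                                        # :header = attributes arrive as HTTP headers (proxy)
    shib_session_id_field: 'Shib-Session-ID',
    uid_field: 'eppn',
    name_field: 'displayName',
    info_fields: {}                     # e.g. { email: 'mail', phone: 'contactPhone' }
  }.freeze

  def initialize(options = {})
    @options = DEFAULTS.merge(options)
  end

  # Turn a Rack env hash into the Auth Hash. Returns nil when mod_shib has not
  # established a session: then nothing vouches for the attributes, so the
  # callback must not trust them (a client could have sent them as headers).
  def call(env)
    read = reader_for(env)
    return nil if read.call(@options[:shib_session_id_field]).nil?

    info = { 'name' => resolve(@options[:name_field], read) }
    @options[:info_fields].each { |key, field| info[key.to_s] = resolve(field, read) }
    { 'provider' => 'shibboleth', 'uid' => resolve(@options[:uid_field], read), 'info' => info }
  end

  private

  # A field is either an attribute name or a lambda receiving the reader,
  # which is what lets uid be "eppn, else mail" or name be "cn sn".
  def resolve(field, read)
    field.respond_to?(:call) ? field.call(read) : read.call(field)
  end

  # Builds the reader; empty strings become nil so `||` fallbacks in lambdas work.
  def reader_for(env)
    key_of = case @options[:request_type]
             when :env    then ->(name) { name }
             when :header then ->(name) { "HTTP_#{name.upcase.tr('-', '_')}" }
             else raise ArgumentError, "unknown request_type: #{@options[:request_type]}"
             end
    lambda do |name|
      value = env[key_of.call(name)]
      value.nil? || value.empty? ? nil : value
    end
  end
end

# Constructed env, as mod_shib + mod_passenger would populate it after login.
SAMPLE_ENV = {
  'Shib-Session-ID' => '_0123456789abcdef',
  'eppn' => 'alice@example.ac.jp',
  'mail' => 'alice@example.ac.jp',
  'displayName' => 'Alice Example',
  'cn' => 'Alice',
  'sn' => 'Example'
}.freeze

if $PROGRAM_NAME == __FILE__
  flexible = ShibRepacker.new(
    uid_field:  ->(p) { p.call('eppn') || p.call('mail') },
    name_field: ->(p) { "#{p.call('cn')} #{p.call('sn')}" },
    info_fields: { email: 'mail' }
  )
  p flexible.call(SAMPLE_ENV)
  p flexible.call(SAMPLE_ENV.reject { |k, _| k == 'Shib-Session-ID' })  # nil: no session
end
```

The :header mode is the one to be careful with: it only makes sense when mod_shib itself rewrote the headers on the way in, since a browser can send an `eppn:` header just as easily as Apache can.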

  • Apache configuration problem (1/2)

    • An example Rails app hosting architecture using mod_passenger

    (Diagram: the Web Browser talks to the Web Server, where Apache runs mod_shib (with shibd) and mod_passenger; the Passenger HelperAgent spawns Rails App processes into an ApplicationPool, and SAML attributes are passed to them as environment variables. For the detailed Passenger architecture see https://www.phusionpassenger.com/documentation/Design%20and%20Architecture.html)

    If we can configure Apache, there is NO PROBLEM.

  • Apache configuration problem (2/2)

    • An example cloud hosting architecture

    – e.g. Heroku (Rails application hosting)

    (Diagram: the Web Browser reaches an Apache mod_proxy Web Server managed by the hosting service provider, which forwards to an Application Server managed by the cloud user running Rails on Unicorn. mod_shib cannot be installed on the provider's web server, yet the mod_shib function is required in front of the application.)

  • rack-saml

  • rack-saml

    • Pure Ruby Shibboleth SP (Rack middleware)

    • Cooperates easily with omniauth-shibboleth

    • A SAML metadata import tool is provided

    (Diagram: the same stack, with Rack::SAML placed in the Rack middleware layer, the HTTP handlers like Servlets.)

    Supplement: since OmniAuth and Rack::SAML are Rack middleware, they can be used NOT ONLY with Rails but also with other frameworks.

  • Developments related to “Simple PKI”

  • Recent Web technology changes

    • WebRTC (Web Real-Time Communication)

    – APIs for real-time communication: local device operation and P2P communication

    – Enables "voice chat" without plug-ins

    – Standardization is ongoing at the W3C and IETF

    • An example application – SkyWay (NTT Communications)

    – WebRTC platform for application developers: build a new app without preparing servers

    – A signaling server (PeerJS server) is required to set up P2P communication

    • For authentication and encrypted communication, DTLS-SRTP is used

  • An issue in DTLS-SRTP for P2P communication (1/3)

    • The signaling server (provided by the application provider) must guarantee the authentication of end-users

    (Diagram: User A and User B each hold a self-signed certificate; the certificates' fingerprints are exchanged through the signaling server, and the DTLS-SRTP key exchange yields one shared key between A and B.)

  • Issues in DTLS-SRTP for P2P communication (2/3)

    • The signaling server (provided by the application provider) must guarantee the authentication of end-users

    (Diagram: man-in-the-middle attack. The signaling server substitutes a fake certificate A' for A's toward User B and a fake certificate B' for B's toward User A; the DTLS-SRTP key exchange then produces shared key 1 between A and the attacker and shared key 2 between the attacker and B.)

  • Issues in DTLS-SRTP for P2P communication (3/3)

    • The growing number of application providers makes it difficult for users to judge their trustworthiness

    (Diagram: many signaling servers; trustworthy, or not trustworthy?)

  • An approach to improve trustworthiness

    • Use certificates from a trusted third party (PKI)

    (Diagram: User A and User B each obtain a signed certificate from a trusted third party signing server; the signed certificates are exchanged via the signaling server, which can no longer pass off a fake certificate as A's or B's.)
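The man-in-the-middle on slide 2/3 and the trusted-third-party fix above, modelled as an added example (not WebRTC code and not from the slides) with Ruby's OpenSSL binding. Real WebRTC carries the certificate fingerprint in the SDP `a=fingerprint` line; here an offer is a small hash with the claimed identity and the fingerprint, the signaling server either relays it or swaps in the attacker's certificate, and the receiving side applies one of two policies. The second policy goes one step beyond the slide: besides requiring a chain to the trusted signing server it checks that the certificate's subject is the identity that was claimed, because a CA-issued certificate for the attacker's own name would otherwise still pass. All certificates are generated on the fly and are constructed test material.

```ruby
require 'openssl'

# Added example modelling the DTLS-SRTP slides: honest vs. malicious signaling
# server, and a receiver that checks fingerprint only (self-signed certs) or
# fingerprint + trusted CA chain + claimed identity (the PKI approach).
# Toy model, not WebRTC code; every certificate here is constructed.

KEY_BITS = 2048

# Build an X.509 cert for `cn`; self-signed unless an issuer {key:, cert:} is given.
def make_cert(cn, key, issuer: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer ? issuer[:cert] : cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  cert
end

# SDP-style fingerprint, as in "a=fingerprint:sha-256 AB:CD:...".
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

def subject_cn(cert)
  cert.subject.to_a.find { |name, _, _| name == 'CN' }[1]
end

# What a peer sends through the signaling server about itself.
def offer_for(identity, cert)
  { 'identity' => identity, 'fingerprint' => fingerprint(cert) }
end

# Honest signaling: offer relayed unchanged, the peer's own cert shows up in DTLS.
def honest_relay(offer, dtls_cert)
  [offer, dtls_cert]
end

# Malicious signaling (slide 2/3): swap in the attacker's fingerprint and
# terminate DTLS with the attacker's certificate, giving two shared keys.
def mitm_relay(offer, _dtls_cert, attacker_cert)
  [offer.merge('fingerprint' => fingerprint(attacker_cert)), attacker_cert]
end

# Policy 1 (self-signed certs): the only check is fingerprint == signaled value.
def accept_fingerprint_only?(offer, presented)
  fingerprint(presented) == offer['fingerprint']
end

# Policy 2 (PKI): fingerprint must match, the cert must chain to the trusted
# signing server, AND its subject must be the identity that was claimed.
def accept_with_pki?(offer, presented, store)
  accept_fingerprint_only?(offer, presented) &&
    store.verify(presented) &&
    subject_cn(presented) == offer['identity']
end

# Runs every combination; a true value means "B accepts the peer as A".
def run_scenarios
  ca_key  = OpenSSL::PKey::RSA.new(KEY_BITS)
  a_key   = OpenSSL::PKey::RSA.new(KEY_BITS)
  att_key = OpenSSL::PKey::RSA.new(KEY_BITS)
  ca = { key: ca_key, cert: make_cert('Trusted third party signing server', ca_key, ca: true) }

  a_self   = make_cert('A', a_key)                        # slide 1/3: self-signed
  a_signed = make_cert('A', a_key, issuer: ca)            # the fix: CA-signed
  a_fake   = make_cert('A', att_key)                      # attacker's self-signed "A"
  m_signed = make_cert('Mallory', att_key, issuer: ca)    # attacker's own CA-signed cert

  store = OpenSSL::X509::Store.new
  store.add_cert(ca[:cert])

  results = {}
  o, c = honest_relay(offer_for('A', a_self), a_self)
  results[:self_signed_honest] = accept_fingerprint_only?(o, c)
  o, c = mitm_relay(offer_for('A', a_self), a_self, a_fake)
  results[:self_signed_mitm] = accept_fingerprint_only?(o, c)         # attack succeeds
  o, c = honest_relay(offer_for('A', a_signed), a_signed)
  results[:pki_honest] = accept_with_pki?(o, c, store)
  o, c = mitm_relay(offer_for('A', a_signed), a_signed, a_fake)
  results[:pki_mitm] = accept_with_pki?(o, c, store)                  # no chain: rejected
  o, c = mitm_relay(offer_for('A', a_signed), a_signed, m_signed)
  results[:pki_mitm_own_cert] = accept_with_pki?(o, c, store)         # wrong subject: rejected
  results
end

p run_scenarios if $PROGRAM_NAME == __FILE__
```

The fingerprint-only policy is exactly as strong as the channel that delivered the fingerprint, which is the signaling server; that is why the slide says the server "must guarantee" authentication. The PKI policy moves that trust to the signing server, and the last scenario shows why the identity check is part of it and not just the chain.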

  • Issues in PKI

    • Strict PKI requires high operational cost

    – An online signing service can be used instead

    • PKI requires users to manage key pairs

  • PKI key management problem

    • Personal certificates in Keychain Access

    (Screenshot: two personal certificates, each showing Country, Organization and CN fields.)

    If the user name is the same, it may be difficult for users to
