Transcript
Page 1: An introduction of several development activities related to Shibboleth and Web browser-based simple PKI

An introduction of several development activities related to Shibboleth and Web browser-based simple PKI

Toyokazu Akiyama (1), Motonori Nakamura (2), Takeshi Nishimura (2), Kazutsuna Yamaji (2), Yukiko Kawai (1)

(1) Kyoto Sangyo University, Japan; (2) National Institute of Informatics, Japan

Page 2

Contents

• Developments related to Shibboleth

– omniauth-shibboleth

– rack-saml

• Developments related to “Simple PKI”

– A Testing Framework for PKI applications using Web Cryptography API

Page 3

Developments related to Shibboleth

Page 4

Shibboleth and its application development

• Shibboleth – SAML2 SSO middleware

– Identity Provider (IdP) runs on a Java Application Container (e.g. Jetty)

– Service Provider (SP) can be constructed using an Apache module (mod_shib)

• User attributes are passed as environment variables

• Deployment Issue – Difficult to support the various languages and frameworks used to develop web applications (SP)

Page 5

An Example: Ruby on Rails

• Easy to implement Web applications using the Model/View/Controller pattern

• Easy to integrate a Rails application with Shibboleth SP (mod_shib)

[Figure: hosting stack. The Web Server/Load Balancer (Apache, Nginx) terminates TCP and hosts mod_shib with shibd; a CGI or Web Server module (mod_php, mod_passenger) passes requests to scripting languages; Ruby on Rails handles requests with code written in respect of DRY and CoC; the Rails application sits on Rack middleware (HTTP handlers like Servlets). Some code is added to the Rails application for Shibboleth.]

Page 6

An Example: Ruby on Rails

• GitLab (Ruby on Rails application)

– https://about.gitlab.com/

• One of the major software repositories

– Community Edition can be downloaded for constructing a private Git repository

– It’s still easy to add Shibboleth related code, but …

[Figure: the same hosting stack with GitLab as the Rails application and mod_shib/shibd at the web server. Adding Shibboleth code to GitLab raises two problems: GitLab is updated frequently, and Shibboleth is just one of its authentication options. Do you want to patch GitLab every time?]

Page 7

OmniAuth

• Standardized Multi-Provider Authentication for Rack middleware

– RAILSCASTS #241

• http://railscasts.com/episodes/241-simple-omniauth

– GitLab supports OmniAuth

[Figure: the hosting stack again, with OmniAuth inserted as Rack middleware (HTTP handlers like Servlets) beneath the Rails application, labelled "A Solution".]

Page 8

Brief Overview of OmniAuth

• OmniAuth supports multiple authentication providers

– Authentication provider: OmniAuth Strategy (e.g. facebook, twitter, ldap, oauth, openid)

• Multiple providers are handled by URI routing

– $APP_PATH/auth/:provider/ (1) Start authenticating

– $APP_PATH/auth/:provider/callback (2) Pass the result to the Web App as a session variable

Auth Hash Schema

{ "provider": "twitter", "uid": "toyokazu", "info": { "name": "Toyokazu Akiyama" } }

Page 9

omniauth-shibboleth

Page 10

omniauth-shibboleth

• What you need to do is…

– Protect /auth/shibboleth/callback by mod_shib

– Add a configuration file to your App

• That’s all

– omniauth-shibboleth repacks the SAML attributes into the Auth Hash Schema

Rails example

% vi config/initializers/omniauth.rb

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :shibboleth
end

Page 11

omniauth-shibboleth

• Flexible attribute mapping

% vi config/initializers/omniauth.rb

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :shibboleth, {
    :uid_field => "uid",
    :name_field => "displayName",
    :info_fields => {
      :email => "mail",
      :location => "contactAddress",
      :image => "photo_url",
      :phone => "contactPhone"
    }
  }
end

[Figure: SAML attributes mapped onto the Auth Hash Schema]

Page 12

omniauth-shibboleth

• More flexible attribute mapping

% vi config/initializers/omniauth.rb

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :shibboleth, {
    :uid_field => lambda { |request_param| request_param.call('eppn') || request_param.call('mail') },
    :name_field => lambda { |request_param| "#{request_param.call('cn')} #{request_param.call('sn')}" }
  }
end

name is the concatenation of ‘cn’ and ‘sn’

uid is ‘eppn’ or ‘mail’

IdP administrators are released from complex attribute mapping on the IdP side
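As an added illustration (not omniauth-shibboleth's own code), the following Ruby shows how a mapping in this option style repacks the attributes that mod_shib hands over as request environment variables into the Auth Hash Schema, including the eppn-or-mail fallback and the cn + sn concatenation from the slide; SAMPLE_ENV, the helper names and the option hashes are constructed for this example.

```ruby
# Added example, not omniauth-shibboleth's own code: repack the SAML attributes
# that mod_shib exposes as environment variables into the OmniAuth Auth Hash
# Schema, using the option style shown on the slides (:uid_field, :name_field,
# :info_fields; each value is an attribute name or a lambda taking request_param).

# Constructed request environment as mod_shib would populate it (sample values).
SAMPLE_ENV = {
  'eppn'           => 'akiyama@example.ac.jp',
  'mail'           => 'akiyama@example.ac.jp',
  'cn'             => 'Toyokazu',
  'sn'             => 'Akiyama',
  'displayName'    => 'Toyokazu Akiyama',
  'contactAddress' => 'Kyoto, Japan',
}.freeze

DEFAULT_OPTIONS = { uid_field: 'eppn', name_field: 'displayName', info_fields: {} }.freeze

# Resolve one mapping entry. A String/Symbol is looked up directly; a lambda gets a
# request_param accessor so it can combine or fall back between attributes.
def resolve_field(field, env)
  request_param = lambda do |name|
    value = env[name.to_s]
    value.nil? || value.empty? ? nil : value   # treat absent and empty alike
  end
  field.respond_to?(:call) ? field.call(request_param) : request_param.call(field)
end

# Build the Auth Hash. A missing uid is an error: the app must never create a
# session for a user it cannot identify.
def auth_hash(env, options = {})
  opts = DEFAULT_OPTIONS.merge(options)
  uid = resolve_field(opts[:uid_field], env)
  raise ArgumentError, 'uid attribute not released by IdP' if uid.nil?
  info = { 'name' => resolve_field(opts[:name_field], env) }
  opts[:info_fields].each { |key, field| info[key.to_s] = resolve_field(field, env) }
  { 'provider' => 'shibboleth', 'uid' => uid, 'info' => info }
end

# The "more flexible" mapping from the slide: uid from eppn or mail, name from cn + sn.
FLEXIBLE_OPTIONS = {
  uid_field:   lambda { |request_param| request_param.call('eppn') || request_param.call('mail') },
  name_field:  lambda { |request_param| "#{request_param.call('cn')} #{request_param.call('sn')}" },
  info_fields: { email: 'mail', location: 'contactAddress' },
}.freeze
```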

Page 13

Apache configuration problem (1/2)

• An example Rails App hosting architecture using mod_passenger

[Figure: Web Browser → Web Server (Apache with mod_shib and mod_passenger, shibd alongside) → Passenger HelperAgent with an ApplicationPool that spawns Rails App processes. SAML attributes are passed as environment variables.]

For the detailed Passenger architecture, please refer to: https://www.phusionpassenger.com/documentation/Design%20and%20Architecture.html

If we can configure Apache, there is NO PROBLEM.

Page 14

Apache configuration problem (2/2)

• An example Cloud hosting architecture

– e.g. Heroku (Rails application hosting)

[Figure: Web Browser → Web Server (Apache mod_proxy, managed by the Hosting Service Provider) → Application Server (Rails on Unicorn, managed by the Cloud User). mod_shib cannot be installed on the provider-managed web server, yet the mod_shib function is required on the application server side.]

Page 15

rack-saml

Page 16

rack-saml

• Pure Ruby Shibboleth SP (Rack middleware)

• Cooperates with omniauth-shibboleth easily

• SAML metadata importing tool is provided

[Figure: the hosting stack with Rack::SAML as Rack middleware (HTTP handlers like Servlets) beneath the Rails application.]

Supplement: since OmniAuth and Rack::SAML are Rack::Middleware, they can be used NOT ONLY for Rails but also for other frameworks.

Page 17

Developments related to “Simple PKI”

Page 18

Recent Web technology changes

• WebRTC (Web Real-Time Communication)

– APIs for real-time communication

• Local device operation

• P2P communication

– Enables “voice chat” without plug-ins

– Standardization is ongoing at W3C and IETF

• An example application – SkyWay (NTT Communications)

• WebRTC platform for application developers

• Construct a new App without preparing servers

– Signaling server (PeerJS server) is required for P2P communication

• For Authentication & Encrypted communication – DTLS-SRTP is used

Page 19

An issue in DTLS-SRTP for P2P communication (1/3)

• The signaling server (provided by the application provider) must guarantee the authentication of end-users

[Figure: User A and User B each hold a self-signed certificate; they exchange certificates through the signaling server, perform the key exchange in DTLS-SRTP and derive a shared key.]

Page 20

Issues in DTLS-SRTP for P2P communication (2/3)

• The signaling server (provided by the application provider) must guarantee the authentication of end-users

[Figure: man-in-the-middle attack. The signaling server substitutes fake certificates A’ and B’ for the users’ self-signed certificates, so the DTLS-SRTP key exchange produces Shared key 1 between User A and the server and Shared key 2 between the server and User B.]

Page 21

Issues in DTLS-SRTP for P2P communication (3/3)

• The increase of application providers makes it difficult for users to judge their trustworthiness

[Figure: many signaling servers; Trustworthy? or Not Trustworthy?]

Page 22

An approach to improve trustworthiness

• Use trusted third party certificates (PKI)

[Figure: User A and User B each obtain a signed certificate from the Trusted third party signing server and exchange the signed certificates through the signaling server.]
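As an added example (not from the slides), the Ruby below shows the verification step that this approach makes possible: a peer's certificate is accepted only if it chains to the trusted third party and names the expected user, so a substituted self-signed certificate with the same name (the A’ of the previous slide) is rejected. Keys, names and serial numbers are constructed for the illustration; the certificate-building helper is only for setting up the two cases.

```ruby
require 'openssl'

# Added example, not from the slides: check a DTLS-SRTP peer's certificate against
# the trusted third party instead of accepting whatever the signaling server relays.
# All keys, names and serials below are constructed for this illustration.

# Build a certificate: self-signed when no issuer is given, otherwise signed by
# the trusted third party's key.
def make_cert(cn, key, serial, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Accept the peer only if its certificate chains to the trusted third party AND
# names the user we expect; a self-signed certificate with the same CN fails here.
def trusted_peer?(peer_cert, ca_cert, expected_cn)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  cn = peer_cert.subject.to_a.find { |name, _, _| name == 'CN' }&.fetch(1)
  store.verify(peer_cert) && cn == expected_cn
end

# Re-create the two situations from the slides: User A's certificate signed by the
# trusted third party versus a substituted self-signed certificate with the same name.
def demo
  ca_key   = OpenSSL::PKey::RSA.new(2048)
  ca_cert  = make_cert('Trusted third party', ca_key, 1, ca: true)
  a_key    = OpenSSL::PKey::RSA.new(2048)
  a_signed = make_cert('User A', a_key, 2, issuer: ca_cert, issuer_key: ca_key)
  fake_key = OpenSSL::PKey::RSA.new(2048)
  a_fake   = make_cert('User A', fake_key, 3)
  { signed: trusted_peer?(a_signed, ca_cert, 'User A'),
    fake:   trusted_peer?(a_fake, ca_cert, 'User A') }
end
```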

Page 23

Issues in PKI

• Strict PKI requires high operation cost

– Online signing service can be used

• PKI requires users to operate Key pairs

Page 24

PKI key management problem

• Personal certificate in Keychain Access

[Figure: two personal certificates shown in Keychain Access, each listing Country, Organization, CN and Issuer Name.]

If the user name is the same, it may be difficult for users to distinguish the certificates.

It may also be difficult for users to choose the proper certificate for the proper application by Issuer Name.

Page 25

An approach to solve PKI Key management problem

• Automatic key selection

– If PKI keys are managed in JavaScript, it is possible to choose the key automatically by Web Apps

• Issues in JavaScript-based Key management

Page 26

Issues in JavaScript-based Key management

• Pure JavaScript PKI related libraries – jsrsasign, PKI.js

• Store keys in storage that is accessible from JavaScript

– Example Issue: entities stored in HTML5 Local Storage can be accessed by any remote script

[Figure: Script A and Script B (JavaScript) can both reach the private key.]

Secure Key Storage must be used

Page 27

An approach to solve Key management in JavaScript

• Using Web Cryptography API

– JavaScript API for performing basic cryptographic operations in web applications

– The specification discusses Key management issues

• However, key management specification itself is out of scope (will be defined as the other standard?)

• Issues

– Standardization is ongoing

– Implementations are not finished

Page 28

Construct Testing Framework for Applications using Web Cryptography API (1/2)

• Implementation of Testing Framework

– Separate key operations into the Key Management Server (KMS)

• KMS is implemented using Node.js & node-forge

[Figure: the App Script (JavaScript) includes a Web Cryptography API layer exposing encrypt(key_id, …), decrypt(key_id, …), …; each API call is mapped to socket.io communication with the Key Management Server (KMS) running on the local PC, which holds the private keys with their key_id. Key operation is done in the KMS.]

Page 29

Construct Testing Framework for Applications using Web Cryptography API (2/2)

• Implement an example application

– Online certificate issuance application

[Figure: on the Client PC, the App Script talks over socket.io to the Key Management Server, which keeps a per-user key management folder and a per-user process holding PKCS #12 files; the user inputs a password via the GUI. The KMS generates a key pair, the public key is sent to the CA Server for online cert issuance, and the signed public key is returned and stored as PKCS #12.]

Page 30

Future Work

• Adjust the interface to be more compatible with the Web Cryptography API

• Implement DTLS-SRTP using the Testing Framework

• Consider the design and implementation of automatic key management

Page 31

Conclusion

• Developments related to Shibboleth

– omniauth-shibboleth

– rack-saml

• Developments related to “Simple PKI”

– A Testing Framework of PKI applications using Web Cryptography API
