STRIDE towards 2-factor Web SSO. Rich Graves, October 2014. SANS Technology Institute - Candidate for Master of Science Degree. GIAC GSE, GCIA, GCIH, GPEN, GSEC, GWAPT, GWEB, GCFE, GAWN, GCPM. @richgraves


Page 1

STRIDE towards 2-factor Web SSO

Rich Graves, October 2014

GIAC GSE, GCIA, GCIH, GPEN, GSEC, GWAPT, GWEB, GCFE, GAWN, GCPM

@richgraves

Page 2

Objective

• Web single sign-on with Shibboleth
• Phishing and stolen credential defense
• Documented, repeatable process
• Guided by some theoretical framework
• Give back to the .edu community

Page 3

Strong password policy, but…

Page 4

“Policy” Background

Since 2011, attempt to establish norm that remote access to sensitive data requires two-factor authentication

• OpenVPN: certificate + password
• SSH: Duo (or RSA key) (key issues)
• Citrix: Duo for remote access only

Page 5

2-Factor for Web Applications

“The new version of X won’t need a VPN because it uses a secure web server”
• Some web applications limited by IP
• Moving toward single sign-on with Shibboleth, Duo 2-factor authentication
• To some vendors, “single sign-on” means the portal caches your password

Page 6

About SAML and Shibboleth

• SAML: Security Assertion Markup Language
  • OASIS standard
• Shibboleth: Internet2 open source
  • Identity Provider (IdP): Java J2EE
  • Service Provider (SP): Apache & IIS
• Sort of like OpenID, but with XML

Page 7

Gnarly SAML2 Flow Diagram
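The diagram itself did not survive the transcript. What follows is an added example, not part of the talk and not Shibboleth or Duo code, that simulates the SP-initiated SAML2 Web Browser SSO exchange the diagram describes: the SP's AuthnRequest sent over the HTTP-Redirect binding, the IdP's Response returned over HTTP-POST, and the checks an SP has to make before trusting the NameID (issuer, status, destination, InResponseTo consumed once so a captured Response cannot be replayed, validity window, audience, and the authentication context, which is where a 2-factor requirement in the spirit of the Multi-Context Broker is enforced). The entity IDs, URLs, the MFA context URI and the user directory are constructed; XML Signature verification, which Shibboleth performs with xmlsec before any of these checks, is assumed to have passed and is not modelled.

```python
# Added example: simulated SP-initiated SAML2 Web Browser SSO. Not Shibboleth or Duo code; entity IDs,
# URLs, the MFA context URI and the user directory are constructed; XML Signature checks are assumed done.
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
IDP_ENTITY = "https://idp.example.edu/idp/shibboleth"                 # constructed
SP_ENTITY = "https://sp.example.edu/shibboleth"                       # constructed
ACS_URL = "https://sp.example.edu/Shibboleth.sso/SAML2/POST"          # constructed
SSO_URL = "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"    # constructed
MFA_CONTEXT = "urn:example:ac:classes:duo-mfa"                        # constructed
PASSWORD_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"  # standard SAML class
# Constructed directory in the spirit of the talk's demo: user1 is password-only, user2 needs Duo.
DEMO_USERS = {"user1": {"password": "1", "mfa": False}, "user2": {"password": "2", "mfa": True}}

def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class ServiceProvider:
    def __init__(self):
        self.outstanding = set()  # AuthnRequest IDs still awaiting their one Response

    def start_login(self):
        """Step 1: build an AuthnRequest and the HTTP-Redirect URL the browser is sent to."""
        req = ET.Element(f"{{{NS_P}}}AuthnRequest", {
            "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(datetime.now(timezone.utc)),
            "Destination": SSO_URL, "AssertionConsumerServiceURL": ACS_URL})
        ET.SubElement(req, f"{{{NS_A}}}Issuer").text = SP_ENTITY
        self.outstanding.add(req.get("ID"))
        raw_deflate = zlib.compress(ET.tostring(req))[2:-4]  # Redirect binding: raw DEFLATE, then base64
        return SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(raw_deflate).decode()})

    def consume_response(self, saml_response_b64, required_context=MFA_CONTEXT):
        """Step 3: validate the POSTed Response; return the NameID or raise ValueError."""
        resp = ET.fromstring(base64.b64decode(saml_response_b64))
        if resp.findtext(f"{{{NS_A}}}Issuer") != IDP_ENTITY:
            raise ValueError("response from an untrusted issuer")
        if resp.find(f"{{{NS_P}}}Status/{{{NS_P}}}StatusCode").get("Value") != SUCCESS:
            raise ValueError("IdP did not authenticate the user")
        if resp.get("Destination") != ACS_URL:
            raise ValueError("response addressed to a different endpoint")
        if resp.get("InResponseTo") not in self.outstanding:
            raise ValueError("unsolicited or replayed response")
        self.outstanding.discard(resp.get("InResponseTo"))  # consume the request ID: a replay now fails
        assertion = resp.find(f"{{{NS_A}}}Assertion")
        cond, now = assertion.find(f"{{{NS_A}}}Conditions"), datetime.now(timezone.utc)
        if not _parse(cond.get("NotBefore")) <= now < _parse(cond.get("NotOnOrAfter")):
            raise ValueError("assertion outside its validity window")
        if SP_ENTITY not in [aud.text for aud in cond.iter(f"{{{NS_A}}}Audience")]:
            raise ValueError("assertion not intended for this SP")
        ctx = assertion.findtext(f".//{{{NS_A}}}AuthnContextClassRef")
        if ctx != required_context:
            raise ValueError(f"authentication context {ctx} is weaker than required")
        return assertion.findtext(f"{{{NS_A}}}Subject/{{{NS_A}}}NameID")

def idp_handle_redirect(url, username, password, duo_ok=False, users=DEMO_USERS):
    """Step 2: decode the AuthnRequest, authenticate, and issue a Response for HTTP-POST."""
    raw = base64.b64decode(parse_qs(url.split("?", 1)[1])["SAMLRequest"][0])
    req = ET.fromstring(zlib.decompress(raw, -15))  # wbits -15: raw DEFLATE without zlib header
    user = users.get(username)
    if user is None or user["password"] != password:
        return _idp_response(req, None, None)
    # Multi-Context Broker idea: an enrolled user gets the MFA context only if Duo succeeded.
    return _idp_response(req, username, MFA_CONTEXT if user["mfa"] and duo_ok else PASSWORD_CONTEXT)

def _idp_response(req, username, context):
    now = datetime.now(timezone.utc)
    resp = ET.Element(f"{{{NS_P}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now),
        "Destination": req.get("AssertionConsumerServiceURL"), "InResponseTo": req.get("ID")})
    ET.SubElement(resp, f"{{{NS_A}}}Issuer").text = IDP_ENTITY
    code = SUCCESS if username else "urn:oasis:names:tc:SAML:2.0:status:Responder"
    ET.SubElement(ET.SubElement(resp, f"{{{NS_P}}}Status"), f"{{{NS_P}}}StatusCode", Value=code)
    if username:
        a = ET.SubElement(resp, f"{{{NS_A}}}Assertion", {
            "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now)})
        ET.SubElement(a, f"{{{NS_A}}}Issuer").text = IDP_ENTITY
        ET.SubElement(ET.SubElement(a, f"{{{NS_A}}}Subject"), f"{{{NS_A}}}NameID").text = username
        cond = ET.SubElement(a, f"{{{NS_A}}}Conditions", {
            "NotBefore": _ts(now - timedelta(minutes=1)), "NotOnOrAfter": _ts(now + timedelta(minutes=5))})
        ET.SubElement(ET.SubElement(cond, f"{{{NS_A}}}AudienceRestriction"), f"{{{NS_A}}}Audience").text = SP_ENTITY
        stmt = ET.SubElement(a, f"{{{NS_A}}}AuthnStatement", AuthnInstant=_ts(now))
        ET.SubElement(ET.SubElement(stmt, f"{{{NS_A}}}AuthnContext"), f"{{{NS_A}}}AuthnContextClassRef").text = context
    return base64.b64encode(ET.tostring(resp)).decode()

def login(sp, username, password, duo_ok=False, required_context=MFA_CONTEXT):
    # One complete exchange: returns the NameID the SP accepted, or the SP's rejection reason.
    try:
        return sp.consume_response(idp_handle_redirect(sp.start_login(), username, password, duo_ok), required_context)
    except ValueError as err:
        return f"rejected: {err}"
```

`login(ServiceProvider(), "user2", "2", duo_ok=True)` returns `"user2"`; the same call without `duo_ok` is refused because the session only carries the Password context, and `login(sp, "user1", "1", required_context=PASSWORD_CONTEXT)` shows an SP that is content with a password-only session. Feeding one captured Response to `consume_response` a second time fails the InResponseTo check, which is the whole point of tracking outstanding request IDs.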

Page 8

Federation and Attributes

• An academic publisher wishes to make scientific journals available to currently enrolled students, but not faculty or alumni, at universities that have paid a site license fee.

• Claims-based systems work best here

• Privacy: credentials without identity

Page 9

Distributed Live Demo

• https://login.carleton-edu.com/
• Password for “user1” is “1”
• And so on up to “user200” and “200”
• “user1” can log on with just a password; all others require 2-factor enrollment

Page 10

Please Do Try This At Home

• http://go.carleton.edu/shibcentos6

• Fully configured CentOS, OpenLDAP, Shibboleth IdP and SP, 2-factor auth with MCB and DuoSecurity

• OVF format, VMWare appliance
• Root password: shibboleth

Page 11

What’s in the Box?

• CentOS 6, Tomcat, Apache
• Shibboleth 2.4.1
• Internet2 Multi Context Broker
• DuoSecurity web integration

Thanks to InCommon and University of Chicago for writing & packaging code, so it’s “just a matter of following directions”

Page 12

About STRIDE

Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege

Adam Shostack’s Threat Modeling

Page 13

What I Learned From STRIDE

• Brainstorm broad categories, rather than checklists like OWASP Top 10

• Securing complex applications is complicated

• Key management the most important, most neglected facet of crypto

Page 14

Shib/SAML2 Metadata Vulns

• Many service providers tell you to set encryptAssertions="never" encryptNameIds="never"

• Many identity providers fail to check signatures on imported metadata – a serious key management issue
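As an added example (not Shibboleth code, and not from the talk), the two findings on this slide turned into a pre-import lint. One function reads federation metadata and reports a missing enclosing ds:Signature, a missing or expired validUntil, SPs that publish no encryption key, and AssertionConsumerService endpoints on cleartext http; the other reads an IdP 2.x relying-party.xml and reports every profile configuration with encryptAssertions="never" or encryptNameIds="never". The sample documents are constructed, with key material omitted. Presence of a Signature element is not verification: the IdP's SignatureValidation metadata filter, checking against a trusted key, is the actual control, and this script only catches the cases where that filter would have nothing to check.

```python
# Added example: a pre-import lint for SAML federation metadata and for a Shibboleth IdP 2.x
# relying-party.xml, reporting the two findings on this slide. Not Shibboleth code; the sample
# documents are constructed and omit key material. A ds:Signature being present is not
# verification: the IdP's SignatureValidation metadata filter still has to check it.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"

def local_name(tag):
    return tag.rsplit("}", 1)[-1]

def parse_saml_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def lint_metadata(xml_text, now=None):
    """Return findings for an EntitiesDescriptor that is about to be imported into an IdP."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    findings = []
    if root.find(f"{{{NS_DS}}}Signature") is None:
        findings.append("metadata: no enclosing ds:Signature, so nothing binds these keys to the federation")
    valid_until = root.get("validUntil")
    if valid_until is None:
        findings.append("metadata: no validUntil, so a stale or substituted copy would be accepted indefinitely")
    elif parse_saml_time(valid_until) <= now:
        findings.append(f"metadata: validUntil {valid_until} has passed")
    for entity in root.iter(f"{{{NS_MD}}}EntityDescriptor"):
        entity_id, sp = entity.get("entityID"), entity.find(f"{{{NS_MD}}}SPSSODescriptor")
        if sp is None:
            continue  # IdP-only entity; the SP checks below do not apply
        # A KeyDescriptor with no use attribute serves both signing and encryption.
        uses = [kd.get("use") for kd in sp.findall(f"{{{NS_MD}}}KeyDescriptor")]
        if not any(use in (None, "encryption") for use in uses):
            findings.append(f"{entity_id}: publishes no encryption key, so assertions to it cannot be encrypted")
        for acs in sp.findall(f"{{{NS_MD}}}AssertionConsumerService"):
            if acs.get("Location", "").startswith("http://"):
                findings.append(f"{entity_id}: AssertionConsumerService over cleartext http: {acs.get('Location')}")
    return findings

def lint_relying_party(xml_text):
    """Return findings for every profile configuration that switches encryption off."""
    findings = []
    for rp in ET.fromstring(xml_text).iter():
        if local_name(rp.tag) not in ("DefaultRelyingParty", "RelyingParty", "AnonymousRelyingParty"):
            continue
        rp_id = rp.get("id", local_name(rp.tag))
        for profile in rp:
            if local_name(profile.tag) != "ProfileConfiguration":
                continue
            for attr in ("encryptAssertions", "encryptNameIds"):
                if profile.get(attr) == "never":
                    findings.append(f'{rp_id}: {attr}="never" sends that data to the SP in the clear')
    return findings

# Constructed sample: unsigned metadata with one SP that publishes only a signing key and receives
# assertions over plain http, and one SP that is set up properly.
SAMPLE_METADATA = f"""<EntitiesDescriptor xmlns="{NS_MD}" validUntil="2015-01-15T00:00:00Z">
  <EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://vendor.example.com/sp">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing"/>
      <AssertionConsumerService Location="http://vendor.example.com/Shibboleth.sso/SAML2/POST" index="1"/>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://library.example.edu/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor/>
      <AssertionConsumerService Location="https://library.example.edu/Shibboleth.sso/SAML2/POST" index="1"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""

# Constructed relying-party.xml fragment in the IdP 2.x layout, with one vendor-specific override.
SAMPLE_RELYING_PARTY = """<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <rp:DefaultRelyingParty provider="https://idp.example.edu/idp/shibboleth">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="conditional" encryptNameIds="conditional"/>
  </rp:DefaultRelyingParty>
  <rp:RelyingParty id="https://vendor.example.com/sp" provider="https://idp.example.edu/idp/shibboleth">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never"/>
  </rp:RelyingParty>
</rp:RelyingPartyGroup>"""

def run_samples(as_of="2015-01-01T00:00:00Z"):
    """Lint both constructed samples as of the given time; returns the combined findings."""
    return lint_metadata(SAMPLE_METADATA, parse_saml_time(as_of)) + lint_relying_party(SAMPLE_RELYING_PARTY)

if __name__ == "__main__":
    print("\n".join(run_samples()))
```

`lint_metadata` takes the reference time as a parameter so the validUntil check is deterministic; as of 2015-01-01 the samples yield five findings (three for the metadata, two for the vendor's relying-party override), and a year later a sixth for the expired validUntil. For metadata fetched from outside, parse with defusedxml rather than plain ElementTree, which does no entity-expansion protection.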

Page 15

Summary

• More centralized authentication can be stronger authentication: 2-factor, etc.

• Central authentication is a target
• Shibboleth+MCB+Duo works!

• Full research findings at http://go.carleton.edu/shibcentos6