SANS Technology Institute - Candidate for Master of Science Degree 1
STRIDE towards 2-factor Web SSO
Rich Graves, October 2014
GIAC GSE, GCIA, GCIH, GPEN, GSEC, GWAPT, GWEB, GCFE, GAWN, GCPM
@richgraves
Objective
• Web single sign-on with Shibboleth
• Phishing and stolen credential defense
• Documented, repeatable process
• Guided by some theoretical framework
• Give back to the .edu community
Strong password policy, but…
“Policy” Background
Since 2011, attempt to establish norm that remote access to sensitive data requires two-factor authentication
• OpenVPN: certificate + password
• SSH: Duo (or RSA key) (key issues)
• Citrix: Duo for remote access only
2-Factor for Web Applications
• “The new version of X won’t need a VPN because it uses a secure web server”
• Some web applications limited by IP
• Moving toward single sign-on with Shibboleth, Duo 2-factor authentication
• To some vendors, “single sign-on” means the portal caches your password
About SAML and Shibboleth
• SAML: Security Assertion Markup Language
  • OASIS standard
• Shibboleth: Internet2 open source
  • Identity Provider (IdP): Java J2EE
  • Service Provider (SP): Apache & IIS
• Sort of like OpenID, but with XML
Gnarly SAML2 Flow Diagram
Federation and Attributes
• An academic publisher wishes to make scientific journals available to currently enrolled students, but not faculty or alumni, at universities that have paid a site license fee.
• Claims-based systems work best here
• Privacy: credentials without identity
Distributed Live Demo
• https://login.carleton-edu.com/
• Password for “user1” is “1”
• And so on up to “user200” and “200”
• “user1” can log on with just a password; all others require 2-factor enrollment
Please Do Try This At Home
• http://go.carleton.edu/shibcentos6
• Fully configured CentOS, OpenLDAP, Shibboleth IdP and SP, 2-factor auth with MCB and DuoSecurity
• OVF format, VMware appliance
• Root password: shibboleth
What’s in the Box?
• CentOS 6, Tomcat, Apache
• Shibboleth 2.4.1
• Internet2 Multi Context Broker
• DuoSecurity web integration
Thanks to InCommon and University of Chicago for writing & packaging code, so it’s “just a matter of following directions”
About STRIDE
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege
Adam Shostack’s Threat Modeling
What I Learned From STRIDE
• Brainstorm broad categories, rather than checklists like OWASP Top 10
• Securing complex applications is complicated
• Key management the most important, most neglected facet of crypto
Shib/SAML2 Metadata Vulns
• Many service providers tell you to set encryptAssertions="never" encryptNameIds="never"
• Many identity providers fail to check signatures on imported metadata – a serious key management issue
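As an added example (not from the slides or the appliance), both bullets above in Shibboleth IdP 2.x relying-party.xml syntax: the per-SP profile a vendor typically asks for beside the default that keeps encryption on, and a metadata provider that refuses metadata not signed by a pinned federation certificate. Entity IDs, file paths and the federation URL are placeholder assumptions; the two RelyingParty blocks are alternatives, not meant to coexist.

```xml
<!-- Weak: what many SP vendors ask for. Assertion and NameID cross the
     browser in the clear, so only the TLS hop protects them against
     tampering and information disclosure. Placeholder entity IDs. -->
<rp:RelyingParty id="https://sp.example.edu/shibboleth"
                 provider="https://idp.example.edu/idp/shibboleth"
                 defaultSigningCredentialRef="IdPCredential">
  <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
      signAssertions="always" signResponses="never"
      encryptAssertions="never" encryptNameIds="never"/>
</rp:RelyingParty>

<!-- Hardened: keep the default ("conditional" = encrypt whenever the SP
     publishes an encryption key in its metadata) and fix the SP's
     metadata instead of switching encryption off. -->
<rp:RelyingParty id="https://sp.example.edu/shibboleth"
                 provider="https://idp.example.edu/idp/shibboleth"
                 defaultSigningCredentialRef="IdPCredential">
  <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
      signAssertions="always" signResponses="never"
      encryptAssertions="conditional" encryptNameIds="conditional"/>
</rp:RelyingParty>

<!-- Key management for imported metadata: pin the federation's metadata
     signing certificate (placeholder path) instead of trusting whatever
     the download says about itself. -->
<security:TrustEngine id="shibboleth.MetadataTrustEngine"
                      xsi:type="security:StaticExplicitKeySignature">
  <security:Credential id="FederationMetadataSigningCert"
                       xsi:type="security:X509Filesystem">
    <security:Certificate>/opt/shibboleth-idp/credentials/federation-md-cert.pem</security:Certificate>
  </security:Credential>
</security:TrustEngine>

<!-- Metadata provider that rejects unsigned metadata and metadata whose
     signature does not verify against the pinned cert. Placeholder URL. -->
<metadata:MetadataProvider id="FederationMD"
    xsi:type="metadata:FileBackedHTTPMetadataProvider"
    metadataURL="https://federation.example.edu/metadata.xml"
    backingFile="/opt/shibboleth-idp/metadata/federation-metadata.xml">
  <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
    <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
                             trustEngineRef="shibboleth.MetadataTrustEngine"
                             requireSignedMetadata="true"/>
  </metadata:MetadataFilter>
</metadata:MetadataProvider>
```

A quick check after a restart: the IdP log should show the filter loading, and replacing the backing file with an unsigned copy should make the provider refuse it rather than silently accept new SP keys.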
Summary
• More centralized authentication can be stronger authentication: 2-factor, etc.
• Central authentication is a target
• Shibboleth+MCB+Duo works!
• Full research findings at http://go.carleton.edu/shibcentos6