
Page 1: The Raven Web Authentication Service Jon Warbrick University of Cambridge Computing Service jon.warbrick@ucs.cam.ac.uk

The Raven Web Authentication Service

Jon Warbrick University of Cambridge Computing Service

jon.warbrick@ucs.cam.ac.uk

Page 2:

What is it?

● Some software
  – grandly entitled 'The University of Cambridge Web Authentication System' (ucam-webauth)
● A centrally-managed authentication server
  – the real 'Raven'
● What does it give you?
  – an authenticated identity for a web browser user
● Why authentication, why ANOTHER system?

Page 3:

Why do we need authentication?

● Much of the time we don't and shouldn't
  – the web succeeded because it was free
● But sometimes we do
  – to control access
  – so we know who we are talking to
  – to provide customisation, user privacy, etc.
● AAA - Access control, Authentication, Authorization

Page 4:

IP address-based and DNS name-based

● Only does access control
● Too lax
  – just who has access to a .cam.ac.uk host?
  – open proxies
● Too restrictive
  – working at home, in another department, etc.
● But in practice it's all we've got...
  – ... at the moment

Page 5:

Public/private keys and PKI

● Client keys/certificates supported in https:
● But https: can be overkill
● Transporting keys is tricky:
  – Please memorise your new 1024-bit private key:
  – MIICXQIBAAKBgQDf+LNk7CvEBGM5EgJBhhN7sh0yDZdOqVBlmfL5xHJvn3feRGSy


Page 6:

So that leaves us with passwords

● Passwords are well known but little understood
● Users accumulate user-name/password pairs
  – which they can't remember
  – so they use the same ones in lots of different places
● Administrators have to create, issue, re-issue and revoke accounts

Page 7:

Passwords (cont)

● HTTP 'Basic authentication'
● Form-based authentication
  – both send unencrypted passwords in clear
  – this can be resolved with https:
  – but we've already said https: can be overkill
● HTTP 'Digest authentication' resolves many problems, but has others of its own

Page 8:

A central password server?

● Web server asks user for user-name/password
● Web server sends user-name/password for validation to central server
● If validation succeeds, the web server gives the user the resource they want
● ... and can now impersonate the user on every other web server in the system

Page 9:

... and so to Raven

● It's a ...
  – ... centrally managed ...
  – ... password based ...
  – ... authentication service for web applications ...
  – ... that doesn't give away users' passwords
● Relies on features of HTTP and common browsers, hence limited to web contexts

Page 10:

How does it work?

Page 11:

Start with a web browser

[Sequence diagram: Browser (br)]

Page 12:

User requests a URL

[Sequence diagram: Browser (br), Web Server (ws)]

1. br -> ws : URL

Page 13:

Web server redirects to auth service

2. ws -> br : redirect(authURL+request(URL))

Page 14:

Browser contacts auth service

[Sequence diagram: Browser (br), Web Server (ws), Auth Server (as)]

3. br -> as : authURL+request(URL)

Page 15:

Auth service and user interact

4, 5. as <-> br : auth service and user interact (user-id and password dialogue)

Page 16:

Auth service redirects to URL+response

6. as -> br : set_cookie(id), redirect(URL+response(id))

Page 17:

Browser requests URL+response

7. br -> ws : URL+response(id)

Page 18:

Web server redirects to original URL

8. ws -> br : set_cookie(id), redirect(URL)

Page 19:

Browser requests URL (again)

9. br -> ws : URL, cookie(id)

Page 20:

and then...

● Subsequent requests to WS authenticated by the local cookie, until it expires
● Subsequent visits to AS can be partially or completely satisfied by the AS cookie until it expires
● The best way to logout is to quit the browser
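The nine-step exchange above, modelled as added Python (not code from the slides or from ucam-webauth). HMAC-SHA256 with a key shared by both parties stands in for the auth server's real signature on the response, the auth URL and the one-hour local session lifetime are assumptions, and jw35 is the test user from the Apache slide later in the deck.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed keys. AS_KEY stands in for the auth server's signing key; in this
# toy model the web server holds the same key to verify (assumption, not the
# real scheme). AA_COOKIE_KEY is the per-server cookie key from the Apache slide.
AS_KEY = b"constructed-auth-server-key"
AA_COOKIE_KEY = b"afef845ce49666ab04b36976a"
AUTH_URL = "https://raven.cam.ac.uk/auth/authenticate.html"  # assumed location


def sign(key, *fields):
    """HMAC-SHA256 over '!'-joined fields (stand-in for the real signature)."""
    return hmac.new(key, "!".join(fields).encode(), hashlib.sha256).hexdigest()


def ws_redirect(url):
    """Step 2: web server sends the browser to authURL+request(URL)."""
    return AUTH_URL + "?" + urlencode({"url": url})


def as_response(request_url, principal, now):
    """Steps 4-6: after the AS has checked the password itself, it redirects the
    browser back to URL+response(id). The password never reaches the WS."""
    url = parse_qs(urlsplit(request_url).query)["url"][0]
    fields = (principal, url, str(now))
    return url + "?" + urlencode({"r": "!".join(fields), "sig": sign(AS_KEY, *fields)})


def ws_handle_response(response_url, expected_url, now, max_age=60):
    """Steps 7-8: verify the response, then issue the WS's own local cookie."""
    q = parse_qs(urlsplit(response_url).query)
    principal, url, issued = q["r"][0].split("!")
    if not hmac.compare_digest(q["sig"][0], sign(AS_KEY, principal, url, issued)):
        raise ValueError("bad signature")  # altered or forged response
    if url != expected_url:
        raise ValueError("response was issued for a different URL")
    if now - int(issued) > max_age:
        raise ValueError("stale response")  # old response replayed
    exp = str(now + 3600)  # local session lifetime: one hour (assumption)
    return principal, "!".join((principal, exp, sign(AA_COOKIE_KEY, principal, exp)))


def ws_check_cookie(cookie, now):
    """Step 9 onwards: later requests carry the local cookie until it expires."""
    principal, exp, mac = cookie.split("!")
    if not hmac.compare_digest(mac, sign(AA_COOKIE_KEY, principal, exp)):
        return None
    return principal if now < int(exp) else None
```

Contrast this with page 8: the web server only ever sees a signed response naming the user, never the password, so it gains nothing it could reuse against other web servers.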

Page 21:

So what does all this look like?

Page 22:

Request http://mnementh.csi.cam.ac.uk/raven-test/new-open/document1.html

Page 23:

Enter user-id and password and click 'Submit' to get:

Page 24:

Request http://mnementh.csi.cam.ac.uk/raven-test/new-open/document2.html

Page 25:

Request http://raven.cam.ac.uk/project/testfiles/document1.html

Page 26:

Enter user-id and password and click 'Submit' to get:

Page 27:

Timeout: return to our first document later:

Page 28:

Click 'Continue' to get:

Page 29:

Request http://mnementh.csi.cam.ac.uk/raven-test/private/document1.html

Page 30:

Click 'Continue' and get:

Page 31:

Click 'Cancel' anywhere and get:

Page 32:

Choose 'override login options':

Page 33:

... and get

Page 34:

Account management:

Page 35:

Account management:

Page 36:

Account management:

Page 37:

What doesn't it do?

● Authorization
● People without CRSids
● POST requests (properly, yet)
● Central logout
● Anything that isn't web-based
● Security

Page 38:

How do you use it?

● Protocol specification: http://raven.cam.ac.uk/project/waa2wls-protocol.txt
● Pseudo-code Application Agent: http://raven.cam.ac.uk/project/algorithm.txt
● ... but that's the hard way

Page 39:

Apache

● mod_ucam_webauth (for Apache 1.3 and 2)
● Example configuration:

    LoadModule ucam_webauth_module \
        modules/mod_ucam_webauth.so
    # secret used to protect this server's local session cookie
    AACookieKey afef845ce49666ab04b36976a
    <Directory "/cam-only">
        Order allow,deny
        Allow from .cam.ac.uk
        AuthType WebAuth
        Require valid-user
        # either the .cam.ac.uk address check or a Raven login is enough
        Satisfy any
        AADescription 'Cam-only area'
    </Directory>

Page 40:

Apache (cont)

● Also supports
  – Require user jw35, rjd4
  – Require group cs-staff
  – Satisfy any
● Sets REMOTE_USER environment variable (just like basic auth) and others
● Should be able to use group files, DBM files, databases, ...

Page 41:

Perl CGI script

    #!/usr/bin/perl -w
    use strict;
    use Ucam::WebAuth::CGIAA;

    # secret used to protect this server's local session cookie
    my $aa = Ucam::WebAuth::CGIAA->new (cookie_key=>'eb78ba43b0222f28498');

    # Runs the redirect exchange: emits any headers needed (redirects,
    # cookies) and stops unless authentication has completed
    my ($complete, $headers) = $aa->authenticate;
    print $headers if $headers;
    exit unless $complete;

    # the authenticated user-id, if the login succeeded
    my $userid = $aa->principal if $aa->success;

Page 42:

... and more

● A beta release of a PHP module – needs work – any volunteers?
● A JAAS implementation for Java servlet containers (e.g. Tomcat) by CARET
● A Ruby implementation by Thomas Counsell of Clare College
● Anyone for IIS?

Page 43:

The project plan

● Now
  – Available on request for testing and pilot deployments
● Late June (perhaps July...)
  – Passwords available to everyone
  – Available to all cam.ac.uk web servers
● 1 September 2004
  – Supported service

Page 44:

Where do you go from here?

● Pilots
● Deployment from June
● Consider expanding 'ucam-only' access
● http://www.cam.ac.uk/cs/raven/
● [email protected]

Page 45:

If you have been, thanks for listening

I expect you have some questions