an introduction of several development activities related ...€¦ · an introduction of several...
TRANSCRIPT
An introduction of several development activities related to Shibboleth and
Web browser-based simple PKI Toyokazu Akiyama1, Motonori Nakamura2,
Takeshi Nishimura2, Kazutsuna Yamaji2, Yukiko Kawai1
1Kyoto Sangyo University, Japan 2National Institute of Informatics, Japan
Contents
• Developments related to Shibboleth
– omniauth-shibboleth
– rack-saml
• Developments related to “Simple PKI”
– A Testing Framework for PKI applications using Web Cryptography API
Developments related to Shibboleth
Shibboleth and its application development
• Shibboleth – SAML2 SSO middleware
– Identity Provider (IdP) runs on Java Application Container (e.g. Jetty)
– Service Provider (SP) can be constructed using Apache module (mod_shib) • User attributes are passed as environment variables
• Deployment Issue – Difficult to support various languages and frameworks
used to develop web applications (SP)
An Example: Ruby on Rails
• Easy to implement Web applications using Model/View/Controller pattern
• Easy to integrate a Rails application with Shibboleth SP (mod_shib)
Web Server/Load Balancer (Apache, Nginx)
CGI, Web Server module (mod_php, mod_passenger)
Ruby on Rails
Terminate TCP
Pass requests to Scripting Languages
Handle requests by codes in respect for DRY and CoC
Rails application
add some codes for
Shibboleth
Rack middleware HTTP handlers like Servlet
mod_shib shibd
Ruby
An Example: Ruby on Rails
• GitLab (Ruby on Rails application)
– https://about.gitlab.com/ • One of the major software repository
– Community Edition can be downloaded for constructing private Git repository
– It’s still easy to add Shibboleth related codes, but …
Web Server/Load Balancer (Apache, Nginx)
CGI, Web Server module (mod_php, mod_passenger)
Ruby on Rails
GitLab add some codes for
Shibboleth
Rack middleware
Frequent updates
Just one of the options of
authentication
Do you want to patch GitLab every time?
mod_shib shibd
OmniAuth
• Standardized Multi-Provider Authentication for Rack middleware
– RAILSCASTS #241
• http://railscasts.com/episodes/241-simple-omniauth
– GitLab supports OmniAuth
Web Server/Load Balancer (Apache, Nginx)
CGI, Web Server module (mod_php, mod_passenger)
Ruby on Rails
Rails application
Rack middleware HTTP handlers like Servlet OmniAuth
A Solution
Brief Overview of OmniAuth
• OmniAuth supports multiple authentication
– Authentication provider: OmniAuth Strategy
• Multiple providers are handled by URI routing
$APP_PATH/auth/:provider/ (1) Start Authenticating
$APP_PATH/auth/:provider/callback (2) Pass the result to Web App as a session variable
Auth Hash Schema
{ “provider”: “twitter”, “uid”: “toyokazu”, “info”: { “name”: “Toyokazu Akiyama”} }
facebook, twitter, ldap, oauth, openid
omniauth-shibboleth
omniauth-shibboleth
• You need to do is…
– Protect /auth/shibboleth/callback by mod_shib
– Add configuration file to your App
• That’s all
– omniauth-shibboleth repack the SAML attributes to Auth Hash Schema
Rails example % vi config/initializer/omniauth.rb Rails.application.config.middleware.use OmniAuth::Builder do provider :shibboleth end
omniauth-shibboleth
• Flexible attribute mapping % vi config/initializer/omniauth.rb Rails.application.config.middleware.use OmniAuth::Builder do provider :shibboleth, { :uid_field => "uid", :name_field => "displayName", :info_fields => { :email => "mail", :location => "contactAddress", :image => "photo_url", :phone => "contactPhone" } } end
SAML Attributes Auth Hash Schema
omniauth-shibboleth
• More flexible attribute mapping % vi config/initializer/omniauth.rb Rails.application.config.middleware.use OmniAuth::Builder do provider :shibboleth, { :uid_field => lambda {|request_param| request_param.call('eppn') || request_param.call('mail') }, :name_field => lambda {|request_param| "#{request_param.call('cn')} #{request_param.call('sn')}“ }, } end name is concatenation of ‘cn’ and ‘sn’
uid is ‘eppn’ or ‘mail’
IdP administrators will be released from the complex attribute mapping at IdP
Apache configuration problem (1/2)
• An example Rails App hosting architecture using mod_passenger
Apache mod_shib
shibd
mod_passenger
Web Server
Rails App process
Rails App process
SAML attributes are passed as environment variables Web Browser
Passenger HelperAgent
・・・
spawn
About detailed Passenger architecture, please refer: https://www.phusionpassenger.com/documentation/Design%20and%20Architecture.html
ApplicationPool
If we can configure Apache, there is NO PROBLEM.
Apache configuration problem (2/2)
• An example Cloud hosting architecture
– e.g. Heroku (Rails application hosting)
Apache mod_proxy
Web Server (Managed by Hosting Service Provider)
Application Server (Managed by Cloud User)
Rails on
Unicorn
Unable to install mod_shib
mod_shib function is
required here
Web Browser
rack-saml
rack-saml
• Pure Ruby Shibboleth SP (Rack middleware)
• Cooperate with omniauth-shibboleth easily
• SAML metadata importing tool is provided
Web Server/Load Balancer (Apache, Nginx)
CGI, Web Server module (mod_php, mod_passenger)
Ruby on Rails
Rails application
Rack middleware HTTP handlers like Servlet Rack::SAML
Since OmniAuth and Rack::SAML are Rack::Middleware, they can be used NOT ONLY for Rails but also for the
other frameworks
supplement
Developments related to “Simple PKI”
Recent Web technology changes • WebRTC (Web Real-Time Communication)
– APIs for real-time communication • Local device operation • P2P communication
– Enables “voice chat” without Plug-ins – Standardization is ongoing at W3C and IETF
• An example application – SkyWay (NTT Communications)
• WebRTC platform for application developers • Construct a new App without preparing servers
– Signaling server (PeerJS server) is required for P2P communication
• For Authentication & Encrypted communication – DTLS-SRTP is used
An issue in DTLS-SRTP for P2P communication (1/3)
• The signaling server (provided by application provider) must guarantee the authentication of end-users
A
Self-signed certificate
A
User A User B
B B
Self-signed certificate
Key exchange in DTLS-SRTP
Shared key
Signaling server
Issues in DTLS-SRTP for P2P communication (2/3)
• The signaling server (provided by application provider) must guarantee the authentication of end-users
A A’
User A User B
B B’
Key exchange in DTLS-SRTP
Man-in-the-middle attack
Shared key 1 Shared key 2
fake certificate
fake certificate
Signaling server
Issues in DTLS-SRTP for P2P communication (3/3)
• Increase of application providers makes it difficult for users to judge their trustworthiness
Trustworthy? or
Not Trustworthy?
Signaling servers
An approach to improve trustworthiness
• Use trusted third party certificate (PKI)
A A
User A User B
B B
signed certificate
signed certificate
Trusted third party signing server
signed certificate
signed certificate
Signaling server
Issues in PKI
• Strict PKI requires high operation cost
– Online signing service can be used
• PKI requires users to operate Key pairs
PKI key management problem
• Personal certificate in Keychain Access
Country Organization
CN
Country Organization
CN
If the user name is the same, it may be difficult for users to distinguish the certificates.
It may also be difficult for users to choose the proper certificate for the proper application by Issuer Name.
Issuer Name Issuer Name
An approach to solve PKI Key management problem
• Automatic key selection
– If PKI keys are managed in JavaScript, it is possible to choose the key automatically by Web Apps
• Issues in JavaScript-based Key management
Issues in JavaScript-based Key management
• Pure JavaScript PKI related libraries – jsrsasign, PKI.js
• Store keys into the storage where accessible from JavaScript – Example Issue:
Entities stored in HTML5 Local Storage can be accessed by any remote script
JavaScript
Script A
Script B
Private key
Secure Key Storage must be used
An approach to solve Key management in JavaScript
• Using Web Cryptography API
– JavaScript API for performing basic cryptographic operations in web applications
– The specification discusses Key management issues
• However, key management specification itself is out of scope (will be defined as the other standard?)
• Issues
– Standardization is ongoing
– Implementations are not finished
Construct Testing Framework for Applications using Web Cryptography API (1/2)
• Implementation of Testing Framework
– Separate key operations into the Key Management Server (KMS)
• KMS is implemented using Node.js & node-forge
JavaScript
App Script
Private keys with key_id
Web Cryptography API encrypt( key_id, …) decrypt( key_id, …) …
include
Key Management Server (KMS) Running on local PC
Key operation is done in KMS
API call is mapped to socket.io
communication
Construct Testing Framework for Applications using Web Cryptography API (2/2)
• Implement an example application
– Online certificate issuance application
Key Management Server
Client PC
CA Server
Input Password
via GUI
Per user key management folder
Per user process PKCS #12
PKCS #12
PKCS #12
Private key
Public key
Online cert issuance
App Script
Public key
Signed Public key
socket.io
socket.io
Generate a key pair
socket.io
Future Work
• Adjust interface more Web Cryptography API compatible
• Implement DTLS-SRTP using Testing Framework
• Consider design and implementation of automatic key management
Conclusion
• Developments related to Shibboleth
– omniauth-shibboleth
– rack-saml
• Developments related to “Simple PKI”
– A Testing Framework of PKI applications using Web Cryptography API