single sign on se lab 박사 2 학기 조동일. single sign on2 outline sso(single singn-on) 이란...
Post on 19-Dec-2015
227 views
TRANSCRIPT
Single Sign OnSingle Sign On
SE lab 박사 2 학기조동일
Single Sign OnSingle Sign On 22
OutlineOutline• SSO(Single Singn-On) 이란 ?• 관련기술
– 데이터 암호화• RSA• SessionKey• 전자 서명
– 인증 프로토콜• Kerberos• SAML
• IBM Tivoli WebSEAL• Oracle SSO• SSO Issue• 참고자료
Single Sign OnSingle Sign On 33
SSO(Single Sign-On)SSO(Single Sign-On) 이란이란 ??• 인증데이터의 공유• 1997 년 IBM 이 개발• Benefits of single sign-on
– Reducing password fatigue from different user name and password combinations
– Reducing time spent re-entering passwords for the same identity
– Can support conventional authentication such as Windows Credentials
– Reducing IT costs due to lower number of IT help desk calls about passwords
– Security on all levels of entry/exit/access to systems without the inconvenience of re-prompting users
– Centralized reporting for compliance adherence
[ SSO 시나리오 1 ]SP : Service Provider IdP : id Provider
[ SSO 시나리오 2 ]
Single Sign OnSingle Sign On 44
관련기술관련기술• 데이터 암호화
– RSA– SessionKey– 전자서명
• 인증 프로토콜– Kerberos– SAML
Single Sign OnSingle Sign On 55
RSARSA• 가장 널리쓰이는 비대칭키 암호화 알고리즘 (= 공개키
암호화 알고리즘 )• 대칭키 암호화의 한계에 의해 개발
– 키 노출
• 1977 년 MIT 의 Ron RRivest, Ad SShamir, Len AAdleman 에 의해 개발
• 키교체 가능• 128bit 키 대칭키 암호화 = 1024bit 키 비대칭키 암호화• 약점
– 암호화 키의 공격– 비대칭암호화에 비해 느린 암호화 속도
Single Sign OnSingle Sign On 66
RSA Work FlowRSA Work Flow
평문 암호화 암호문 복호화 평문
B 개인키B 공개키
A SideA Side networknetwork B SideB Side
Single Sign OnSingle Sign On 77
SessionKeySessionKey• 데이터는 대칭키로 암호화 , 대칭키는 공개키로 암호화• 대칭키 암호화의 장점 + 비대칭키 암호화의 장점• 대표적인 세션키 암호화
– PGP(Pretty Good Privacy)• 1991 년 Phil Zimmermann• email 암호화에 주로 쓰임
– S/MIME(Secure/Multipurpose Internet Mail Extension)• RSA 에 의해 고안• email 암호화에 주로 쓰임
– SSL, TLS• Secure Socket Layer, Transport Layer Security• TCP/IP 트래픽 보안을 위해 개발
Single Sign OnSingle Sign On 88
SessionKey Work FlowSessionKey Work Flow
평문 대칭키암호화 암호문 대칭키복호화 평문
B PrivateKey
대칭키
A SideA Side networknetwork B SideB Side
B PublicKey
비대칭키암호화SessionKey
비대칭키복호화
Single Sign OnSingle Sign On 99
전자 서명전자 서명• 목적
– 데이터 원형에 대한 보증– 데이터가 변조되지 않았다는 증명
• 개인키로 서명 , 공개키로 검증
메시지 메시지
메시지다이제스트알고리즘
메시지다이제스트알고리즘
메시지다이제스트 메시지다이제스트
A PrivateKey A PublicKey
서명알고리즘 서명알고리즘
전자서명
A SideA Side networknetwork B SideB Side
일치성 여부 비교일치성 여부 비교
Single Sign OnSingle Sign On 1010
KerberosKerberos• MIT 에서 Athena 프로젝트의 일환으로 개발• IETF 표준• 특징
– 중앙 집중식 인증 서버– Network 상에 패스워드가 흘러다니지 않음
• 인증절차① 사용자는 User ID 와 패스워드를 입력하여 Kerberos Server 에
인증 요청② Kerberos Server 는 사용자와 Ticket-Granting 서버에 사용자가
입력한 패스워드에 기반하여 만든 Sessionkey 를 전달 , 사용자에게는 Ticket-Granting 서버에서 발급받은 발행일자 , 시간등이 적혀 있는 Server Ticket 을 전달
③ 사용자는 접속하려는 Server 로 Service 요청을 하게 되며 부여받은 Ticket 을 설정에 따라 추가 인증 없이 자유롭게 이용가능
Single Sign OnSingle Sign On 1111
How Kerberos WorksHow Kerberos Works
Single Sign OnSingle Sign On 1212
SAMLSAML• Security Assertion Markup Language• XML-based standard for exchanging authentication and a
uthorization data between security domains• Product of the OASIS Security Services Technical Commit
tee• SAML 구성요소
– Service Provider– User– Identity Provider
Single Sign OnSingle Sign On 1313
SAML Profile OverviewSAML Profile Overview
Single Sign OnSingle Sign On 1414
SAML assertions SAML assertions • Assertion A was issued at time t by issuer R regarding su
bject S provided conditions C are valid• Three types of statements are provided by SAML
– Authentication statements– Attribute statements – Authorization decision statements
Single Sign OnSingle Sign On 1515
SAML protocolsSAML protocols• Describes
– how certain SAML elements are packaged within SAML request– response elements– gives the processing rules
• Three types of SAML queries– Authentication query – Attribute query – Authorization decision query
Single Sign OnSingle Sign On 1616
SAML Request SampleSAML Request Sample<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names.tc:SAML:2.0:protocol" id="njhcchieeahdhddkggacblohicefdfdjbackbpll" Version="2.0" IssueInstant="2008-11-19T21:09:35Z" ProtocolBinding="urn:oasis:names.tc:SAML:2.0:binding:HTTP-Redirect" ProviderName="chodi" AssertionConsumerServiceURL="ACS"/>
Single Sign OnSingle Sign On 1717
SAML Response SampleSAML Response Sample<?xml version="1.0" encoding="UTF-8"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol“ xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#“ ID="bjpohpgolkpiljgpkjlhajhlhdpmblilgipeikja" IssueInstant="2008-11-19T21:14:42Z" Version="2.0"> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" /> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <Reference URI=""> <Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <DigestValue>Vt2avcp4uoy+aiKXOn5WNaiA+qs=</DigestValue> </Reference> </SignedInfo> <SignatureValue>Qi05A7zhKCvyddFDe1n/lCqJ5P4Yfr3JsQ+nhJZZSWjP25wrnjWs1C/DxkQMCmSD/EIBYl2Z/WmAzYqdnpx2+5/p1V0myZ+NH6R0WZGLmyW+WDuBE4ngPZpe3wm51iSiW+MJ2/VYlRU7fpVMrEqZT1Yq2uv/jTVNxH/1A4YFQ6g=</SignatureValue> <KeyInfo> <KeyValue> <RSAKeyValue> <Modulus>oSwznf1Lsr8Vqyc1g9tX5kvNFKP6LcOaFlN4a890RUnuQ5JyjFo3uL/nn99IR5HxKOPR/bHq+oSw70olLCCL2nH2ivOBvuAkxxLlUH2LLVGn3juoocsFK5ycOCukSi+fnWpIwrpT5qy7iLnGdnnmyUnmJKDTJ2TVYfWPsJJSzt8=</Modulus> <Exponent>AQAB</Exponent> </RSAKeyValue> </KeyValue> </KeyInfo> </Signature> <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status> <Assertion ID="ifdjppldlkndhhjljajbaocekdeogonhbleogmjn“ IssueInstant="2003-04-17T00:46:02Z" Version="2.0"> <Issuer>https://www.opensaml.org/IDP</Issuer> <Subject> <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">cho</NameID> <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" /> </Subject> <Conditions NotBefore="2008-11-19T09:14:42Z" NotOnOrAfter="2008-11-20T09:14:42Z"></Conditions> <AuthnStatement AuthnInstant="2008-11-19T21:14:42Z"> <AuthnContext> <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef> </AuthnContext> </AuthnStatement> </Assertion></samlp:Response>
Single Sign OnSingle Sign On 1818
IBM Tivoli WebSEALIBM Tivoli WebSEAL
[ Protecting the Web space with WebSEAL ]
[ The Tivoli Access Manager authorization process ]
Single Sign OnSingle Sign On 1919
Oracle SSOOracle SSO
Single Sign OnSingle Sign On 2020
SSO IssueSSO Issue• Intergration heterogeneous lagecy system
– e.g.,• language : php, java, .net,…• server : HTTP Server, WAS, MTS,…
• Customizing cost• External error
– e.g., network fail,…
• Security– e.g., use cookie
• Identity server down, all service stop
Single Sign OnSingle Sign On 2121
참고자료참고자료• Single sign-on
– http://en.wikipedia.org/wiki/Single_sign-on#cite_note-0• Simplify enterprise Java authentication with single sign-on
– http://www.ibm.com/developerworks/library/j-gss-sso/index.html• SAML V2.0 Holder-of-Key Web Browser SSO Profile Working Draft 08, 3 Nove
mber 2008, OASIS• Security Assertion Markup Language
– http://en.wikipedia.org/wiki/SAML• SAML 을 이용한 SSO Service 의 구현
– http://blog.sdnkorea.com/blog/501• Building Kerberos-Based Secure Services Using Metro
– http://blogs.sun.com/enterprisetechtips/entry/building_kerberos_based_secure_services
• SSL on ISC, Part 1: What is SSL and why should I care?– http://www.ibm.com/developerworks/autonomic/library/ac-iscssl1/?S_TACT=10
5AGX55&S_CMP=EDU• IBM Tivoli Access Manager WebSEAL Administrator’s Guide Version
4.1• Oracle® Application Server Single Sign-On Administrator’s Guide 10g Releas
e 2 (10.1.2)