Tag Archives: security

Kerberos & load-balanced OpenSSO – GSS Channel binding exceptions

Recently I’ve been working with a client to build a federated SSO system. One of the requirements was for internal employees to have seamless access using Windows’ Kerberos. This isn’t anything novel, and is something I’ve worked on for a number of organisations – though not for a while. However we came unstuck, with multiple OpenSSO servers behind a load balancer and SSL termination there rather than the servers themselves. It seems that Microsoft have done something entirely reasonable and enhanced the security of their Kerberos implementation, enabling ‘channel binding‘, wherein the requests are bound both to the Service Principal Name of the server requested by the client, and also to the SSL transport.

This breaks when a request arrives through a load balancer, since the underlying hostname doesn’t match that of the client browser request (the load balancer DNS name), and thus the AD domain controller rejects the token. Microsoft made the change enabling this ability in August 2009, in Security Advisory 973811 and then progressively enabled this for clients and servers of theirs, including Internet Explorer.

When channel binding isn’t requested by a server (in this case the OpenSSO servers), in theory it can be ignored, but currently available versions of Java don’t ignore it, instead passing it on to the AD domain controller, the result of which is a GSS Exception in the OpenSSO logs when using Internet Explorer on the client workstation. Firefox isn’t affected as it doesn’t request channel binding.

There are various workarounds which might be applicable to your situation:

If you’re looking to upgrade Java, this fix is available in release candidates of Java 7. It may be available in Java 6u19, but not in the currently release Java 6u18 or prior, unless you’re paying for Java for Business – the fix is in 6u17-rev-b06.

Hopefully this post might prove useful to someone – it took us some time to find the cause of the problem, and the resolution.

Watching my PII

For a while I’ve been thinking about how personal identity data (often called Personally Identifiable Information, or PII) is managed – both as a consumer, and from the perspective of service providers. I’ve been following along with the work being done  by (amongst others) Microsoft, Google and the Kantara Initiative UMA WG, and it seems inevitable that over the next year or so the landscape will have the scope to evolve dramatically; I say ‘have the scope’ because I wonder what this will actually mean from a consumer’s point of view.

The internet landscape of the ‘average Bob’ consumer user has changed significantly over the past year or two, resulting in not only an explosion of logins and of PII scattered everywhere, but of services that allow (or require) this data to be shared from site to site. Bob might well have logins to various sites for online account management (banks, utilities, etc), each of which will hold local copies of his PII (address, DOB, etc), but he also now has a Facebook profile, a Flickr account, and perhaps shares his travel through Dopplr and his location through Google Latitude, and allows his friends to see his data in some or all of these services.

What I want

Because I’m conscious of my PII spreading out over the internet, and of the hassles of managing it all in a secure manner, I’d like a service along the lines of that described by Mark Dixon here to manage it all; though as I commented on his post, I’d like something a bit more outward-facing. My ideal identity service would contain:

  1. Credential Vault: Consolidate credentials into one identity (‘me’), which lets me authenticate to services as appropriate. This should be a standard federated identity (an OpenID, InfoCard or whatever) where it can be, but it should also act as a LastPass-style credential vault where the service provider doesn’t support new-fangled federation. This credential store should be cloud-based, but locally cached, and optionally integrated with my OS (for strong auth via smart card, biometric, etc). The credential actually exposed to the end service will vary (I might want to be totally anonymous, or at least pseudonymous – not traceable from one service to the next), so they don’t necessarily need my strongly authenticated, full-on identity, and this is separate to my level of authentication to the broker (which is by necessity always equal, or stronger).
  2. Attribute Store / Persona Editor, with Assurance: Collect all my PII, and provide an easy way for me to group this into personae (my personalities, if you will) and present this to SPs.  Services should be able to specify that they need a level of assurance, and that the various attributes I provide are true – and my identity store should be able to keep this and present it when needed. As an example, I might just present a name (it might not be real) to a web forum, but my real address, verified by an independent body, when applying for a new credit card.
  3. Auditing and Updating Service: Beyond providing PII to sites, I want to be able to look back and find out who I gave it to. Today, I have no idea how many sites have my addresses (email or physical) – probably thousands over time. I’d like to see a log of this; moreover I’d like to be able to revoke that data from the providers, or force them to update their cache of it from my store when it changes. Furthermore, I want to know where else my data has gone – a list of which of my Facebook friends has synced my contact details to their mobile, perhaps. Ideally I should be able to set terms on registration of what each service can do with my data – this is more of a contractual, rather than technical, assertion.
  4. Sharing and translation: For site-to-site sharing of my data (Dopplr updating my Facebook, for example), OAuth describes how permission can be granted at a service-to-service level, but my Identity Store should be a broker in the middle so I can make decisions in one place. By sitting in the middle, this broker could offer additional services, translating data into a shareable format where a point-to-point service doesn’t already work.

I’d probably be prepared to pay for this, or see it as a value-add service from someone I already have a relationship with, as long as I trusted them with all this data.

What Bob wants

Bob, our ‘average internet user’, doesn’t really understand security. He’s the guy whose PC you have to fix when you go to visit, who has 15 browser toolbars from assorted malware running, and who loves to throw sheep at you on Facebook. He isn’t curious about why all those quizzes exist, and on a quiet Friday night wonders if that Viagra email might actually be a good deal.

He’s got online banking, GMail, Facebook and MSN Messenger. They all use his name (or a variant of) for the login name, and every password is the same, but it’s 8 characters and has a number in it – because his work IT policy says so, and that password is the same too.

Bob doesn’t think about where his PII is going, nor about who has it – at least until he moves house and has to tell dozens of companies – and gets a bailiffs letter because he missed one off the list and bills get sent to his old house. He’d likely be pretty confused with the concept of the identity service I’ve described.

What the services want

Service Providers (like my bank, Facebook, or even government) want me and Bob to use their services. They want to capture enough PII from me to provide that service without scaring me off (because the service is insecure, or they’re taking too much PII) or scaring Bob off (because signup is hard and confusing), in the cheapest way possible. They want users to be ‘sticky’ to their services, locking me in as much as they can so I don’t leave for a competitor. And if they’re less than scrupulous, they can sell all my juicy PII to ad companies.

The attributes actually needed by the service provider, and how sure they need to be that the attribute is trusted, varies according to the service. Twitter doesn’t care that I’m me – unless I’m a celebrity – but the government wants to be pretty sure I’m who I say I am when issuing me a passport.

There aren’t too many standalone Identity Providers, and no ‘Identity Store’ brokers in the way I describe that I’m aware of. The best we have today are things like OpenID and OAuth. These allow me to use the credentials from one service provider to access others, or to set up point-to-point data sharing, but these are far from perfect… Google is of course keen for me to use my Google login to access services like Plaxo or Facebook – but they wouldn’t let me use a credential from these sites to get into all my Google services. This is done to assert the Google brand, and to keep me using their services.

Will we meet in the middle?

The various great technical minds in the identity world will no doubt come up with excellent solutions to a lot of this, but I don’t think the technology is the real challenge; instead, it’s the fact that the bulk of internet users are like Bob.

Service providers are generally not independent enough to build a complete service like this, and for it to be truly trusted, and there isn’t a business case for a standalone identity provider because most people are like Bob, and wouldn’t pay for an identity service.

It’s not all doom and gloom, however. The fact I can use my Facebook, Twitter, Google or Windows Live login to log into multiple sites is a step forward; indeed I even think the ‘NASCAR problem‘ is a good thing, because it’s forcing people to think of elegant ways to move forward. This will over time

I’m not sure there’ll ever be a business case for completely standalone identity providers, but would imagine decent consumer-grade services will evolve out of services like Verisign’s Personal Identity Portal, or equivalents from people who already store lots of your PII (credit agencies, governments, banks etc) when they spot the consumer value in doing so. These will inevitably be multi-tiered services, offering Bob something nice and simple, yet offering me a (perhaps paid-for) more complex service.

As someone working in the identity field, I figure the best way to drive these things forward is to encourage all the Bobs I know to be more aware of their PII and where it goes – if enough of them start to ask questions, the services to support them will fall into place.

OASIS – Identity Management 2009

On 29/30th September, I went to the OASIS Identity Management 2009 forum, the theme of which was ‘Transparent Government: Risks, Rewards and Repercussions’. It was my first time at an OASIS event, and befitting the organisation and the location (it was hosted at NIST), the content was pretty in-depth and technical.

I’d really hoped to convert my scrawled notes into a series of posts on the topics covered, but time has escaped me and so I thought I’d at least post some of the notes I’d taken in rough form so that they didn’t get completely lost… So here are the notes from Day 1. If I get time, I’ll come back and post on some of these topics in more detail!

(There are also plenty of notes from other folks on the event’s Twitter stream, #idm09.)

OASIS IDM 2009 – Day 1

Session 1 – Use of Open Identity Technology In Government

– Leverage existing, open identities for government applications
— New government 2.0 initiative
— Using OpenID / InfoCard vetted providers
— 10 providers -> Can choose which provider / id (Google vs Equifax, for example)

GSA defining ‘profiles’ – sets of standards at specific versions, guaranteed compatible
— Also ‘levels of assurance’ – criteria for various strengths/token types, according to risk/impact of incident
— Not building again, mapping publicly available identities against government assurance levels

–New concept of open trust framework to certify IdPs
— Jointly presented by OpenID, InfoCard foundations
— Outreach to OpenID, InfoCard, InCommon, Liberty and Kantara

–> Open Trust Framework
— Doesn’t presume any existing circles of trust (vs SAML)
— User controlled identity management
— Open, reusable

Anyone can become an IdP, but need to be vetted.

ICAM profiles force private sector IdPs to be precise, to meet the government-specific requirements
It’s a win for the government, industry and the public:

– Govt doesn’t build in a silo
– Industry gets tighter specs to focus on, and drive wider adoption
– Users get reduced numbers of identities, at government levels of assurance

– No verification of assertion attributes, just that attributes are present (e.g. email attribute not checked to be a valid email)

SAML Profile: Already exists, based on existing SAML use cases in govt.

ICAM OpenID Profile:
– Only for sites at LOA1 thus far
– Based on OpenID 2.0
– SSL enforced on all endpoints
– “Directed Identity” approach, i.e. identity appears different to each RP, so no tracking
– Other restrictions defined in profile too, to ensure appropriate security

InfoCard Profile:
– acceptable at LOAs 1-3 (maybe 4)
– Focus on the UI, digital ‘card in wallet’ – card selector in browser
– Can have varying underlying auth methods
– Only supports Managed Cards, IdP issued
– Card auth mechanisms are un/pw, X509, Kerberos, etc

— Truly user-centric would be self-managed

Don Campinella (Equifax)

Spoke about ‘persona control’ – multiple personas for a given identity
Attribute use assurance
Verification of claims

Suggested that a commercial IdP gives experience, data, scale, trust
Better fraud protection and privacy (some liability?)

Discussed at LOA1 use of pairwise unique IDs, pseudonymous: reusable unique identifier given to each RP, but can’t be traced back to the user unless the user shares attributes. Each pairwise identifier can be revoked from the RP.

Quoted that 20% of Medicare/Medicaid fraud is at the service provider, not the user, so we need to authenticate the service providers as well as consumers. This creates the need for a standalone IdP, outside of the RP.

Session 2 – Mary Ellen Callahan (CPO of DHS) & Ari Schwartz (COO – Centre for Democracy & Technology)

MEC on the baseline of govt idm tech – “It’s got to work for my mum” – what happens if something goes wrong? Not just a data breach, but how do you interact with the individual and manage the problem.

– Should have a plan, since nobody’s infallible
– Elements of redress
– Harm-based analysis
– Not just financial loss, but also reputation, etc.
– Maybe even public safety (location data, etc)

-> All about trust of government

Overall message: “Make it as secure as can be, but also plan for the worst. Have a policy to a) deal with it and b) prevent it recurring”

AS – Test of ‘user-managed identity’ is not in the user interface or the technology, but whether the user is on an equal footing with the IdP and the RP.

Session 3 – John Tolbert (Boeing)

Using XACML and ODF for Export & IP controls

Need to have resource (classification, ECCN, USML)  & subject (nationality, location, US person) attributes

For IP controls, there’s an OASIS-XACML-IPC profile.
By using XACML, there’s a simpler, quicker adoption
-> Government can push out standard policy in XACML format to be used in a central decision engine at each org
-> Facilitates quick updates, easier audit – using standardised XACML means standardised rules (though relies on accurate metadata)

Extending this to ODF document control profiles, to match the XACML-IPC profile. This gives end-to-end authorisation, not just at the point of distribution.

Gives the organisation a single set of policies / rules to manage.

Breno de Medeiros (Google)

Drivers for federated identity standards in Google are predominantly credential reuse and social graph sharing

– Social sites ask for passwords for data harvesting
– This is bad! Users are trained then to share passwords (see Linked In, Dopplr, etc)

More reputable sites are less likely to implement APIs for authorisation/delegation as an RP, since they have little to gain. To succeed, providers should give a rich authorisation/delegation API, and a good UI!

Example of Plaxo & Google – OAuth and OpenID combined, but with friendly simple UI. Google account can be used to login to Plaxo, then OAuth allows for sync of contacts.

UI: Per-attribute authorisation is difficult, every additional checkbox makes the UI more complex and prone to rejection by the user. Also noted that users expect a ‘generated’ ID to be pairwise, but a social site ID, or manually created by the user, to be a global, shared identity. Need to be careful as PII could be exposed in URLs (email address, other correlatable data)

Current UI for OpenID that hides the ID is good (‘use your Google/Facebook/Live ID to login’) but isn’t scalable. There needs to be a good browser interface (like InfoCards) for IdP discovery in a privacy-aware way.

Session 4 – SAML 2.0 in government

Karen Higa-Smith (DHS programme manager)
Anil John

Discussion around use of SAML2 for data sharing.
Authentication is already handled by the PIV smart card.

“Profile” created – this is a set of specs at particular levels along with guidelines and implementation documentation for use within government departments. It’s not a ‘standard’, since building these is slow and expensive.

Programme to manage ‘backend attribute exchange’ (BAE).
– Built a deployment profile and documentation
– Build a proof of concept BAE reference implementation, using synthetic data, to show interoperability between multiple vendor products following the BAE profile

– Idea was to document the profile but not to reinvent the wheel, instead to use commercial or free products and existing standards. Programme should allow for multiple approaches and technologies, but to ensure interoperability.
– Encouraging COTS vendors to provide out-of-box support for the US government BAE profile.

Explained two models
1- Direct Attribute Exchange
2 – Brokered Attribute Exchange

In the first case, a simple data exchange using SAML from point-to-point
In the second, smaller departments can use shared infrastructure from a larger department – but the data should be encrypted so that the shared infra provider can’t read the data. This was successfully accomplished using existing SAML standards.

– Specification of supported attributes, name identifier, encryption standards, etc are all specified within the SAML exchange.

– Also integration with the CA, so that user identities can be mapped to those on PIV cards or other certificate issuance.
– Flexible name identifiers, so that there’s no enforcement of a specific unique identifier.

Session 5 – Social Identity

Burton: Leveraging relationships & managing social identity

Discussed benefits of social identity (profiles, social graphs, etc) within the enterprise
e.g. Establishing social data in enterprise portals (skills, expertise, interests)
Leverage within blogs, wikis, forums – munge this data for display on portal -> activity feeds
Allow for ‘following’ of employees, subjects of interest

‘Facebook for enterprise’ – already have business dashboards, sales dashboards – why not a social dashboard?
Supports strategic talent, encouraging interaction, reflects generational shift towards social interactions

BUT
– problems of profile proliferation across multiple internal sites (and external)
– solve this with federation/sharing – but then problems of data leakage?

– Also automated activity stream causes sensitivity issues (e.g. posting on a gay forum, completing a sensitive deal)
– Resolve through access management, but then this risks losing serendipity. Creating a balance of access restrictions and openness is a big challenge.

-> Becomes an even bigger problem when trying to merge social graphs between internal and external tools (Facebook, Linked In)
– Breaking boundary between “work me” and “citizen me”. Is it acceptable for your boss to contact you about work issues on Facebook? Should they know about your out-of-work activities?

Roles:
– Enterprise roles are well defined, though centred around access control
– Social roles proposed, e.g. “News filter”, “wiki gardener”
–> Social ‘talent management’, mining within the enterprise?

Vendor presentations

IDology (Jodi Florence) – identity verification provider
Anakam – government to citizen verification – a sliding scale from anonymous through to vetted proof with liability
Privo (Denise Tayloe) – Parental consent for managing a child’s identity and data sharing

Facebook Security

Despite my better judgment, I’m still using Facebook. All of my friends and acquaintances use it, increasingly as an IM application, and not just for posting inane status updates. Indeed Adium, my IM client of choice, now supports Facebook chat, so I’m spending more time rather than less.

That being said, the thing I really don’t like about Facebook is the crappy applications and quizzes that people seem to expect you to join in with. I don’t care that you’ve thrown a sheep at me, or the Spice Girl you’re most like is ‘Baby Spice’… But more worrying is that these apps are quite often vectors for spam and people are entirely oblivious.

The security lab at Cambridge wrote a good article highlighting how bad this is, clearly spending a lot more time than my totally unscientific analysis of asking a few people I know, and experience of using the site. They noted that it’s relatively easy for an app to get published on the Facebook platform that can steal the user’s Facebook session, then use this to query Facebook’s servers impersonating the user and mine all of their personal data and that of their friends.

Facebook don’t allow you to do this under their terms of use, but obviously there are so many apps being published that some slip through the net. More than this, they’re not inclined to check particularly actively as long as users don’t shout too much – these apps have nicely targeted ads which make them and Facebook money. But of course the ads are targeted – the app stole all your data, so you can be pretty sure they can pick an accurate ad. None of this is new news, there have been a variety of reports in the technology and mainstream press highlighting how identity theft and other privacy concerns abound on Facebook.

The thing that never ceases to amaze me, however, is the fact that users continue to complete these inane quizzes, download free apps that allow them to throw sheep at their friends and don’t stop to wonder why anyone would go to the trouble of building these apps for free. It’s all well and good that Facebook asked me my date of birth when logging in from an ‘unusual location’ (I was travelling for work), but this is of little security benefit when it’s trivial to steal this information during my use of the site from the safety of my own house.

I’m unlikely to stop using Facebook given the amount of friends and work colleagues who use it, but please don’t be offended if I ignore your request for a pillow fight, zombie chase, gang war, or the chance to find out which South Park character you are.

Privacy and the government

Unfortunately I’m having a busy time of it at the moment, with lots going on both in and out of work. I really wanted to write a decent post around this, but haven’t had the time.

For now, I’ll just link to two articles from the Guardian:

Revealed: police databank on thousands of protesters

This first article shows how police are routinely storing photos and videos of political campaigners or protesters. These people aren’t breaking the law, but their movements and behaviour are being compiled into a large intelligence, to be kept for seven years, alongside evidence of those convicted of public order (or worse) offences. It’s a massive violation of privacy, as far as I’m concerned.

The second article stretches this loss of privacy even further, with the former Whitehall security co-ordinator stating “Finding out other people’s secrets is going to involve breaking everyday moral rules.”

This to me is a staggering admission that the government and civil service are happy to breach the rights of privacy for innocent citizens by routinely capturing and mining it to spot ‘suspicious’ patterns. The data to be collected are “personal information about individuals that resides in databases such as advanced passenger information, airline bookings, and other travel data, passport and biometric data, immigration, identity and border records, criminal records and other governmental and private sector data, including financial and telephone and other communications records.”

Even more worrying (though perhaps unsurprising these days), there’s a good chance the data management will be outsourced to the private sector and not held by the government. This means that private organisations, quite likely outside the UK will be responsible for the security of your financial information, communications records (in other words your phone bills, and likely your emails), and travel records.

It seems there’s little general awareness of the scale of these plans. If you happen to stumble across this post, I recommend you try to learn more about this, and if you feel strongly, write to your MP.

Busy week ahead

So we’re approaching the first major release of my identity management project. It’s taken a while to get us close to the release, mostly through no fault of our own. Given it’s taken us so long, unsurprisingly the ground has moved underneath us.

There’s a new release of Sun Identity Manager just out, version 8.1. This close to a go-live I wouldn’t normally contemplate upgrading, but it seems to have a good set of features worth investigating – not least better SiteMinder integration and open source identity connectors.

A nice touch, whilst terribly dull, is a blog that features updates/changes to the documentation, so you can get notified via RSS of significant updates. Their competitors could learn a lot from this sort of open way of working.

Mining for your rights

Whether in the guise of increasing regulatory pressure, or through a credit-crunch-driven round of redundancies, most organisations of more than a handful of people need to verify the IT access their employees have, comparing this regularly to the rights they should have.

Both in my own experience and through stories of others, it seems most large organisations are woefully bad at doing this – most often conducting adhoc manual reviews, orchestrated by an overworked IT Security team. These are almost always achieved through mailing Excel spreadsheets, or people wandering the office with printouts… “Are you the owner of this system, and if so, what does it do?”

There are far better ways of doing this – both as a one-off, and as a regular exercise.

First step – People

Firstly, you need a good source of people data – ideally your HR system or some kind of directory containing names, job titles, locations and line managers of your employees. It’s important to be able to trust this hierarchy – there’s little point worrying about access rights if you’re not sure whether someone’s still an employee, or who they work for.

Current access rights

Once you know who all your people are, who their managers are and what job they do, you need to determine the access they have.

If you’ve got a provisioning system, great – this will already have a store of the rights in most of your key systems. If not, or for systems beyond the scope of your provisioning tool, you’ll need to capture the user access rights.

For critical applications, you might be forced to report on this sort of thing anyway, but if not, get into the habit of capturing simple files of users and group memberships.

Validation – the challenge

So you’ve now got an employee hierarchy and a series of application rights. To validate, it’s just a matter of checking with a given user and his/her manager that the access is what they need and no more, right? That’s a great theory, but most business managers have no idea what group TRD47 does or why you need to be in it or the hundreds of others that you’re in.

Here’s where that ‘better way of doing things’ comes in – most identity & access vendors now have products for role mining & certification.

Let’s take a big warehouse and into it pour all those lists we collected earlier. Next, we’ll take the following steps:

  • Get line managers to confirm their direct reports
  • Get system owners to describe each access group for their application

From here, we can run some pattern matching giving output like these:

  • All employees get a mail account and Windows login
  • All IT staff get admin rights to their workstation
  • All traders get access to the trading system
  • HR get access to the HR system

Starting with really broad definitions that cover as many people as possible, we gradually narrow down on individual teams, defining the rights they have into business roles. When we’re happy, we can start to validate these roles, having the IT organisation confirm each permission group.

This leaves business managers just to confirm that employees have one of these ‘friendly’ roles.

The second time

Once you’ve captured these role definitions and validated them (and their exception cases), it’s relatively easy to maintain this and conduct regular audits.

Whenever a new system or group is created, this gets captured. If you release a new application, you’re most likely aiming it at a set of users, and this should already have been defined as a role (the London sales team, for example), so you add the new system to that role.

When it comes to your next certification cycle, you need the role owner to confirm that a given role still contains the right systems, and you need line managers to confirm their employees. Much easier than trawling around with Excel.

Moving

In between certification cycles, things are much easier too, especially when you tie your role management tool directly to your provisioning solution (this is pretty easy, as all support standards-based communication). If an employee moves within the organisation, you don’t need to worry about what systems they need access to, or cleaning up the access they had – you’ve just got to add the new role to their profile, and take the old one away.

Likewise for a new joiner or a leaver – their access is well defined, so you know exactly what to give, and what to take away.

So next time someone mails you a spreadsheet asking you to describe what a system does, and who should have access to it, tell them there’s an easier way.