• No results found

Web Application Entity Session Management using the eid Card Frank Cornelis 03/03/2010. Fedict All rights reserved

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Web Application Entity Session Management using the eid Card Frank Cornelis 03/03/2010. Fedict All rights reserved"

Copied!
23
0
0

Loading.... (view fulltext now)

Download now ( 23 Page )

Full text

(1)

Web Application Entity

Session Management using the eID Card

Frank Cornelis

03/03/2010

(2)

What is Entity Authentication?

 Entity authentication is the process whereby one party is assured of the identity of a second party involved in a protocol, and that the

second has actually participated (i.e., is active at, or immediately prior to, the time the

evidence is acquired)

 Formal definition (A authenticated B if):

 Alice A, Bob B

 A believes freshness challenge_A

 A believes (B recently said challenge_A)

 Authentication vs. Session Key Establishment

 How to achieve this using an eID card?

(3)

eID Card

 Authentication Private Key (1024 bit RSA)

 PKCS1-RSA

 PIN authorization for Authn Key usage

 Card caches the authn PIN authorizations

 Log-off instruction to reset PIN authorization

 Creation of a signature:

 Set APDU: select the key. 0x82 = authn key

 Prepare DigestInfo PKCS1 DER sequence

 Verify PIN APDU: (PIN BCD encoded)

 Compute Digital Signature APDU

 Retrieve signature data

 eID can only sign (RSA decryption of DigestInfo)

(4)

eID Certificate Validation

 Authentication Certificate Chain

Authn Cert Citizen CA Cert

Root CA Cert Root CA Cert

GlobalSign CA Cert

Gov CA Cert

SSL Cert same key

CRL

CRL CRL

OCSP Responder

(5)

eID Certificate Validation (cont'd)

 jTrust: eID PKI Validation for Java

 http://code.google.com/p/jtrust/

 Not using the Java Certification Path API (sucks)

 Flexible Architecture (eID Trust Service ready)

Trust Validator

Certificate Repository List of Trust Linkers List of Cert Constraints

Set of Trust Points

Public Key Trust Linker

Fallback Trust Linker OCSP Trust Linker

CRL Trust Linker CRL Repo OCSP Repo

CRL

OCSP Responder eID Trust Service CRL Cache Trust Linker

Root CA

(6)

eID Entity Authentication

 eID Card authentication by itself is useless

 Remote Entities, e.g. web application context.

 We need an Authentication Protocol

 Different Authentication Protocols are possible

 Each Entity Authentication Protocol yields its own cryptographic goals.

 Of course Entity Authentication

 Session key via combined Key Agreement (SSL)

 DO NOT TRY TO INVENT YOUR OWN PROTOCOL!

 Needham-Schroeder protocol: replay attack

 Creativity is great for non-critical applications,

like music.

(7)

Authentication Protocols

 Mutual SSL

 Browser initiated SSL handshake

 Relies on eID PIN authorization caching feature

 Tunneled Entity Authentication

 Uses unilateral SSL to authenticate the server

 Based on ISO/IEC 9798-3 Authentication SASL Mechanism (RFC 3163)

 Cryptographic channel binding to secure the channel (RFC 5056)

 Requires an eID Applet (or browser extension)

 Explicit eID card management possible

 Sequential eID card access possible

(8)

Unilateral SSL (RFC 2246)

Alice Bob

HelloClient(ciphers,Ra) HelloServer(cipher,Rb) Certificate(cert chain)

ClientKeyExchange {pre_master_secret}Kb+

master_secret=PRF(pre_master_secret, Ra, Rb) ChangeCipherSpec

ClientFinish (encrypted)

PRF(master_secret,handshake_msgs) ChangeCipherSpec

ServerFinish (encrypted)

PRF(master_secret,handshake_msgs)

Entity Authentication

A believes freshness Ra

A believes B recently said Ra

ServerHelloDone

Ra: random by A Rb: random by B Kb+: public key of B pre_master_secret:

random by A

PRF: pseudo-random function

session_key=F(master_secret) Validate

cert

chain

(9)

Unilateral SSL features

 Resuming a TLS connection

 HelloClient(session_id)

 Reusing the same master_secret

 Reduces load due to a full TLS handshake

 Renegotiating the SSL handshake

 Over an already established SSL connection

 Useful when client authentication is required

 Both client and server can initiate a renegotiation

 Not all SSL stacks support this (Java does not)

 Security flaws in implementations

(10)

Mutual SSL using the eID Card

Alice Bob

HelloClient(ciphers,Ra) HelloServer(cipher,Rb) Certificate(cert chain)

ClientKeyExchange {pre_master_secret}Kb+

ChangeCipherSpec ClientFinish (encrypted)

PRF(master_secret,handshake_msgs) ChangeCipherSpec

ServerFinish (encrypted)

PRF(master_secret,handshake_msgs)

Entity Authentication

A believes freshness Ra

A believes (B recently said Ra)

B believes freshness Rb

B believes (A recently said Rb)

CertificateRequest,ServerHelloDone Certificate(cert chain)

CertificateVerify

sign_Ka-(handshake_msgs)

Ra: random by A Rb: random by B Kb+: public key of B pre_master_secret:

random by A

Ka-: private key of A

PRF: pseudo-random

function

(11)

Tunneled Entity Authentication

Alice Bob

Unilateral SSL At this point B still doubts A A trusts B

Challenge

sign_Ka-(Ra,challenge), Ra, cert A

 ISO/IEC 9798-3 Authentication SASL Mechanism

 RFC 3163

 Unilateral client authentication: server already authenticated via unilateral SSL connection

 Did we achieve the same effect as mutual SSL?

 What if challenge actually is SHA1(contract)?

 B can abuse A's challenge signature.

What can B believe at

this point?

(12)

Man-in-the-middle attack on SASL

Alice Mallory

Unilateral SSL

sign_Ka-(Ra,challenge), Ra, cert A

Bob

Unilateral SSL Challenge Challenge

sign_Ka-(Ra,challenge),Ra,cert A

 Mallory can abuse the authentication token of Alice

 Why is this going wrong?

 SSL: sign_Ka-(handshake_msgs) so the signature digests parts of the secure channel's “identity”

 SASL: sign_Ka-(Ra,challenge) does not digest any

part of the secure channel's “identity”

(13)

Channel Binding to Secure Channels

Alice Bob

Unilateral SSL Challenge

Sign_Ka-(Ra,challenge,channel_binding), Ra, cert A

 RFC 5056: cryptographic binding

 channel_binding =

 Hostname B (nice try)

 Inet address B (nice try)

 SSL certificate B (OK)

 SHA1(master_key) (even better)

 A channel binding should really digest part of the channel's “identity”. SSL stack must support this.

SSL

context

(14)

Web Applications

 Uses HTTP over TCP/IP

 HTTP is a stateless protocol

 How to create an HTTP session context?

 Via cookies: Set-Cookie, Cookie HTTP headers

 Via tokens: request token, response token in forms

 Via transport layer (SSL)

 How does an application session context correspond with the user eID login/logout experience?

 Vulnerable to remote attacks due to the

evolutionary nature of the web protocol stack.

(15)

The Webshop Web Application

Welcome Item list

View Cart

eID

login pay eID

logout Add to Cart

 We need a stateful protocol for the shopping cart

 We need to be able to trust the web application

 We want privacy during all steps

 We want eID authentication during payment

 Machine could be shared between users

 Different solutions are possible!

(16)

The Webshop: Trust and Privacy

 Using unilateral SSL using a trusted server cert.

 Different network topologies are possible.

Internet firewall

SSL Terminator

Hardware or HTTPD

Application Server

 Everything behind SSL to prevent session cookie stealing.

 AJP preferred between HTTPD and AS

(17)

The Webshop: Statefulness

 Using a session cookie initiated by the Application Server, protected by SSL.

A B

GET index.html index.html GET list.jsf

list.jsf

SSL connection

POST add_item.jsf

Set-Cookie: 123456, success.jsf Cookie: 123456, GET list.jsf

list.jsf

Cookie: 123456, GET cart.jsf cart.jsf

App Server

HTTP Session

context Browser

Cookie Lifecycle SSL

session

(18)

The Webshop: eID SSL authentication

 First we try out the mutual SSL scheme

 Application Server driven SSL renegotiation to instantly enable mutual SSL is tricky, especially for hardware SSL termination.

Internet firewall

SSL Terminator

Hardware or HTTPD

Application Server SSL

reneg?

 We don't want to enable mutual SSL during the

entire web application user session.

(19)

The Webshop: eID SSL authentication

 So we need two SSL terminations:

 One for unilateral SSL

 One for the mutual SSL using eID

 Requires 2 IP addresses (+ DNS names), or at least 2 different ports.

Internet firewall

SSL Terminator

Application Server eID SSL

Terminator

 Problem: how to properly link the SSL sessions?

 If same IP address, via session cookies

 If different IP address, via signed SAML tickets

(20)

The Webshop: eID SSL authentication

 How about session life cycles?

 The Application Server cannot inform SSL to terminate that easily...

A B

Unilaternal SSL

Mutual SSL Handshake

Magical SSL Session Linking eID Login

Show profile, payments Logout

index.html eID

SSL

eID PIN authz caching

Server SSL

eID Login

Show profile eID SSL session still alive!!!

Short SSL sessions? :) What if the web

application wants to

sign a contract with

eID of citizen C???

(21)

The Webshop: eID authentication

 eID authentication using a tunneled solution.

 It just works as expected.

 No more SSL session life cycle issues

 No more SSL handshake exceptions due to missing eID card

 Can reuse the eID card for signing within webapp

 Can explicitly logoff the eID card

(22)

eID Applet Architecture

Web Page eID Applet

Target Page

eID Applet Service

HTTP Session

SPI

Service Implementation

Web Browser Web Container

1

2

3

4 3 5

6 jTrust

(23)

Thank you

Fedict

Maria-Theresiastraat 1/3 Rue Marie-Thérèse Brussel 1000 Bruxelles

TEL. +32 2 212 96 00 | FAX +32 2 212 96 99 [email protected] |

www.fedict.belgium.be

Fedict cannot be held liable for any direct or indirect damages arising from the usage of the information provided by this

presentation.

The views expressed in this presentation can change over time

due to new evolutions and/or new insights.

References

Download now ( PDF - 23 Page - 244.82 KB )

Related documents

eid Security Frank Cornelis Architect eid fedict All rights reserved

ID ADDRESS RRN SIGN RRN SIGN IDENTITY “PIN protected” authentication digital signature PKI private public private public..

Analysis of vertical reinforcement in slender reinforced concrete (tilt-up) panels with openings & subject to varying wind pressures

With the Alternative Design of Slender Walls method, vertical reinforcement was determined for tilt-up wall panels subject to axial load and out-of-plane uniform lateral wind

Community School Legislative History

282, enacted in fall 1999, allowed for the expansion of start-up community schools to the 21 largest urban public school districts (all Ohio ‘urban eight’ districts plus

LSAT_PT_65

(B) It is the argument’s only conclusion, and each of the other statements in the argument is used to support it. (C) It is a statement for which some evidence is provided

Securities Transaction Taxes for U.S. Financial Markets

As a hypothetical ex- ercise, if we raise the stock transaction tax rate to 0.5 percent and assume no decline in trading volume, the 2000 revenue generated by the tax would be

An Appraisal of Demurrage Policies and Charges of Maritime Operators in Nigerian Seaport Terminals: the Shipping Industry and Economic Implications

Amiwero (2015) is of the view that the five-day nationwide strike and protests over the removal of fuel subsidy, leading to the shutdown of activities at Nigerian ports, is

Feasibility of including APF gel application in a school oral health promotion program as a caries-preventive agent: a community intervention trial

Even at 6 and 12 months, there was no statistically significant difference in mean DMFT and DMFS values between the experimental and control groups, because the mean time required for

An Evaluation of the Psychometric Properties of the Test of Dyslexia-Rapid Assessment Profile

Do subtests of the TOD-RAP significantly predict students’ reading achievement as defined by Woodcock Johnson III (WJ-III) Tests of Achievement Reading Fluency, Wide Range