An introduction of several development activities related to Shibboleth and Web browser-based simple PKI

An introduction of several development

activities related to Shibboleth and

Web browser-based simple PKI

Toyokazu Akiyama

_{, Motonori Nakamura}

_,

Takeshi Nishimura

_{, Kazutsuna Yamaji}

_{, Yukiko Kawai}

_{Kyoto Sangyo University, Japan}

Contents

• Developments related to Shibboleth

– omniauth-shibboleth

– rack-saml

• Developments related to “Simple PKI”

– A Testing Framework for PKI applications using

Web Cryptography API

Developments related to

Shibboleth

Shibboleth and its application

development

• Shibboleth

– SAML2 SSO middleware

– Identity Provider (IdP) runs on Java Application

Container (e.g. Jetty)

– Service Provider (SP) can be constructed using Apache

module (mod_shib)

• User attributes are passed as environment variables

• Deployment Issue

– Difficult to support various languages and frameworks

used to develop web applications (SP)

An Example: Ruby on Rails

• Easy to implement Web applications using

Model/View/Controller pattern

• Easy to integrate a Rails application with

Shibboleth SP (mod_shib)

Web Server/Load Balancer (Apache, Nginx)

CGI, Web Server module (mod_php, mod_passenger)

Ruby on Rails

Terminate TCP

Pass requests to Scripting Languages

Handle requests by codes in respect for DRY and CoC

Rails application add some codes for Shibboleth Rack middleware HTTP handlers like Servlet

mod_shib shibd Ruby

An Example: Ruby on Rails

• GitLab (Ruby on Rails application)

–

https://about.gitlab.com/

• One of the major software repository

– Community Edition can be downloaded for constructing

private Git repository

– It’s still easy to add

Shibboleth related codes,

but …

Web Server/Load Balancer (Apache, Nginx)

CGI, Web Server module (mod_php, mod_passenger) Ruby on Rails GitLab add some codes for Shibboleth Rack middleware Frequent updates

Just one of the options of authentication

Do you want to patch GitLab

every time?

OmniAuth

• Standardized Multi-Provider Authentication

for Rack middleware

– RAILSCASTS #241

•

http://railscasts.com/episodes/241-simple-omniauth

– GitLab supports

OmniAuth

Web Server/Load Balancer (Apache, Nginx)

CGI, Web Server module (mod_php, mod_passenger)

Ruby on Rails Rails application Rack middleware HTTP handlers like Servlet

OmniAuth

Brief Overview of OmniAuth

• OmniAuth supports multiple authentication

– Authentication provider: OmniAuth Strategy

• Multiple providers are handled by URI routing

$APP_PATH/auth/

:provider

/

(1) Start

Authenticating

$APP_PATH/auth/

:provider

/callback

(2) Pass the result

to Web App as

a session variable

Auth Hash Schema

{

“provider”: “twitter”, “uid”: “toyokazu”,

“info”: { “name”: “Toyokazu Akiyama”} }

facebook, twitter, ldap, oauth, openid

omniauth-shibboleth

• You need to do is…

– Protect /auth/shibboleth/callback by mod_shib

– Add configuration file to your App

• That’s all

– omniauth-shibboleth repack the SAML attributes

to Auth Hash Schema

Rails example

% vi config/initializer/omniauth.rb

Rails.application.config.middleware.use OmniAuth::Builder do provider :shibboleth

omniauth-shibboleth

• Flexible attribute mapping

% vi config/initializer/omniauth.rb Rails.application.config.middleware.use OmniAuth::Builder do provider :shibboleth, { :uid_field => "uid", :name_field => "displayName", :info_fields => { :email => "mail", :location => "contactAddress", :image => "photo_url", :phone => "contactPhone" } } end

SAML Attributes

Auth Hash Schema

omniauth-shibboleth

• More flexible attribute mapping 

% vi config/initializer/omniauth.rb

Rails.application.config.middleware.use OmniAuth::Builder do provider :shibboleth, {

:uid_field => lambda {|request_param|

request_param.call('eppn') || request_param.call('mail') },

:name_field => lambda {|request_param|

"#{request_param.call('cn')} #{request_param.call('sn')}“ },

}

end

name is concatenation of ‘cn’ and ‘sn’

uid is ‘eppn’ or ‘mail’

Apache configuration problem (1/2)

• An example Rails App hosting architecture

using mod_passenger

SAML attributes are passed as environment variables Web Browser Passenger HelperAgent ・ ・ ・ spawn

About detailed Passenger architecture, please refer:

https://www.phusionpassenger.com/documentation/Design%20and%20Architecture.html ApplicationPool

If we can configure Apache, there is NO PROBLEM.

Apache configuration problem (2/2)

• An example Cloud hosting architecture

– e.g. Heroku (Rails application hosting)

Apache

mod_proxy Web Server (Managed by Hosting Service Provider)

Application Server

(Managed by Cloud User) Rails on Unicorn Unable to install mod_shib mod_shib function is required here Web Browser

rack-saml

• Pure Ruby Shibboleth SP (Rack middleware)

• Cooperate with omniauth-shibboleth easily

• SAML metadata importing tool is provided

Web Server/Load Balancer (Apache, Nginx)

CGI, Web Server module (mod_php, mod_passenger)

Ruby on Rails Rails application Rack middleware HTTP handlers like Servlet

Rack::SAML

Since OmniAuth and Rack::SAML are Rack::Middleware, they can be used

NOT ONLY for Rails but also for the other frameworks

Developments related to

“Simple PKI”

Recent Web technology changes

• WebRTC (Web Real-Time Communication)

– APIs for real-time communication

• Local device operation • P2P communication

– Enables “voice chat” without Plug-ins

– Standardization is ongoing at W3C and IETF

• An example application

– SkyWay (NTT Communications)

• WebRTC platform for application developers • Construct a new App without preparing servers

– Signaling server (PeerJS server) is required for P2P communication

• For Authentication & Encrypted communication

An issue in DTLS-SRTP for P2P

communication (1/3)

• The signaling server (provided by application provider)

must guarantee the authentication of end-users

A Self-signed certificate A User A User B B B Self-signed certificate Key exchange in DTLS-SRTP Shared key Signaling server

Issues in DTLS-SRTP for P2P

communication (2/3)

• The signaling server (provided by application provider)

must guarantee the authentication of end-users

A A’ User A User B B B’ Key exchange in DTLS-SRTP Man-in-the-middle attack

Shared key 1 Shared key 2

fake certificate fake certificate Signaling server

Issues in DTLS-SRTP for P2P

communication (3/3)

• Increase of application providers makes it

difficult for users to judge their trustworthiness

Trustworthy?

or

Not Trustworthy?

An approach to improve

trustworthiness

• Use trusted third party certificate (PKI)

A A User A User B B B signed certificate signed certificate

Trusted third party signing server signed certificate signed certificate Signaling server

Issues in PKI

• Strict PKI requires high operation cost

– Online signing service can be used

PKI key management problem

• Personal certificate in Keychain Access

Country Organization CN Country Organization CN

If the user name is the same, it may be difficult for users to

distinguish the certificates.

It may also be difficult for users to choose the proper certificate

for the proper application by Issuer Name.

Issuer Name Issuer Name

An approach to solve

PKI Key management problem

• Automatic key selection

– If PKI keys are managed in JavaScript, it is possible

to choose the key automatically by Web Apps

Issues in JavaScript-based Key

management

• Pure JavaScript PKI

related libraries

– jsrsasign, PKI.js

• Store keys into the

storage where accessible

from JavaScript

– Example Issue:

Entities stored in HTML5

Local Storage can be

accessed by any remote

script

JavaScript

Script A Script B

Private key

Secure Key Storage must be used

An approach to solve

Key management in JavaScript

• Using Web Cryptography API

– JavaScript API for performing basic cryptographic

operations in web applications

– The specification discusses Key management issues

• However, key management specification itself is out of

scope (will be defined as the other standard?)

• Issues

– Standardization is ongoing

Construct Testing Framework for Applications

using Web Cryptography API (1/2)

• Implementation of Testing Framework

– Separate key operations into the Key

Management Server (KMS)

• KMS is implemented using Node.js &

node-forge

JavaScript

App Script

Private keys with key_id

Web Cryptography API encrypt( key_id, …) decrypt( key_id, …) …

include

Key Management Server (KMS) Running on local PC

Key operation is done in KMS API call is mapped

to socket.io communication

Construct Testing Framework for Applications

using Web Cryptography API (2/2)

• Implement an example application

– Online certificate issuance application

Key Management Server

Client PC

CA Server

Input Password

via GUI

Per user key management folder Per user process

PKCS #12 PKCS #12 PKCS #12 Private key Public key Online cert issuance App Script Public key Signed Public key socket.io socket.io Generate a key pair socket.io

Future Work

• Adjust interface more Web Cryptography API

compatible

• Implement DTLS-SRTP using Testing

Framework

• Consider design and implementation of

automatic key management

Conclusion

• Developments related to Shibboleth

– omniauth-shibboleth

– rack-saml

• Developments related to “Simple PKI”

– A Testing Framework of PKI applications using

Web Cryptography API