Monday, February 23, 2009

Web Services : Brokered Authentication

Context
A client needs to access a Web service. The Web service requires the application to present credentials for authentication so that additional controls such as authorization and auditing can be implemented.

Problem
How does the Web service verify the credentials that are presented by the client?

Forces
Any of the following conditions justifies using the solution described in this pattern:

· The client accesses additional services, which results in the need for a single sign on (SSO) solution. Without a single sign on solution, the client may be forced to authenticate prior to every Web service call or cache the user's credentials within the application. If the user's credentials include a password, caching the password is not recommended because it may pose a security risk.
· The client and the Web service do not trust each other directly. The client and the Web service may not trust one another to manage or exchange shared secrets securely. Establishing trust directly between a client and Web service often requires out of band interactions that can hinder clients and services from interacting dynamically.
· The Web service and the identity store do not trust each other directly. The Web service may be unable to communicate with the identity store directly, because of access control restrictions, network restrictions, or organizational policy.

The following condition is an additional reason to use the solution.

· The client and Web service share a standard access control infrastructure. You can simplify the development of new Web services by standardizing and centralizing the issuance and verification of credentials. You can also centralize the management of data associated with credentials; this reduces the costs associated with identity management.

Solution
Use brokered authentication where the Web service validates the credentials presented by the client, without the need for a direct relationship between the two parties. An authentication broker that both parties trust independently issues a security token to the client. The client can then present credentials, including the security token, to the Web service.

Participants

Brokered authentication involves the following participants:
· Client. The client accesses the Web service. The client provides the credentials for authentication during the request to the Web service.
· Service. The service is the Web service that requires authentication of a client prior to authorizing the client.
· Authentication broker. The authentication broker authenticates clients and maintains authoritative control over security tokens. It also vouches for the client by issuing it a security token.
· Identity store. The entity that stores a client's credentials for a particular identity domain.

Process
1. The client submits an authentication request to the authentication broker.
2. The authentication broker contacts the identity store to validate the client's credentials.
3. The authentication broker responds to the client, and if authentication is successful, it issues a security token. The client can use the security token to authenticate with the service. The security token can be used by the client for a period of time that is defined by the authentication broker. The client can then use the issued security token to authenticate requests to the service throughout the lifetime of the token.
4. A request message is sent to the service; it contains the security token that is issued by the authentication broker.
5. The service authenticates the request by validating the security token that was sent with the message.
6. The service returns the response to the client.

There are different types of authentication brokers. Each type uses different mechanisms to broker authentication between a client and a service. Common examples of an authentication broker include the following:
· X.509 PKI
· Kerberos protocol
· Web Service Security Token Service (STS)

Benefits
The benefits of using the Brokered Authentication pattern include the following:
· The authentication broker manages trust centrally. This eliminates the need for each client and service to independently manage their own trust relationships.
· Solutions built around brokered authentication with a centralized identity provider are often easier to maintain than direct authentication solutions. When new users who require access to any of the clients or Web services are added to the identity store, their credentials are maintained in one central point.
· Two parties participating in brokered authentication do not require prior knowledge of one another to communicate. If a client is modified to call a Web service it has never used before, the Web service requires no changes to its configuration or data to authenticate credentials presented by the client.
· Trust relationships can be established between different authentication brokers. This means that an authentication broker can issue security tokens that are used across organizational boundaries and autonomous security domains.

Liabilities
The liabilities associated with the Brokered Authentication pattern include the following:
· The centralized trust model that is used by Brokered authentication can sometimes create a single point of failure. Some types of authentication brokers, such as the Kerberos Key Distribution Center (KDC), must be online and available to issue a security token to a client. If the authentication broker somehow becomes unavailable, none of the parties that rely on the authentication broker to issue security tokens can communicate with each other. This problem of a single point of failure can be mitigated by implementing redundant or back-up authentication brokers, although this increases the complexity of the solution.
· Any compromise of an authentication broker results in the integrity of the trust that is provided by the broker also being compromised. If an attacker does successfully compromise the authentication broker, it can use the authentication broker to issue security tokens, and conduct malicious activity against parties that trust the authentication broker.

Security Considerations
Security considerations associated with the Brokered Authentication pattern include the following:
· Claims held in security tokens often contain sensitive data, and must be protected in transit, either by using message layer security, or transport level security.
· Security tokens must be signed by the issuing authentication broker. If they are not, their integrity cannot be verified. This could result in attackers trying to issue false tokens.
· A Time of Change/Time of Use vulnerability may exist if the client's account status, identity attributes, or authorization attributes are modified by an account administrator. If these changes are not reflected in the security token, it creates a vulnerability that may lead to invalid clients interacting with the service with elevated privileges.

Wednesday, February 04, 2009

Social Networking Sites – Will the risks increase?

Social Networking sites such as Orkut, Facebook, MySpace have become household names in the recent times. The networking on internet has been experiencing a drift from the old networking sites such as classmates.com to “Web 2.0” sites such as Orkut. The crux still comprises of online user communities sharing information, discovering new contacts and reconnecting with older ones.

The platform in the social networking sites grows via user contributions which are powered by communication channels such as email, chat, message boards. Like-minded individuals can share information and interest and provide feedback and reviews. These sites contain a warehouse of information that can be mined and analyzed. More than 3 years after Facebook was attack by a widespread social networking worm, many sites did patch old vulnerabilities. But the problem has not gone away. While the site owners are gaining profits from this explosion of information correlation, attackers are too seeking benefit from this arrangement. These sites have been hosts to worms, phishing attacks, identity theft, spam and other malware exploits.

The changing times might bring in higher level of integration of these applications with cellular networks too. Mobility and location aware applications might soon dominate on these apps. Cell towers and GPS services might be able to pass your information to whomsoever you wish. The increased smartness in the applications might mean that not only local business and entertainment might use this information to attract you, but you might also be able to meet your friends in the same area of your social network or thrill you by online dating service. The DTH services might also become a social networking hub. While watching your favorite TV programs, you might also be able to see what your friend is watching and chat and review the program rating. Each time a user visits a site; clicks on a link, rate a blog, or chat on specific content, the site will gain intelligence about the user and enhance his social network.

Increased collaboration and sharing of information also increases the risk for an individual. The user typically exposes his/her taste in terms of profile, be it liking a TV channel program, movie, books, celebrity gossips, workplace drama, geek gadgets, etc. The key component of social networking site is high amount of open information of the user. User privacy is at highest risk too because of information correlation and location tracking issues. Many of them may not opt for such services. However, when users see a benefit from using this service they will volunteer by providing little information.

As the security researchers and site owners are aware of security and privacy issues involved in these sites, they try to encapsulate the information at level of city or state for example. Unfortunately the bad guys will still be hanging around with the risk of vast information falling in hands of bad guys.

Spam based attacks have the potential to disrupt these social networking sites as they have been advancing today. The spam exploits will become more convincing social engineering attacks with all this data. Social botnets are another major threat to the social networking sites which can contaminate the site content with fake profiles and testimonials. Security in these sites will depend heavily on server-side defenses which might need to scan all incoming and outgoing traffic and snoop for malicious code.

To conclude, social networking sites will be rapidly expanding, adding user base and functionality and be able to mine and intelligently use user profile, security challenges will be both compelling and threatening.