The Beginner's Guide to Alternative Authentication

Chris Cornutt
February 20, 2015


It's pretty common for developers to go with the same kinds of authentication and authorization handling whenever they create an application with permissions and groups. Unfortunately, as applications grow in size and interact with other systems, this kind of setup sags under the weight of its own technical debt. Follow along with me as I talk about some alternatives to the typical RBAC authorization, including attribute-based access control, multifactor authentication, pattern-based approaches and federated identity providers.


Transcript

  1. The Beginner's Guide to Alternative Authentication. Chris Cornutt: @enygma. ConFoo 2015

  2. Authentication Authorization

  3. Authentication Authorization

  4. Identity Management

  5. Usual Suspects. Access Control? What's that? Permissions; Access Control Lists; Role-Based Access Controls

  7. Attribute-Based: flexible... to a fault. XACML

  8. Attribute-Based: Resource, Subject, Environment, Action

  9. Attribute-Based: Resource, Subject, Environment, Action; Policy; Decider/Enforcer

  10. Sample XACML policy:

    <Policy PolicyId="SamplePolicy"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
      <!-- This Policy only applies to requests on the SampleServer -->
      <Target>
        <Subjects><AnySubject/></Subjects>
        <Resources>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SampleServer</AttributeValue>
            <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
          </ResourceMatch>
        </Resources>
        <Actions><AnyAction/></Actions>
      </Target>
      <!-- Rule to see if we should allow the Subject to login -->
      <Rule RuleId="LoginRule" Effect="Permit">
        <!-- Only use this Rule if the action is login -->
        <Target>
          <Subjects><AnySubject/></Subjects>
          <Resources><AnyResource/></Resources>
          <Actions>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">login</AttributeValue>
              <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                         AttributeId="ServerAction"/>
            </ActionMatch>
          </Actions>
        </Target>
        <!-- Only allow logins from 9am to 5pm; the current time is an
             environment attribute supplied by the PEP/context handler -->
        <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
              <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#time"
                                              AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/>
            </Apply>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</AttributeValue>
          </Apply>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
              <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#time"
                                              AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/>
            </Apply>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue>
          </Apply>
        </Condition>
      </Rule>
      <!-- We could include other Rules for different actions here -->
      <!-- A final, "fall-through" Rule that always Denies. Under
           permit-overrides a Permit from LoginRule still wins; this Rule only
           catches requests no other Rule applied to -->
      <Rule RuleId="FinalRule" Effect="Deny"/>
    </Policy>

  11. Attribute-Based: the policy states the attribute values it requires and the decider compares them with the attributes of the incoming request.

      Policy:   Resource /user/view/1   Subject username1   Environment production   Action GET
      Request:  Resource /user/view/1   Subject username1   Environment production   Action GET

  12. Every attribute of the request matches the policy.

  13. Policy:   Resource /user/view/1   Subject username1   Environment production   Action GET
      Request:  Resource /user/view/42  Subject username1   Environment dev          Action GET

  14. Resource and Environment differ from the policy's values, so this request does not match it.
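A decision point that evaluates requests like the ones on slides 11 to 14, as an added example that is not part of the talk: each rule's target lists the attribute values it requires, an optional condition carries the 09:00 to 17:00 check from the XACML sample, and rules combine permit-overrides with an empty-target final Deny. The rule names, the `make_request` helper and the noon default clock are this example's own assumptions.

```python
"""Attribute-based access control in miniature (added example, not from the talk).

A request carries four attribute groups (Resource, Subject, Environment,
Action). Each rule names the attribute values its Target requires and may
carry a Condition; a rule whose Target or Condition does not match is
NotApplicable. Rules are combined permit-overrides, and a final rule with an
empty Target turns everything unmatched into Deny, as the XACML FinalRule
on slide 10 does.
"""
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Request:
    resource: str
    subject: str
    environment: str
    action: str
    current_time: time        # environment attribute, like XACML current-time


def make_request(resource, subject, environment, action, hour=12, minute=0):
    """Build a request; the clock defaults to noon so the time rule passes (assumption)."""
    return Request(resource, subject, environment, action, time(hour, minute))


@dataclass
class Rule:
    rule_id: str
    effect: str                                            # "Permit" or "Deny"
    target: Dict[str, str] = field(default_factory=dict)   # attribute -> required value
    condition: Optional[Callable[[Request], bool]] = None

    def evaluate(self, req: Request) -> str:
        for attr, wanted in self.target.items():
            if getattr(req, attr) != wanted:
                return "NotApplicable"
        if self.condition is not None and not self.condition(req):
            return "NotApplicable"
        return self.effect


def decide(policy: List[Rule], req: Request) -> str:
    """permit-overrides: any Permit wins, otherwise any Deny, else NotApplicable."""
    outcome = "NotApplicable"
    for rule in policy:
        result = rule.evaluate(req)
        if result == "Permit":
            return "Permit"
        if result == "Deny":
            outcome = "Deny"
    return outcome


def business_hours(req: Request) -> bool:
    """The XACML sample's 09:00-17:00 condition as a Python predicate."""
    return time(9, 0) <= req.current_time <= time(17, 0)


# The policy implied by slides 11-14 (attribute values taken from the slides),
# plus the time window and the fall-through Deny from the XACML sample.
SLIDE_POLICY = [
    Rule("ViewUser1", "Permit",
         target={"resource": "/user/view/1", "subject": "username1",
                 "environment": "production", "action": "GET"},
         condition=business_hours),
    Rule("FinalRule", "Deny"),        # empty Target: applies to every request
]


if __name__ == "__main__":
    for req in (make_request("/user/view/1", "username1", "production", "GET"),
                make_request("/user/view/42", "username1", "dev", "GET"),
                make_request("/user/view/1", "username1", "production", "GET", hour=18)):
        print(req.resource, req.environment, req.current_time, "->", decide(SLIDE_POLICY, req))
```

The third request carries exactly the attributes the policy wants but arrives at 18:00; the condition makes the Permit rule NotApplicable and the final rule denies it. Dropping the final rule would surface NotApplicable instead, which an enforcement point must also treat as a refusal.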
  15. Multifactor: something you have; something you know; something you are; someplace you are

  16. Multifactor

  17. Multifactor, how each factor fails: stolen shared secret; steal the thing; copy the thing; intercept/masquerade; hijack after use
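A TOTP verifier that addresses two of the failure modes on slide 17, added here as an example that is not from the talk: the code is computed from a shared secret, so "stolen shared secret" means whoever holds the server's copy can mint codes, and "hijack after use" is blocked by remembering the last accepted time step per user and refusing anything at or before it. The secret is the RFC 4226/6238 test secret; the class and parameter names are this example's own.

```python
"""TOTP (RFC 6238) verification with replay protection (added example).

The one-time code is derived from a shared secret, so whoever holds the
secret (the user's authenticator, the server's database, or an attacker who
copied either) can produce valid codes. The verifier below mitigates
"hijack after use": it remembers the last time step it accepted for this
user and refuses any code from that step or earlier, even inside the drift
window.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to the requested number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side state for one user's TOTP enrolment (names are this example's)."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        # Shared secret: unlike a password hash it must be stored recoverably,
        # so it needs encryption at rest; its theft is the "stolen shared secret" case.
        self.secret = secret
        self.step = step
        self.window = window          # accept +/- this many steps of clock drift
        self.digits = digits
        self.last_counter = -1        # highest time step already consumed; persist per user

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        if now is None:
            now = time.time()
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        counter = int(now) // self.step
        for candidate in range(counter - self.window, counter + self.window + 1):
            if candidate <= self.last_counter:
                continue              # replay or stale step: already consumed
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret (constructed input, not a real enrolment)
    v = TotpVerifier(b"12345678901234567890")
    print(v.verify("287082", now=59))   # first use of the step-1 code
    print(v.verify("287082", now=59))   # same code again: rejected
```

Two things the slide's list implies and the code makes concrete: the drift window is also the attacker's window, so a sniffed code stays usable for up to `window` steps unless the step is consumed, and rate limiting the `verify` endpoint is still needed because six digits are brute-forceable.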
  18. Federated Identity: portable, standards-based. Do you need to host? Removes the burden.

  19. Federated Identity

  20. Federated Identity IDP

  21. Federated Identity IDP Unification

  22. Federated Identity: user-to-user, user-to-application, application-to-application; levels of trust

  23. Federated Identity: But isn't that just Single Sign-On? One word... context.

  24. Federated Identity: credentials, user attributes, access levels, provisioning, auditing, domain

  25. Single Sign-On: credentials; multiple services, one login; interface requirements; not always username and password

  26. Single Sign-On: primary domain

  27. Single Sign-On: a subset of federation; intranets; removes the authentication burden; makes users happy... as long as it works.
  28. SAML: Security Assertion Markup Language. Cross-service; passes the needed info; version 2; XML based

  29. SAML: Security Assertion Markup Language

  30. SAML: Assertions, the statements an IdP issues about a subject (authentication, attributes, authorization decisions). Protocols, how request and response elements are packaged. Bindings, how protocol messages are carried over a transport such as HTTP Redirect or HTTP POST. Profiles, which combine assertions, protocols and bindings for a use case such as Web Browser SSO.

  31. SAML: Security Assertion Markup Language

  32. SAML: Authentication Context schemas (Intranet, MobileTwoFactor, PublicKey, SSL/TLS certificate, etc.); identification information; how the "secret" is defined
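The checks a service provider runs on an assertion before trusting it, added here as an example that is not from the talk: issuer, validity window, audience, subject and the authentication context class from slide 32, which is mapped to a level of assurance the application demands. It assumes the XML signature was already verified with xmlsec or a SAML library (nothing below is meaningful on an unverified document), uses a constructed sample assertion, and the issuer and audience URLs, `saml_time`/`check_assertion` names and the numeric levels are this example's own.

```python
"""Relying-party checks on a SAML 2.0 assertion (added example, not from the talk).

Assumes the assertion's ds:Signature has ALREADY been verified against the
IdP's certificate (xmlsec1, python3-saml, or similar). The checks here tie
an assertion to this service, to this moment, and to the authentication
strength this service demands; skipping any of them lets an assertion minted
for another service, or long ago, or after a weak login, be replayed here.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple
import xml.etree.ElementTree as ET   # use defusedxml.ElementTree on untrusted input in production

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not captured from any IdP); the ds:Signature is omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2015-02-20T14:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">username1@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2015-02-20T14:00:00Z" NotOnOrAfter="2015-02-20T14:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2015-02-20T13:59:50Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Standard SAML authentication-context classes mapped to the level of
# assurance this service grants them; the numbers are this example's own scale.
CONTEXT_LEVEL: Dict[str, int] = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient": 3,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509": 3,
}


def saml_time(value: str) -> datetime:
    """Parse the UTC timestamps SAML uses (YYYY-MM-DDTHH:MM:SSZ)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text: str, expected_issuer: str, expected_audience: str,
                    now: datetime, min_level: int = 1,
                    skew: timedelta = timedelta(seconds=60)) -> Tuple[bool, str, dict]:
    """Return (accepted, reason, details). Signature verification is a precondition."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 Assertion", {}
    if (root.findtext("saml:Issuer", namespaces=NS) or "").strip() != expected_issuer:
        return False, "unexpected issuer", {}
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", {}
    not_before = cond.get("NotBefore")
    if not_before and now + skew < saml_time(not_before):
        return False, "assertion not yet valid", {}
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after and now - skew >= saml_time(not_on_or_after):
        return False, "assertion expired", {}
    # No AudienceRestriction at all is treated as a mismatch: an assertion
    # that names no service can be replayed against any of them.
    audiences = [(a.text or "").strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch", {}
    subject = (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if not subject:
        return False, "missing Subject NameID", {}
    ctx = (root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                         namespaces=NS) or "").strip()
    level = CONTEXT_LEVEL.get(ctx, 0)          # unknown class: no assurance
    if level < min_level:
        return False, "authentication context too weak", {"context": ctx}
    return True, "ok", {"subject": subject, "context": ctx, "level": level}


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "https://idp.example.com/metadata",
                          "https://app.example.com/saml/metadata",
                          saml_time("2015-02-20T14:01:00Z"), min_level=2))
```

The `min_level` argument is where slide 32's context classes become a policy decision: the same assertion is accepted for a page that needs a two-factor login and refused for one that insists on a client certificate, and an unknown class earns no trust rather than a default one.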
  33. So, which to use? Level of protection needed; current systems and integration; defense in depth; risk (frequency, probability, cost); you don't have to pick just one...
  34. Thanks! Questions? @enygma http://securingphp.com - @securingphp http://websec.io