06.06.2011
© R. Grimm / D. Pähler, Uni Koblenz 1/37
Security for Mobile Applications
SM11: Applications – Remote Login, Access, and Control
R. Grimm, D. Pähler, Institute for Information Systems Research
University Campus Koblenz
Content
• Single-Sign-On
– Liberty Alliance
– Shibboleth
• DFN-Roaming
• Remotile
Single-Sign On – Problem (1)
• Users have many accounts in the network
• Home banking
• Social networks
• Shopping portals
• Ticket booking
• CSCW services (such as cooperative reviewing)
• Local area networks
Single-Sign On – Problem (2)
• Users have many User-Ids and Passwords
• Biological memory
• Simple-to-guess derivation rules for passwords
• (Un)encrypted written notes
• Dongles
• Password setters (e.g. Firefox)
Single-Sign On – Definition
• Definition (Pashalidis/Mitchell 2003):
[...] Single Sign-On (SSO), a technique whereby the user authenticates him/herself only once and is automatically logged into [Service Providers] as necessary, without necessarily requiring further manual interaction.
• One Authentication Service (AS) for many services
– Centralized and decentralized solutions
Centralized Single-Sign On
• Windows Live ID
– formerly ”Microsoft Passport”
– Compatible with the MS Passport Network
– MSN Messenger, MSN Hotmail, MSN Music
– More MSN Sites and Services
Decentralized Single-Sign On
• Liberty Alliance:
– SUN Microsystems, Intel, AOL, ...
– SAML Assertions between home service and requested service
• Shibboleth:
– Internet2/MACE, Open Source License
– SAML Assertions between home service and requested service
• DFN Roaming / Eduroam:
– WLAN access
– European Universities campus solution
– 802.1X security technology for inter-institutional roaming
– Same credentials everywhere as from home
Liberty Alliance: decentralized AS
• Liberty Alliance: consortium of ~150 organizations (commercial & academic), est. 2001
• Aim: Federated Network Identity
– Sign on once, be recognized everywhere (“single-sign on”)
– Distributed personal preferences & histories
• Dangers / Problems:
– Centralization?
– Privacy Concerns?
– Mobility?
• Means:
– Open standards, implemented by many providers
– Anonymous user handles (not the same for different websites)
– Operational guidelines for cooperating businesses
– Use of ”ubiquitous” technology on client side
Liberty Alliance – Components
• Service provider:
– offers common web-based service
• Identity provider:
– aggregates service providers to ”Circle of Trust“
– offers single point of trust to users
– service providers may also be identity providers
• Principal (User):
– may be customer of several identity providers,
i.e., have several Circles of Trust
Liberty Alliance – Circles of Trust
[Figure: the User belongs to two Circles of Trust. Enterprise Circle of Trust: Identity Provider A with the services CSCW and ERP. Consumer Circle of Trust: Identity Provider B / e-Banking with the services Social Network and Online Shop.]
Liberty Alliance – SSO Example (scenario)
• Scenario:
– user is already logged in at Identity Provider B,
– wants to use Online Shop Website without an additional login
[Figure: Consumer Circle of Trust with User, Identity Provider B / e-Banking, Social Network and Online Shop.]
Liberty Alliance – SSO Example (login protocol to next service)
[Figure: sequence diagram of the login protocol; not reproduced in the extracted text.]
SAML – Security Assertion Markup Language
• XML data format specification for
– exchange of authentication and authorization information
between Web services (XML via SOAP)
• Assertions:
– Authentication data, authorization data, session attributes
• Bindings:
– How SAML is embedded into other standard message formats
• Protocol:
– Request and response of SAML assertions
• Profiles:
– Combine the above into use cases
• Can be signed
SAML assertion types
• Authentication assertions:
– assert that a certain user is who they claim to be
• Attribute assertions:
– assert that a certain user has certain attributes
– (privacy! user control!)
• Authorization decision assertions:
– map users to access methods for objects
A simple SAML Authentication Assertion
<saml:Assertion
    AssertionID="10.255.1.3.1034108172377"
    […]
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions
      NotBefore="2002-10-08T20:16:12.307Z"
      NotOnOrAfter="2002-10-08T22:16:12.307Z"/>
  <saml:AuthenticationStatement
      AuthenticationInstant="2002-10-08T20:16:12.307Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.0"
                           NameQualifier="Domain Name">
        Marc Chanliau
      </saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>http://www/</saml:ConfirmationMethod>
        <saml:SubjectConfirmationData>
          R1VD8fkkvlrhp
        </saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
Source: http://entwickler.com/itr/online_artikel/psecom,id,468,nodeid,69.html, Listing 1 [6.6.2011]
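The listing shows what an assertion carries; what it does not show is what a relying service has to check before it trusts one. The following added example (not from the lecture, nor from any SAML library) parses a constructed SAML 1.0 assertion with the same structure as the listing and verifies the validity window in Conditions, the age of the AuthenticationInstant, and the presence of a subject. All identifiers, the issuer and the subject are made up; XML-Signature verification is assumed to be done by a separate library before this code runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion modelled on the listing in the slides; every
# value (AssertionID, issuer, subject, times) is made up for this example.
SAMPLE_ASSERTION = """<saml:Assertion AssertionID="example-assertion-0001"
    Issuer="idp.home.example" IssueInstant="2002-10-08T20:16:12.307Z"
    MajorVersion="1" MinorVersion="0"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2002-10-08T20:16:12.307Z"
                   NotOnOrAfter="2002-10-08T22:16:12.307Z"/>
  <saml:AuthenticationStatement
      AuthenticationInstant="2002-10-08T20:16:12.307Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="home.example">alice</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are xsd:dateTime in UTC with a trailing 'Z'."""
    if not value or not value.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in Z: %r" % (value,))
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, now: datetime, max_auth_age_s: int = 3600) -> dict:
    """Return subject data if the assertion is acceptable at time `now`;
    raise ValueError naming the first failed check otherwise."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS:
        raise ValueError("not a SAML 1.0 assertion")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if now < not_before:
        raise ValueError("assertion not yet valid")
    if now >= not_on_or_after:            # NotOnOrAfter is exclusive
        raise ValueError("assertion expired")

    stmt = root.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        raise ValueError("no AuthenticationStatement")
    auth_instant = parse_saml_time(stmt.get("AuthenticationInstant"))
    # The service decides how old a home login may be for its purposes.
    if (now - auth_instant).total_seconds() > max_auth_age_s:
        raise ValueError("authentication too old for this service")

    name_id = stmt.find("saml:Subject/saml:NameIdentifier", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("no subject name identifier")
    return {
        "subject": name_id.text.strip(),
        "name_qualifier": name_id.get("NameQualifier"),
        "method": stmt.get("AuthenticationMethod"),
        "assertion_id": root.get("AssertionID"),
    }


def check(xml_text: str, now_iso: str, max_auth_age_s: int = 3600) -> str:
    """Convenience wrapper: 'ok' or the reason the assertion was rejected."""
    try:
        validate_assertion(xml_text, parse_saml_time(now_iso), max_auth_age_s)
        return "ok"
    except (ValueError, ET.ParseError) as exc:
        return str(exc)


if __name__ == "__main__":
    for t in ("2002-10-08T20:00:00Z", "2002-10-08T21:00:00Z", "2002-10-08T22:16:12.307Z"):
        print(t, "->", check(SAMPLE_ASSERTION, t))
```

The time of evaluation is passed in rather than read from the clock so that the window checks can be exercised deterministically; in a deployed service `now` would be the receiving server's clock, which is why clock skew between identity provider and service provider matters.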
Shibboleth: decentralized AS
• Internet2/MACE, Open Source License
• Aim: Easy access mechanism on Web-based services
• Authenticate once at home environment
• Use remote Web-based service on the basis of home authentication
• Web service and home authentication communicate via SAML
Shibboleth components
• User:
– at any place in the network, e.g. at home, at office (not necessarily moving!)
• Identity provider (handle server + login server)
– at home
• Service provider
– at any place in the Web, e.g. remote
• WAYF (Where are you from?) server
– localize home of requesting user
Shibboleth interaction
[Figure: parties are the User, the Service Provider, the wayf.de server, the home domain Shibboleth IdP and the home domain "login" server. Numbered steps:]
1. User requests remote web service (at the Service Provider)
2. wayf.de server: "where are you from?"
3. User selects home domain
4. Redirect to home login (home domain "login" server)
4a. If not already logged in: login now
5. Login ok
6. Login ok: use this handle
7. SAML: user parameters via handle (Service Provider and Shibboleth IdP)
8. Provide service
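Steps 6 and 7 are the privacy-relevant core of the design: the service provider receives an opaque handle, not the user's identity, and only learns the attributes the home identity provider is willing to release. The same idea is behind the "anonymous user handles" listed under Liberty Alliance above. The following added example (not Shibboleth or Liberty code) models that exchange in Python: the IdP issues a random, short-lived handle bound to one service provider, the SP queries attributes with it over the back channel, and the IdP applies a per-user, per-SP release policy. User records, passwords and the policy are constructed sample data; the time is passed in explicitly so the expiry check can be demonstrated.

```python
import secrets
import time


class IdentityProvider:
    """Home-domain IdP: verifies the login (steps 4/5) and issues handles (step 6)."""

    def __init__(self, users, release_policy, handle_ttl=300):
        self.users = users                    # user -> {"password": ..., "attributes": {...}}
        self.release_policy = release_policy  # (user, sp) -> set of attribute names to release
        self.handle_ttl = handle_ttl          # seconds a handle stays usable
        self._handles = {}                    # handle -> (user, sp, expires_at)

    def login(self, user, password, sp, now=None):
        """On success, return a handle that is valid only for service provider `sp`."""
        now = time.time() if now is None else now
        record = self.users.get(user)
        if record is None or not secrets.compare_digest(record["password"], password):
            return None
        handle = secrets.token_urlsafe(16)    # opaque: different per SP and per session
        self._handles[handle] = (user, sp, now + self.handle_ttl)
        return handle

    def attributes_for(self, handle, requesting_sp, now=None):
        """Step 7: back-channel attribute query by the SP, keyed by the handle."""
        now = time.time() if now is None else now
        entry = self._handles.get(handle)
        if entry is None:
            raise PermissionError("unknown handle")
        user, bound_sp, expires_at = entry
        if requesting_sp != bound_sp:
            raise PermissionError("handle was issued for a different service provider")
        if now >= expires_at:
            del self._handles[handle]
            raise PermissionError("handle expired")
        # Release policy: the SP sees only what the user agreed to for this SP,
        # never the login name or the full attribute set.
        allowed = self.release_policy.get((user, requesting_sp), set())
        return {k: v for k, v in self.users[user]["attributes"].items() if k in allowed}


class ServiceProvider:
    """Remote web service: decides on access from released attributes only (step 8)."""

    def __init__(self, name, idp, required_attr):
        self.name = name
        self.idp = idp
        self.required_attr = required_attr    # e.g. ("affiliation", "student")

    def serve(self, handle, now=None):
        try:
            attrs = self.idp.attributes_for(handle, self.name, now=now)
        except PermissionError as exc:
            return "refused (%s)" % exc
        key, value = self.required_attr
        if attrs.get(key) != value:
            return "refused (required attribute not released or not matching)"
        return "service granted for %s=%s" % (key, value)


# Constructed sample data: one user, one release rule.
USERS = {
    "alice": {
        "password": "correct-horse",
        "attributes": {"affiliation": "student", "email": "alice@home.example", "dept": "cs"},
    }
}
POLICY = {("alice", "journals.example"): {"affiliation"}}


def demo(now=1000.0):
    """Run the whole flow once and return the SP's decision."""
    idp = IdentityProvider(USERS, POLICY)
    sp = ServiceProvider("journals.example", idp, ("affiliation", "student"))
    handle = idp.login("alice", "correct-horse", sp.name, now=now)
    return sp.serve(handle, now=now + 10)


if __name__ == "__main__":
    print(demo())
```

Binding the handle to the requesting service provider is what stops a handle obtained for one site from being replayed at another; the short lifetime limits what a leaked handle is worth.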
Comparison: Liberty Alliance vs. Shibboleth
Aim
– Liberty Alliance: SSO
– Shibboleth: SSO
Main usage area
– Liberty Alliance: economy
– Shibboleth: science / universities
User mobility
– Liberty Alliance: not limited (ubiquitous technology)
– Shibboleth: not limited (ubiquitous technology)
App. mobility
– Liberty Alliance: limited (Identity Provider must be reachable)
– Shibboleth: limited (home domain must be reachable)
What does the service know after authorization?
– Liberty Alliance: detailed authentication and authorization information (SAML)
– Shibboleth: detailed authentication and authorization information (SAML)
What does the user get after authorization?
– Liberty Alliance: a valid session at the service provider
– Shibboleth: a valid session at the service provider
Trust basis
– Liberty Alliance: any service in trust circle
– Shibboleth: home network
DFN Roaming / Eduroam: decentralized AS
• Aim
– Eduroam for roaming in European universities
– Easy access mechanism on WLANs
– Alternative: web-based authentication
– Same credentials everywhere as from home
– 802.1X security technology for inter-institutional roaming
• Authenticate once at home environment
• Dial into remote WLAN on the basis of home authentication
• "Super-RADIUS" coordinates local RADIUS services
DFN Roaming interaction (802.1X-based)
[Figure: parties are the User (over the air interface), the RAS/NAS at the visited site (RAS/NAS = Remote/Network Access Service), the Internet, the DFN top-level RADIUS routing, and the home domain RADIUS server. Steps 4 and 5 run inside an encrypted tunnel between the user and the home RADIUS server. Numbered steps:]
1. Request WLAN access (EAP) with "userid@home"
2. RAS/NAS to DFN top-level routing: "where is your home RADIUS?"
3. Select home RADIUS
4. Authenticate self, build encrypted tunnel
5. "userid@home, password" (through the tunnel)
6. "user is ok", WLAN session key (home RADIUS to RAS/NAS)
7. WLAN session key (RAS/NAS to user)
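The point of the hierarchy is that the visited network and the top-level proxy route on the realm part of "userid@home" and never handle the password; only the home RADIUS server does, and it answers with a yes/no plus key material. The following added example (not DFN or eduroam code) models that in Python: a visited NAS forwards the request, a top-level proxy maps realms to home servers, and the home server checks credentials it alone receives. Realms, users and passwords are constructed; the `tunnel` dictionary stands in for the encrypted inner EAP exchange of step 4, which a real NAS forwards as opaque bytes.

```python
import hmac
import secrets


def split_realm(identity):
    """'userid@home' -> (userid, home). Proxies route on the realm only."""
    if "@" not in identity:
        raise ValueError("identity carries no realm; cannot route")
    user, realm = identity.rsplit("@", 1)
    realm = realm.strip().lower()
    if not realm:
        raise ValueError("empty realm")
    return user, realm


class HomeRadius:
    """Home-domain RADIUS server: the only party that sees the real credentials."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users          # constructed: username -> password

    def authenticate(self, tunnel):
        """Steps 5/6: check 'userid@home, password' received through the tunnel."""
        user, realm = split_realm(tunnel["inner_identity"])
        expected = self.users.get(user)
        if realm != self.realm or expected is None:
            return None
        if not hmac.compare_digest(expected.encode(), tunnel["password"].encode()):
            return None
        # Access-Accept with fresh session key material for this session (step 6).
        return {"accept": True, "session_key": secrets.token_hex(16)}


class TopLevelProxy:
    """DFN top-level RADIUS routing: realm -> home server, no credential handling."""

    def __init__(self):
        self.routes = {}

    def register(self, home):
        self.routes[home.realm] = home

    def route(self, realm):
        """Steps 2/3: exact realm first, then parent domains (cs.uni-x.de -> uni-x.de)."""
        labels = realm.split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.routes:
                return self.routes[candidate]
        return None


class VisitedNas:
    """RAS/NAS at the visited site: forwards the exchange, verifies nothing itself."""

    def __init__(self, proxy):
        self.proxy = proxy
        self.log = []               # everything the visited network learns

    def access_request(self, outer_identity, tunnel):
        """Step 1: EAP request with the outer identity; `tunnel` is forwarded opaquely."""
        try:
            _, realm = split_realm(outer_identity)
        except ValueError as exc:
            return {"accept": False, "reason": str(exc)}
        self.log.append("outer identity %r, realm %r" % (outer_identity, realm))
        home = self.proxy.route(realm)
        if home is None:
            return {"accept": False, "reason": "unknown realm %r" % realm}
        result = home.authenticate(tunnel)
        if result is None:
            return {"accept": False, "reason": "rejected by home RADIUS"}
        # Step 7: hand the session key to the user; the NAS learned only "ok".
        return {"accept": True, "session_key": result["session_key"]}


def build_demo():
    """Constructed hierarchy: one home server registered at the top-level proxy."""
    proxy = TopLevelProxy()
    proxy.register(HomeRadius("uni-koblenz.de", {"alice": "constructed-password"}))
    return VisitedNas(proxy)


if __name__ == "__main__":
    nas = build_demo()
    print(nas.access_request("anonymous@uni-koblenz.de",
                             {"inner_identity": "alice@uni-koblenz.de",
                              "password": "constructed-password"}))
    print(nas.log)
```

The outer identity in the demo is "anonymous@uni-koblenz.de": the visited site only needs the realm to route, so the real user name can stay inside the tunnel. This is also why the service side ends up with a boolean, as the comparison on the next slide states, rather than the attribute detail a SAML assertion carries.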
Comparison: (Liberty Alliance/Shibboleth) vs. DFN-Roaming
Aim
– Liberty A./Shibboleth: SSO (to web-sites)
– DFN-Roaming: remote authentication for network access
Main usage area
– Liberty A./Shibboleth: economy / science, universities
– DFN-Roaming: universities
User mobility
– Liberty A./Shibboleth: not limited (ubiquitous technology)
– DFN-Roaming: limited (host network must support DFN-Roaming, device must support 802.1X)
App. mobility
– Liberty A./Shibboleth: limited (IdP/home domain must be reachable)
– DFN-Roaming: none (rather complex setup within DFN-Roaming hierarchy)
What does the service know after authorization?
– Liberty A./Shibboleth: detailed authentication and authorization information (SAML)
– DFN-Roaming: authorization information (boolean, user is either authorized or not)
What does the user get after authorization?
– Liberty A./Shibboleth: a valid session at the service provider
– DFN-Roaming: WLAN session key
Trust basis
– Liberty A./Shibboleth: home network
– DFN-Roaming: home network
Remotile
• Software to enable a remotely controlled home
• Backend:
– Runs on a server in the house
– Connected to sensors/actuators and ISDN system
– Set of hand-crafted PHP scripts executes commands
• Frontend:
– J2ME, runs on Java-capable mobile phones
– Touch-screen version is also available
• Developed as a ”Diplomarbeit” at the AG Hampe
– Was meant to be functional, not secure
Remotile features
• Backend server is connected to a ”residential gateway”:
– Can receive data from arbitrary sensors (e.g., smoke detector)
– Can send arbitrary commands to actuators (e.g., turn off oven)
• ISDN is remotely usable:
– List of missed calls
– Answering machine
– Call diversion programmable
• Backend/frontend communication is done via HTTP:
– GET/POST supported by practically every network-enabled device
– No SOAP used (overhead!)
– Can pass through most firewalls
• J2ME Frontend
Live demonstration of Remotile...
Review (SM1): Reference model for mobile application security
[Figure: reference model with the elements mobile device (Alice, Bob), air interface, access point, authentication, ICT network, service and application object. The seven numbered areas (1 to 7) of the model are marked in the figure; their positions are not reproduced in the extracted text.]
Concrete examples for failures/attacks in Remotile
1. The connection to the server can be recognized (”user is not at
home”) or even wiretapped
2. The connection can get interrupted (e.g., in a tunnel), leaving the
system in an unclear state
3. Authentication fails because of a software error, legitimate user is
locked out
4. The battery runs out of power, leaving the user unable to control
the system
5. The device gets stolen, the thief can control the system (e.g., turn
the alarm off)
6. User unintentionally misuses the system (e.g., opens the garage
instead of the window shutter)
7. User is talked into lending the phone to a stranger who can then
find out login-credentials for the system
Countermeasures
1. The connection to the server can be recognized/wiretapped
Countermeasure: Encryption, Anonymization (e.g. via JAP)
2. The connection can get interrupted
Countermeasure: None (at least not practical, e.g. user does not move)
3. Authentication fails (false rejection)
Countermeasure: Robust E2E authentication protocol
4. The battery runs out of power
Countermeasure: Fallback access possibility
5. The device gets stolen
Countermeasure: Per-transaction user authentication, possibility to lock accounts (requires fallback access, too)
6. User unintentionally misuses the system
Countermeasure: Easy-to-use interface, protection of sensitive commands
7. Stranger finds out credentials via social engineering
Countermeasure: Increasing user awareness, protected credentials (e.g., by a separate password)
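Countermeasures 4, 5 and 6 interact: per-transaction authentication and account locking protect against a stolen device, confirmation of sensitive commands protects against slips, and the lock must be reversible only through the fallback channel, or a lock-out becomes a new denial of service. The following added example (not Remotile's PHP backend, which the lecture does not show) sketches a command gateway in Python that enforces these rules. The command names, the classification of which commands are sensitive, the PIN and the actuator stubs are all constructed; `unlock_from_fallback` stands for whatever out-of-band channel the deployment provides.

```python
import hashlib
import hmac
import os

SENSITIVE_COMMANDS = {"alarm_off", "garage_open", "door_unlock"}  # constructed classification
MAX_FAILED_PINS = 3      # countermeasure 5: lock after repeated failures
SESSION_TTL_S = 900      # ordinary commands: a session older than this needs a new login


def _pin_hash(pin, salt):
    """Salted PBKDF2 so the backend never stores the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


class CommandGateway:
    def __init__(self, pin, actuators):
        self.salt = os.urandom(16)
        self.pin_hash = _pin_hash(pin, self.salt)
        self.actuators = actuators          # command name -> callable (constructed stubs)
        self.failed_pins = 0
        self.locked = False
        self.session_started = None

    def login(self, pin, now):
        """Open (or refresh) a session; every wrong PIN counts toward the lock."""
        if self.locked:
            return False
        if hmac.compare_digest(_pin_hash(pin, self.salt), self.pin_hash):
            self.failed_pins = 0
            self.session_started = now
            return True
        self.failed_pins += 1
        if self.failed_pins >= MAX_FAILED_PINS:
            self.locked = True              # countermeasure 5: lock the account
        return False

    def execute(self, command, now, pin=None, confirm=False):
        """Run a command. Sensitive commands need an explicit confirmation
        (countermeasure 6) and a fresh PIN for this transaction (countermeasure 5)."""
        if self.locked:
            return "locked: use fallback access"
        actuator = self.actuators.get(command)
        if actuator is None:
            return "unknown command"
        if self.session_started is None or now - self.session_started > SESSION_TTL_S:
            return "denied: no valid session"
        if command in SENSITIVE_COMMANDS:
            if not confirm:
                return "denied: confirmation required"
            if pin is None or not self.login(pin, now):
                if self.locked:
                    return "locked: use fallback access"
                return "denied: fresh authentication required"
        return actuator()

    def unlock_from_fallback(self):
        """Countermeasure 4/5: the fallback channel (e.g. a local reset in the house)
        is the only way to clear a lock; the mobile channel alone cannot."""
        self.locked = False
        self.failed_pins = 0
        self.session_started = None


def build_demo():
    """Constructed gateway with stub actuators that only report what they would do."""
    return CommandGateway("1234", {
        "light_on": lambda: "light on",
        "alarm_off": lambda: "alarm off",
        "garage_open": lambda: "garage open",
    })


if __name__ == "__main__":
    gw = build_demo()
    print(gw.login("1234", now=0))
    print(gw.execute("light_on", now=10))
    print(gw.execute("alarm_off", now=20, confirm=True))
    print(gw.execute("alarm_off", now=20, pin="1234", confirm=True))
```

Note that a stolen, already logged-in phone still cannot switch the alarm off without the PIN, while the harmless light switch keeps working from the existing session; that is the trade-off between countermeasure 5 and the "easy-to-use interface" half of countermeasure 6.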
Alternative to Remotile: ”Hydra“
• Large-scale, 48-month project, funded by the EU
• Finished by the end of 2009
• ”Middleware for networked embedded system“
• Meant for heterogeneous devices
• Communication is done via services in a SOA
• Middleware now available for applications
– http://hydramiddleware.eu.com
Hydra features
• SOA-based middleware:
– Abstracts from single devices of multiple vendors
– Creates a unified interface
– Reduces the need for hand-crafted sensor-/actuator communication
• (Broad) focus on ”ambient intelligence“ (~ ”ubiquitous computing“):
– Shall connect (embedded) devices everywhere
– Scenarios in healthcare (patient-monitoring) and agriculture (livestock-monitoring) are explicitly formulated and supported
– Multi-purpose in contrast to Remotile
• Security was a design goal from the beginning
Summary: What we've learnt
• The Single-Sign-On problem
• ”Windows Live ID” alternatives:
– Liberty Alliance
– Shibboleth
• Decentralization of authentication decision and attestation with DFN Roaming (WLAN)
• Remote management of physical facilities
References
Shibboleth, MS Passport, Liberty Alliance, Single Sign-on:
A. Pashalidis, C. J. Mitchell, A Taxonomy of Single Sign-On Systems, 2003
Liberty Alliance Project Specifications, http://www.projectliberty.org/resource_center/specifications [6.6.2011]
Technical Information On Bluewin Identity Provider, http://www.projectliberty.org/liberty/content/download/378/2693/file/IdP_Public_TechWhitePaper_Englishv2.3.pdf [6.6.2011]
Website of Shibboleth: http://shibboleth.internet2.edu/ [6.6.2011]
Detailed technical explanation of Shibboleth: http://www.switch.ch/aai/demo/expert.html [6.6.2011]
DFN Roaming / Eduroam:
Home page of DFN: http://www.dfn.de/dienstleistungen/dfnaai/ [6.6.2011]
Ralf Paffrath, DFN Roaming, DFN Mitteilungen 74/2008, pp. 12-14
Remotile, Hydra:
Remotile: http://www.uni-koblenz-landau.de/koblenz/fb4/institute/iwvi/aghampe/projekte/remotile [6.6.2011]
Andreas Rosendahl, Mobile Gebäudesteuerung und ISDN-Konfiguration, Diplomarbeit, Universität Koblenz-Landau, Fachbereich 4: Informatik, 2005.
Adolphs, C.; Hampe, F.: Interaktive Überwachung – mobile Steuerung. In: König-Ries, Lehner, Malaka, Türker: Mobilität und mobile Informationssysteme. LNI P-104, 2007, pp. 61-72.
Hydra: http://hydramiddleware.eu.com/ (includes 15 scientific papers) [6.6.2011]
Questions to check your knowledge
• What is Single-Sign-On good for? State the problem and sketch solutions.
• How does Liberty Alliance support Single-Sign-On?
• How does Shibboleth help Web services to gain attestation of a user who is not member of the home environment of the services?
• How does DFN Roaming help WLANs to gain attestation of a user who is not member of the home environment of the WLAN?
• Name possible dangers and the respective countermeasures in Remotile that correspond to each of the seven areas in the reference model.
Test questions
• What is "Single-Sign-On" for? Sketch the problem and solutions.
• How does Liberty Alliance support Single-Sign-On? Use a sketch if helpful.
• How does "Shibboleth" help Web services to obtain verified authorizations of external users? Use a sketch if helpful.
• How does "DFN Roaming" help WLANs to obtain verified authorizations of external users? Use a sketch if helpful.
• For each of the seven areas in the reference model, name corresponding dangers that can occur in Remotile, as well as possible countermeasures.