The Raven Web Authentication Service Jon Warbrick University of Cambridge Computing Service
What is it? ● Some software – grandly entitled 'The University of Cambridge Web Authentication System' (ucam-webauth) ● A centrally-managed authentication server – the real 'Raven' ● What does it give you? – an authenticated identity for a web browser user ● Why authentication, why ANOTHER system?
Why do we need authentication? ● Much of the time we don't and shouldn't – the web succeeded because it was free ● But sometimes we do – to control access – so we know who we are talking to – to provide customisation, user privacy, etc. ● AAA - Access control, Authentication, Authorization
IP address-based and DNS name-based ● Only does access control ● Too lax – just who has access to a.cam.ac.uk host? – open proxies ● Too restrictive – working at home, in another department, etc. ● But in practice it's all we've got... –... at the moment
Public/private keys and PKI ● Client keys/certificates supported in https: ● But https: can be overkill ● Transporting keys is tricky: – Please memorise your new 1024-bit private key: – [base64-encoded RSA private key shown on the slide]
So that leaves us with passwords ● Passwords are well known but little understood ● Users accumulate user-name/password pairs – which they can't remember – so they use the same ones in lots of different places ● Administrators have to create, issue, re-issue and revoke accounts
Passwords (cont) ● HTTP 'Basic authentication' ● Form-based authentication – send unencrypted passwords in clear – this can be resolved with https: – but we've already said https: can be overkill ● HTTP 'Digest authentication' resolves many problems, but has others of its own
A central password server? ● Web server asks user for user-name/password ● Web server sends user-name/password for validation to central server ● If validation succeeds, the web server gives the user the resource they want ●... and can now impersonate the user on every other web server in the system
... and so to Raven ● It's a... –... centrally managed... –... password based... –... authentication service for web applications... –... that doesn't give away users' passwords ● Relies on features of HTTP and common browsers, hence limited to web contexts
How does it work?
Start with a web browser: Browser [br]; the other participants are the Web Server [ws] and the Auth Server [as]
1. User requests a URL: br → ws : URL
2. Web server redirects to auth service: ws → br : redirect(authURL+request(URL))
3. Browser contacts auth service: br → as : authURL+request(URL)
4. Auth service and user interact (the user enters user-id and password at the auth server)
5. Auth service redirects to URL+response: as → br : set_cookie(id), redirect(URL+response(id))
6. Browser requests URL+response: br → ws : URL+response(id)
7. Web server redirects to original URL: ws → br : set_cookie(id), redirect(URL)
8. Browser requests URL (again): br → ws : URL, cookie(id)
and then... ● Subsequent requests to WS authenticated by the local cookie, until it expires ● Subsequent visits to AS can be partially or completely satisfied by the AS cookie until it expires ● The best way to logout is to quit the browser
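The redirect exchange and the two cookies described above, as an added Python model (not the ucam-webauth code or its real message format): the browser, web server (WS) and auth server (AS) are plain functions, the password is checked only by the AS, and both the AS's response(id) and the WS's own cookie(id) are expiring tokens whose validity the receiver checks. Assumptions: an HMAC under a key shared by AS and WS stands in for the real service's signature on the response; the key values, URLs and the jw35 credential are constructed, and the cookie key reuses the AACookieKey value from the Apache slide.

```python
import hmac, hashlib
from urllib.parse import urlencode, parse_qs, urlsplit

AS_KEY = b"as-signing-key"                    # constructed; shared AS/WS key standing in for the AS signature key
WS_COOKIE_KEY = b"afef845ce49666ab04b36976a"  # the AACookieKey value from the Apache slide
AUTH_URL = "https://auth.example/wls"         # placeholder for authURL
USERS = {"jw35": "correct horse"}             # constructed password store, held only by the AS

def _mac(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
def make_token(key, principal, expires):
    body = f"{principal}!{expires}"           # id token: principal, expiry, MAC over both
    return f"{body}!{_mac(key, body)}"
def check_token(key, token, now):
    """Principal if the token is unmodified and unexpired, otherwise None."""
    p = token.split("!") if token else []
    if len(p) != 3 or not hmac.compare_digest(p[2], _mac(key, f"{p[0]}!{p[1]}")):
        return None
    return p[0] if now < int(p[1]) else None

def ws_request(url, cookie, now):
    """Steps 1-2 and 8: serve the page on a valid local cookie, else redirect to the AS."""
    principal = check_token(WS_COOKIE_KEY, cookie, now)
    if principal:
        return ("page", principal)
    return ("redirect", f"{AUTH_URL}?{urlencode({'request': url})}")

def as_login(auth_url, userid, password, now):
    """Steps 3-5: only the AS sees the password; on success redirect back with response(id)."""
    if USERS.get(userid) != password:
        return ("denied", None)
    target = parse_qs(urlsplit(auth_url).query)["request"][0]
    response = make_token(AS_KEY, userid, now + 3600)    # the AS cookie carries the same id
    return ("redirect", f"{target}?{urlencode({'response': response})}")

def ws_response(url, now):
    """Steps 6-7: verify response(id), then issue the WS's own short-lived cookie(id)."""
    response = parse_qs(urlsplit(url).query).get("response", [""])[0]
    principal = check_token(AS_KEY, response, now)
    if not principal:
        return ("denied", None)
    return ("set_cookie", make_token(WS_COOKIE_KEY, principal, now + 600))

def run_flow(userid, password, now=1_000_000, url="https://www.example/secret"):
    """Drive the browser through steps 1-8; return the principal WS serves, or None."""
    _, auth_url = ws_request(url, None, now)
    kind, back = as_login(auth_url, userid, password, now)
    if kind != "redirect":
        return None
    kind, cookie = ws_response(back, now)
    return ws_request(url, cookie, now)[1] if kind == "set_cookie" else None
```

Once the local cookie expires, ws_request falls back to the redirect, which is the "until it expires" behaviour of the slide; a cookie whose principal has been altered fails the MAC check and is treated the same way.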
So what does all this look like?
Enter user-id and password and click 'Submit' to get:
Timeout: return to our first document later:
Click 'Continue' to get:
Click 'Continue' and get:
Click 'Cancel' anywhere and get:
Choose 'override login options':
... and get
What doesn't it do? ● Authorization ● People without CRSids ● POST requests (properly, yet) ● Central logout ● Anything that isn't web-based ● Security
How do you use it? ● Protocol specification ● Pseudo-code Application Agent ●... but that's the hard way
Apache ● mod_ucam_webauth (for Apache 1.3 and 2) ● Example configuration:
LoadModule ucam_webauth_module \
    modules/mod_ucam_webauth.so
# Key protecting the module's local session cookie
AACookieKey afef845ce49666ab04b36976a
# .cam.ac.uk hosts get in by address; everyone else must log in via Raven (Satisfy any)
Order allow,deny
Allow from .cam.ac.uk
AuthType WebAuth
Require valid-user
Satisfy any
AADescription 'Cam-only area'
Apache (cont) ● Also supports – Require user jw35, rjd4 – Require group cs-staff – Satisfy any ● Sets REMOTE_USER environment variable (just like basic auth) and others ● Should be able to use group files, DBM files, databases,...
Perl CGI script ●
#!/usr/bin/perl -w
use Ucam::WebAuth::CGIAA;

# cookie_key protects the local session cookie (cf. AACookieKey in Apache)
my $aa = Ucam::WebAuth::CGIAA->new(cookie_key => 'eb78ba43b0222f28498');

# authenticate returns a completion flag and any headers (redirects,
# Set-Cookie) that must be sent to the browser before continuing
my ($complete, $headers) = $aa->authenticate;
print $headers if $headers;
exit unless $complete;

my $userid;
$userid = $aa->principal if $aa->success;
... and more ● A beta release of a PHP module – needs work – any volunteers? ● A JAAS implementation for Java servlet containers (e.g. Tomcat) by CARET ● A Ruby implementation by Thomas Counsell of Clare College ● Anyone for IIS?
The project plan ● Now – Available on request for testing and pilot deployments ● Late June (perhaps July...) – Passwords available to everyone – Available to all cam.ac.uk web servers ● 1 September 2004 – Supported service
Where do you go from here? ● Pilots ● Deployment from June ● Consider expanding 'ucam-only' access
If you have been, thanks for listening I expect you have some questions