Your friend, Bluestem

What is Bluestem?

“Bluestem is a software system which enables one or more high-security SSL HTTP servers in a domain (entrusted with handling user passwords) to provide reliable client identification for applications running on other authorized SSL HTTP servers within the domain. Bluestem provides client identification only. Decisions about whether an identified client is authorized to access a given application or resource are the responsibility of the applications.”

History

- Bluestem was written in 1996 by CCSO (now CITES).
- Began with the sole goal of providing secure access to Kerberos authentication for HTTP servers on the Urbana campus.

History

- The Kerberos-specific code was very small; the Bluestem idea extends to any number of authentication methods (TACACS, NTLM, system password files, etc.).
- Bluestem did not have to be limited to a single domain. Part of the system allows you to use a single ID across domains (uic.edu, uis.edu, uiuc.edu).

What is a Bluestem ID?

When you type your id:
You are really typing:

Bluestem Components

Clients
- You are a client.

Application Servers
- Authorized (SSL-enabled) servers.
- Provide a service that requires authentication (like the CITES webstore).

ID Servers*
- High-security servers.
- Actually perform authentication of clients.
- Communicate successful authentication to application servers.

*(ego and superego servers not implemented)

How everything works…

1. Client requests a page from a Bluestem-enabled site.
2. Application server checks for the client’s Bluestem cookie, and sets it when it doesn’t exist.
3. Application server redirects the client to an ID server.
4. ID server asks for netid/password, sends the authentication information to the application server, and then redirects the client back to the original page.

How everything works (without pictures)

Application Server Master Key
- 256-bit secret.
- Used to sign messages between the application server and the ID server.
- Can be created as often as you like / lasts as long as you like.

ClientRandom
- 64-bit secret.
- Created by the application server for each new session.
- Protects against impostor attacks (client to application server).

How everything works (without pictures)

Setting the cookie:
- Generate a unique CacheID and a 64-bit ClientRandom secret.
- Omit the expires keyword so that the cookie remains in memory.
- Omit the domain keyword, so the client will provide the cookie only to the application server that created it.
- Include the secure keyword, so the cookie will not be provided to a non-SSL HTTP server.
- Save the client's IP address and ClientRandom secret in the application server cache, indexed by CacheID.

How everything works (without pictures)

ID server side:
- Authenticate the user.
- For optional ‘prior authentication’, store the client's ID, IP address, and ClientRandom secret in a special persistent cache directory.
- Pass the following to the application server via an SSL-protected, digitally signed XML-RPC request:
  - CacheID
  - Bluestem ID
  - client IP address (for logging purposes, not authentication)
  - current ID server cluster configuration (icluster.conf)

How everything works (without pictures)

The application server then:
- Verifies the XML-RPC request digital signature and content.
- Inserts the Bluestem ID in the appropriate cache file.
- Updates its copy of the ID server cluster configuration file if it has changed.
- Verifies the redirected client based on the ClientRandom stored in its cache.
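The cookie-setting, signed ID-server request, and ClientRandom check from the slides above, simulated end to end as an added Python example (not Bluestem's own code). Assumptions: HMAC-SHA256 over a JSON payload stands in for the digitally signed XML-RPC request, the cookie value is assumed to carry both CacheID and ClientRandom, and the `netid@domain` form of the Bluestem ID is a constructed placeholder.

```python
import hashlib
import hmac
import json
import secrets
# Constructed simulation of the Bluestem exchange; HMAC-SHA256 over JSON stands in
# for the signed XML-RPC request and "netid@domain" is a placeholder Bluestem ID.
def sign(master_key, payload):
    return hmac.new(master_key, payload.encode(), hashlib.sha256).digest()

class AppServer:
    def __init__(self, master_key):
        self.master_key = master_key   # 256-bit secret shared with the ID server
        self.cache = {}                # CacheID -> {"ip", "rand", "bsid"}

    def set_cookie(self, client_ip):
        cache_id = secrets.token_hex(16)
        client_random = secrets.token_bytes(8)   # 64-bit per-session secret
        self.cache[cache_id] = {"ip": client_ip, "rand": client_random, "bsid": None}
        value = f"{cache_id}.{client_random.hex()}"
        # No Expires (stays in memory), no Domain (host-only), Secure (SSL servers only).
        return value, f"Set-Cookie: bluestem={value}; Secure; Path=/"

    def receive_id_request(self, payload, signature):
        # Verify the signature before trusting any of the content.
        if not hmac.compare_digest(sign(self.master_key, payload), signature):
            raise ValueError("signature check failed")
        msg = json.loads(payload)
        entry = self.cache[msg["cache_id"]]   # KeyError if the CacheID is unknown
        entry["bsid"] = msg["bluestem_id"]    # insert the Bluestem ID into the cache entry
        return entry["bsid"]

    def identify(self, cookie_value):
        # Verify the redirected client against the ClientRandom saved at cookie time.
        cache_id, _, rand_hex = cookie_value.partition(".")
        entry = self.cache.get(cache_id)
        if entry is None or not hmac.compare_digest(entry["rand"], bytes.fromhex(rand_hex)):
            return None
        return entry["bsid"]

class IDServer:
    def __init__(self, master_key, passwords, domain):
        self.master_key, self.passwords, self.domain = master_key, passwords, domain
    def authenticate(self, netid, password, cache_id, client_ip):
        if not hmac.compare_digest(self.passwords.get(netid, ""), password):
            return None
        msg = {"cache_id": cache_id, "bluestem_id": f"{netid}@{self.domain}",
               "client_ip": client_ip}   # IP is passed for logging only
        payload = json.dumps(msg, sort_keys=True)
        return payload, sign(self.master_key, payload)
```

Note that a stolen cookie from another host does not help an attacker here only because the Secure flag and host-only scoping keep it from leaking; once the ClientRandom is known, the application server has no further check.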

Security Concerns

Dumb clients…
- Spoofed pages

Attacking ID servers
- ID servers are housed in a locked, limited-access, 24-hour-attended machine room.
- Signons on the servers are limited to a small number of trusted long-time employees on a need-to-have basis, and logins are permitted from only a small set of trusted hosts.
- ASAP policy for security patches.
- TCP wrappers and real-time off-machine replication of system logs.

Breaking SSL
- “If a finesse attack on SSL turns up, chances are it'll be somewhere else, not here. And you'll learn about it in the New York Times, not your system logs.”

ClientRandom provides the only security mechanism to app servers.

XSS flaws (some detected and fixed in Sept. 2004/2005)

Demo Time?