MASARYKOVA UNIVERZITA FAKULTA}w¡¢£¤¥¦§¨ INFORMATIKY !"#$%&'()+,-./012345<yA| Realization of the system for access management and identity federation with use of service mojeID and the product DirX Access. DIPLOMA THESIS Jakub Šebök Brno, Autumn 2014 Declaration Hereby I declare, that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Jakub Šebök Advisor: RNDr. JUDr. Vladimír Šmíd, CSc. ii Acknowledgement I would like to thank firstly to my technical consultant Filip Höfer for his guidance. Secondly I thank to Mr. Šmíd for his advice about methodology and formal formatting of the thesis. And lastly I would like to thank all who survived by my side and cheered me up espe- cially during last months before the deadline. These are namely my mom, my girlfriend, Anton Gierlti, Matej Chrenko, Buddha and Bill Cosby. Thank you all again for enormous support. iii Abstract The aim of this thesis is implementation of a client program on the side of DirX Access which cooperates with the Czech identity provider mojeID. This cooperation consists of authenticating users by third party authority such that their credentials can be used for further processing in access management mechanism of DirX Access. iv Keywords security, SSO, OpenID, policies, RBAC, identity, mojeID, access man- agement, authentication, authorization v Contents 1 Introduction ............................3 2 Internet Security and Terminology ..............5 2.1 Identity ............................5 2.2 Identity Provider and Relying Party ...........6 2.3 Claims vs. Credentials ...................7 2.4 Identity and Access Management .............7 2.4.1 Discretionary Access Control (DAC).......8 2.4.2 Attribute-Based Access Control (ABAC).....8 2.4.3 Role-Based Access Control (RBAC)........8 2.5 Policies ............................ 10 2.6 Authentication Patterns .................. 13 2.6.1 Single Sign-on (SSO)................ 14 2.6.2 One Time Password (OTP) Authentication... 14 2.7 OpenID 2.0 Protocol .................... 14 2.8 Federation and Federation Endpoint (FEP) ....... 15 3 Systems .............................. 17 3.1 mojeID ............................ 17 3.1.1 OpenID Mechanism................ 18 3.1.2 Yadis......................... 19 3.2 DirX Access ......................... 20 3.2.1 Principle of Working................ 22 3.2.2 Cooperation with Third Parties.......... 24 3.3 Concept of Cooperation .................. 24 4 Integration ............................. 26 4.1 Technologies ......................... 26 4.2 Model ............................. 27 4.3 Questions .......................... 29 4.3.1 Question 2...................... 29 4.3.2 Question 3...................... 29 4.3.3 Question 4...................... 30 4.4 Project Scope ......................... 30 4.4.1 The Client...................... 32 4.4.2 Initial Request Handling.............. 32 4.4.3 Callback Request Handling............ 33 4.4.4 Error Handling................... 34 1 4.4.5 Contexts....................... 35 4.4.6 User Profile..................... 35 4.4.7 Web Application.................. 35 5 Conclusion ............................. 37 5.1 Further Steps ......................... 37 A Program Testing Manual .................... 41 A.1 Deploying Application ................... 41 A.2 Running Application Without Deployment ....... 41 2 1 Introduction Security is a word that shapes today’s image of IT sphere. It is sim- ply because information is the gold of the new era and has some- times higher price than anything materialistic. Protection thus be- came the main issue discussed and considered while designing any new piece of software. Many ways of protecting information were created throughout the years of existence of network communica- tion. They differ from example to another but lot of them follow same principles of Internet communication. Basic principles of security can be derived from the methods used long ago computers. Information delicacy was also concern when messages were sent between emperors or others whose secret was not supposed to be revealed. One can imagine those security mea- sures from the real life experience. Key locks, city walls and gates, guards and many many more were used as forms of keeping unpriv- ileged people away from protected content. So if we look at the prin- ciple behind this methods we will see there is always person trying to pass through the guarding system to the protected resource. In order to achieve this they need at first to prove who they are by possession of the key or by persuading guards, what we call an authentication process. Secondly, as a result of successful authentication, they are granted access to the protected content e.g. entrance to the inner city or to the locked chamber, what we call an authorization. Authentication and authorization are two areas that covers func- tionality of the basic security measures also today. The question of authentication in computer society is handled with respect to the ma- chines and humans acting in message exchange processes. Each com- puting unit has its own production number and MAC address by which it can be recognized among other machines as well as among other Internet-connected appliances. Authorization in the other way is focused on people with an aim to assign privileges to someone rather than to something. If we go back to our example we would be talking about giving permission to person having the key rather than giving them to that particular key. However in reality, anybody having the key can hypothetically open matching key lock, but this is not intended way to think about this example because we also do 3 1. INTRODUCTION not give the key from our house to any stranger. The subject of this thesis stands on mentioned security basics and aims to increase authentication side of product DirX Access with the help of service mojeID enhancing this very area of Internet security. In chapter two we will discuss terminology and describe in details mechanism of relevant security protocols. In chapter three we take a look at both systems that are intended to cooperate. That will emerge in chapter four describing how the integration was done. And finally in chapter five we will come to the conclusion found out from the results of previous chapter. 4 2 Internet Security and Terminology Internet grew over the last four decades and so the amount of web services working at this layer. Almost each service desires to know by whom it is used and terms such as identity, identity provider or service provider became a part of our everyday life. Even if we do not say them or write them. We spoke earlier about distinguishing humans and machines when it comes to authentication. Word iden- tity is in this context vague and can represent both. For cases like this we should specify the frame in which we will lead our words to be clear and understandable. We will start with an elementary defini- tions and follow with more complex ones. 2.1 Identity Specification of a word as such is never easy and that is valid not only for linguists. When word occurs in different contexts it may gain distinct meanings and it is often upon the people who adopt this word to provide an exact characteristics of it so it can be prop- erly set into the context. There have been debates about the content of the identity and how it should be described in technological sense. According to Rannenberg[1] the word identity cannot be conceptual- ized and put into the boxes. Online community refined identity as a set of attributes deterministic for recognition of any subject described by them. Moreover he does not talk strictly about identity. He claims that identity derived from human’s profile and refers to so called "profiling" process defined by M. Hildebrandt: "Profiling is the process of ’discovering’ patterns in data in databases that can be used to identify or represent a human or nonhuman subject (in- dividual or group) and/or the application of profiles (set of correlated data) to individuate and represent an individual subject or to identify a subject as a member of a group (which can be an existing community or a ’discovered’ category)."[2] To sum it up, we will perceive identity in an IT context as a de- terministic set of attributes defining an online entity substituting real person, group, organization or unit having sense to exist by itself. 5 2. INTERNET SECURITY AND TERMINOLOGY 2.2 Identity Provider and Relying Party Identity on Internet serves people as a virtual representation of them- selves. Users can use their identity tokens to identify (authenticate) themselves for services. In the past, common practice for identity providing used by services was to have their own databases con- taining personal information about previously registered users. As a result, users had as many identities as services that they used. This did not only lead to redundancy of information piling up but also to the increased number of credentials necessary for claiming one’s identity. Problems with forgetting user names and passwords became more and more common and IT society needed to think about the solution to this problem. As presumed a solution finding tendency headed to- wards reducing redundancy by centralizing identities on one place. Identity provider is an authority storing identities of others with a right to claim who they are on their behalf[3]. Plenty of identity providers now exist across the internet who gather data about users and give them an easy reusable tool for their governance. Some of them developed from social networks or great companies which already had a bunch of identities stored in their databases and wanted to provide option for their users to use already filled-in credentials to be verified in their brother systems or on other places (e.g. Google and Facebook). Another part was founded just with a business plan targeted on identity providing as an enhanced remote security measure.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages48 Page
-
File Size-