The Raven Web Authentication Service
Jon Warbrick University of Cambridge Computing Service
What is it?
● Some software, grandly entitled 'The University of Cambridge Web Authentication System' (ucam-webauth)
● A centrally-managed authentication server, the real 'Raven'
● What does it give you?
– an authenticated identity for a web browser user
● Why authentication, why ANOTHER system?
Why do we need authentication?
● Much of the time we don't and shouldn't
– the web succeeded because it was free
● But sometimes we do
– to control access
– so we know who we are talking to
– to provide customisation, user privacy, etc.
● AAA - Access control, Authentication, Authorization
IP address-based and DNS name-based
● Only does access control
● Too lax
– just who has access to a .cam.ac.uk host?
– open proxies
● Too restrictive
– working at home, in another department, etc.
● But in practice it's all we've got...
– ... at the moment
Public/private keys and PKI
● Client keys/certificates supported in https:
● But https: can be overkill
● Transporting keys is tricky:
– Please memorise your new 1024-bit private key:
– MIICXQIBAAKBgQDf+LNk7CvEBGM5EgJBhhN7sh0yDZdOqVBlmfL5xHJvn3feRGSy
So that leaves us with passwords
● Passwords are well known but little understood
● Users accumulate user-name/password pairs
– which they can't remember
– so they use the same ones in lots of different places
● Administrators have to create, issue, re-issue and revoke accounts
Passwords (cont)
● HTTP 'Basic authentication'
● Form-based authentication
– send unencrypted passwords in clear
– this can be resolved with https:
– but we've already said https: can be overkill
● HTTP 'Digest authentication' resolves many problems, but has others of its own
A central password server?
● Web server asks user for user-name/password
● Web server sends user-name/password for validation to central server
● If validation succeeds, the web server gives the user the resource they want
● ... and can now impersonate the user on every other web server in the system
... and so to Raven
● It's a ...
– ... centrally managed ...
– ... password based ...
– ... authentication service for web applications ...
– ... that doesn't give away users' passwords
● Relies on features of HTTP and common browsers, hence limited to web contexts
How does it work?
Start with a web browser (br), a web server (ws) and the auth server (as); the step numbers are those of the sequence diagram, and each message is shown as sender → receiver : content.
● 1. User requests a URL
– br → ws : URL
● 2. Web server redirects to auth service
– ws → br : redirect(authURL+request(URL))
● 3. Browser contacts auth service
– br → as : authURL+request(URL)
● 4, 5. Auth service and user interact
● 6. Auth service redirects to URL+response
– as → br : set_cookie(id), redirect(URL+response(id))
● 7. Browser requests URL+response
– br → ws : URL+response(id)
● 8. Web server redirects to original URL
– ws → br : set_cookie(id), redirect(URL)
● 9. Browser requests URL (again)
– br → ws : URL, cookie(id)
and then...
● Subsequent requests to WS authenticated by the local cookie, until it expires
● Subsequent visits to AS can be partially or completely satisfied by the AS cookie until it expires
● The best way to logout is to quit the browser
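The redirect flow above as an added model, not part of the slides or of the ucam-webauth code: the message formats, the shared HMAC key, the auth URL and the test account are all invented for the model (the real waa2wls protocol has its own formats and uses a signature from the auth server), and the protected URL is assumed to carry no query string. What it shows is the property the talk is after: the web server handles only response(id) and then its own cookie, never the password, and a forged response is rejected.

```python
import hmac, hashlib, secrets
from urllib.parse import urlencode, urlparse, parse_qs
KEY = b"constructed-demo-key"         # assumed secret shared by ws and as (the real service uses signatures)
USERS = {"test01": "constructed-pw"}   # constructed test account; the real as checks Raven passwords

def sign(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

class AuthServer:
    """Models 'as' (steps 3-6): checks the password, then redirects back with response(id)."""
    def __init__(self, users, key):
        self.users, self.key, self.cookies = users, key, {}
    def login(self, url, userid, password):
        if self.users.get(userid) != password:
            return None, None                           # wrong password, or the user clicks Cancel
        sid = secrets.token_hex(8); self.cookies[sid] = userid   # set_cookie(id) on the as domain
        resp = userid + ":" + sign(self.key, userid + "|" + url)
        return sid, url + "?" + urlencode({"response": resp})    # redirect(URL+response(id))

class WebServer:
    """Models 'ws': never sees the password, only response(id) and then its own cookie."""
    def __init__(self, key, auth_url):
        self.key, self.auth_url, self.sessions = key, auth_url, {}
    def request(self, url, cookie=None):
        if cookie in self.sessions:                                     # step 9: local cookie
            return "200", self.sessions[cookie]
        base, q = url.split("?", 1)[0], parse_qs(urlparse(url).query)
        if "response" not in q:                                         # step 2: send to auth service
            return "302", self.auth_url + "?" + urlencode({"url": url})
        userid, sig = q["response"][0].split(":", 1)                    # step 7: URL+response(id)
        if not hmac.compare_digest(sig, sign(self.key, userid + "|" + base)):
            return "403", None                                          # forged or altered response
        sid = secrets.token_hex(8); self.sessions[sid] = userid
        return "302", (sid, base)                        # step 8: set_cookie(id), redirect(URL)

def browse(ws, auth, url, userid, password):
    """Plays the browser: follows every redirect and returns (status, body, hops visited)."""
    status, body = ws.request(url)                                      # step 1
    hops = [("ws", status)]
    if status == "302":
        target = parse_qs(urlparse(body).query)["url"][0]               # step 3: request(URL)
        as_cookie, back = auth.login(target, userid, password)          # steps 4-6
        hops.append(("as", "302" if back else "cancel"))
        if back is None: return "cancel", None, hops
        status, body = ws.request(back)                                 # step 7
        hops.append(("ws", status))
        if status == "302":                                             # step 8 gave (cookie, URL)
            status, body = ws.request(body[1], cookie=body[0])          # step 9: URL, cookie(id)
            hops.append(("ws", status))
    return status, body, hops
```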
So what does all this look like?
Request http://mnementh.csi.cam.ac.uk/raven-test/new-open/document1.html
Enter user-id and password and click 'Submit' to get:
Request http://mnementh.csi.cam.ac.uk/raven-test/new-open/document2.html
Request http://raven.cam.ac.uk/project/testfiles/document1.html
Enter user-id and password and click 'Submit' to get:
Timeout: return to our first document later:
Click 'Continue' to get:
Request http://mnementh.csi.cam.ac.uk/raven-test/private/document1.html
Click 'Continue' and get:
Click 'Cancel' anywhere and get:
Choose 'override login options':
... and get
Account management:
What doesn't it do?
● Authorization
● People without CRSids
● POST requests (properly, yet)
● Central logout
● Anything that isn't web-based
● Security
How do you use it?
● Protocol specification http://raven.cam.ac.uk/project/waa2wls-protocol.txt
● Pseudo-code Application Agent http://raven.cam.ac.uk/project/algorithm.txt
● ... but that's the hard way
Apache
● mod_ucam_webauth (for Apache 1.3 and 2)
● Configuration:
    LoadModule ucam_webauth_module \
        modules/mod_ucam_webauth.so
    AACookieKey afef845ce49666ab04b36976a
    <Directory "/cam-only">
        Order allow,deny
        Allow from .cam.ac.uk
        AuthType WebAuth
        Require valid-user
        Satisfy any
        AADescription 'Cam-only area'
    </Directory>
Apache (cont)
● Also supports
– Require user jw35, rjd4
– Require group cs-staff
– Satisfy any
● Sets REMOTE_USER environment variable (just like basic auth) and others
● Should be able to use group files, DBM files, databases, ...
Perl CGI script
● #!/usr/bin/perl -w
    use strict;
    use Ucam::WebAuth::CGIAA;
    # the cookie key protects the session cookie this script sets
    my $aa = Ucam::WebAuth::CGIAA->new (cookie_key=>'eb78ba43b0222f28498');
    # authenticate returns any redirect/cookie headers to send; until the
    # exchange with the auth server is complete there is nothing else to do
    my ($complete, $headers) = $aa->authenticate;
    print $headers if $headers;
    exit unless $complete;
    my $userid;
    $userid = $aa->principal if $aa->success;
... and more
● A beta release of a PHP module – needs work – any volunteers?
● A JAAS implementation for Java servlet containers (e.g. Tomcat) by CARET
● A Ruby implementation by Thomas Counsell of Clare College
● Anyone for IIS ?
The project plan
● Now
– Available on request for testing and pilot deployments
● Late June (perhaps July...)
– Passwords available to everyone
– Available to all cam.ac.uk web servers
● 1 September 2004
– Supported service
Where do you go from here?
● Pilots
● Deployment from June
● Consider expanding 'ucam-only' access
● http://www.cam.ac.uk/cs/raven/
● [email protected]
If you have been, thanks for listening
I expect you have some questions