CS 497 Project: Auth-SL - A System for the Specification and Enforcement of Quality-based Authentication Policies

Alexei Czeskis
Department of Computer Science, Purdue University
[email protected]
Abstract

Many application environments require different authentication strengths depending on the resources that subjects need to access. To date, no high-level policy language exists that allows one to state such authentication requirements. Our research developed such a language and a reference architecture supporting the management of authentication policies expressed in this language and their enforcement. The proposed language directly supports multi-factor authentication and supports the high-level specification of authentication factors, in terms of conditions against the features of the various authentication mechanisms and modules. In addition, the language supports a rich set of constraints; by using these constraints, one can specify, for example, that a subject must be authenticated by two credentials issued by different authorities. We have submitted the results of our research in a paper titled "Auth-SL - A System for the Specification and Enforcement of Quality-based Authentication Policies" to the IEEE Symposium on Security and Privacy. The paper reports a logical definition of the language and its corresponding XML encoding. In addition, the paper reports an implementation of the proposed authentication system in the context of the FreeBSD Unix operating system. Critical issues in the implementation are also discussed and performance results are reported. These results show that the implementation is very efficient.
1 Overview of Research
Authentication is a fundamental security mechanism by means of which systems verify the identity claims of their users. It determines who the user is and whether his/her claim of a particular identity is true; authenticated identities are then the basis for applying other security mechanisms, such as access control. Loosely speaking, a user can be authenticated on the basis of something he holds, something he is, or something he knows.¹ Various mechanisms are currently available to implement each such approach. Something you know is typically implemented through mechanisms such as passwords or challenge-response protocols. The something you hold approach is implemented through token-based mechanisms, smartcards, or a PIN that the user possesses and must present in order to be authenticated. Finally, the who you are paradigm is based on biometrics and includes techniques such as fingerprint scans, retina scans, voiceprint analysis, and others.

Once the identity of a user has been verified, the system resources are made available to the user, possibly under the constraints specified by the access control policies. Such an approach may be appropriate for low-security environments but can lead to session hijacking.² Session hijacking involves an attacker using a captured, brute-forced or reverse-engineered session ID to seize control of such a session. In high-risk environments, or in environments in which the cost of unauthorized use of the protected resources is high, continuous verification of identity, if efficiently implemented, can be instrumental in reducing this window of vulnerability. There may be resources whose access requires strong assurance of the identity of the users. The same system may have resources with different requirements concerning the authentication strength for the users wishing to access them. A straightforward solution to authentication for resources with such heterogeneous requirements is based on a conservative approach that maximizes authentication checks each time a user connects to the system. However, such a solution may result in computationally expensive authentication tasks and may also be very expensive and complex to deploy. For example, adopting one-time passwords [4, 1] for all users of an organization, independently of the tasks they have to perform and the resources they have to access, may be very expensive; ideally one would like to require this type of authentication only for users who need to access sensitive resources and use conventional passwords for the other users. Additionally, such an approach does not avoid the risk of session hijacking.

¹ Other options are also possible, like what the user does or where he is. We leave them out of the discussion as they are less significant.
² Session hijacking is the act of taking control of a user session after successfully obtaining or generating an authentication session ID. The session ID, which uniquely identifies a session between the client browser and remote host, maintains the state information about the user's preferences and authorization level. A post-authenticated session is one where a legitimate user has provided the required tokens to authenticate and the session is still in progress.

We believe that authentication should be based on a variety of mechanisms targeted to the resource security requirements and should be easily configurable. The identity of users should always be known and certain during the whole duration of a user session within the system, especially as the user browses multiple resources. Continuous verification has been proposed to tackle issues related to fake authentication by attackers. Most approaches to continuous authentication are based on biometric techniques, like keyboard typing recognition or face recognition through trusted cameras [3].
However, these approaches require costly machinery and tools and, in addition, are based on the assumption that a single method of authentication is to be accepted by every possible resource the user connects to. We believe that we need more articulated solutions based on the use of multiple authentication mechanisms combined through authentication policies and on the association of authentication requirements with the protected resources.

Example 1. Consider a chemical factory and the employee Alice. Alice, as an accountant in the project department, can use a standard password-based authentication approach when accessing files collecting data about projects. Her claimed identity needs, however, to be cleared again using a higher-assurance authentication mechanism like biometrics when she attempts to access a file storing code keys for accessing machinery, since only selected employees can actually manage potentially dangerous machines.

In the submitted paper we developed an articulated framework for authentication based on an expressive authentication policy language. By using such a language, one can specify how many authentication factors are required, and of which type, for accessing specified resources, or impose constraints on the authorities by which the credentials used for authentication have to be provided, thus providing quality-based authentication. It is important to notice that the SAML (Security Assertion Markup Language) standard [5] supports the encoding of authentication statements for exchange among sites in a distributed system. The goals of our authentication policy language are different from the goals of SAML. SAML is a standard for encoding authentication statements; such a statement typically asserts that a given subject has been authenticated under a certain modality by a given entity at a given time. SAML thus does not deal with taking authentication decisions; it only deals with encoding and transmitting such decisions.
The goal of our language is exactly to specify policies driving authentication decisions; as such, policies expressed in our language may also take into account previous authentication decisions, taken for example by other sites in a distributed system, together with other information, in order to reach an authentication decision. We notice that, of course, once an authentication decision has been taken based on the policies expressed in our language, a SAML assertion recording such a decision may be generated for use in a distributed system. In what follows we refer to our framework as an authentication service to emphasize that our goal is to develop a comprehensive set of functions for specifying, managing, enforcing, and inspecting authentication policies that can be used by parties and applications in a system.

In more detail, the contributions of our work are as follows:
(1) The development of a reference architecture for an authentication service.
(2) The specification of a language to express authentication policies and its XML specification; some features of this language include the specification of the number of authentication factors required for accessing a resource, the qualification of the authentication factors in terms of a large variety of conditions, and the specification of the order according to which the factors have to be verified.
(3) An implementation of the proposed authentication service and the policy language in the context of the FreeBSD Unix operating system; in this implementation, authentication policies are associated with system resources, in addition to being used when the user initially connects to the system, and therefore we support the notion of continuous authentication.

Notice that our current implementation is in the context of an operating system, since we want a proof of concept that the notions of authentication service and authentication policies can actually be supported in a real system. We plan to extend this work to the case of distributed systems and in particular to federated digital identity management systems [2]. In this case, authentication of a user at a service provider in a federation could take into account authentication steps performed by the same user at other service providers in the federation; we believe that current single-sign-on techniques could be supported as a special case of our authentication services.
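To make the policy features described above concrete (a required number of factors, conditions on each factor, a constraint that credentials come from different authorities, an order of verification, and re-evaluation of the policy on every resource access), here is a small Python model. It is an added illustration written for this report, not the Auth-SL language, its XML encoding, or the FreeBSD implementation from the paper; the policy representation, the predicate helpers `kind_is` and `is_biometric`, the `Session` class, and the issuer names are all assumptions of the example, and the two policies are a constructed reading of Example 1.

```python
import itertools
from dataclasses import dataclass

# Toy evaluator for quality-based authentication policies: an added illustration,
# not the Auth-SL implementation from the paper. The policy model (factor count,
# per-factor conditions, distinct-issuer and ordering constraints) is an assumption.

BIOMETRIC_KINDS = {"fingerprint", "retina", "voiceprint"}

@dataclass(frozen=True)
class Credential:
    """One authentication factor already verified during the session."""
    kind: str         # e.g. "password", "token", "fingerprint"
    issuer: str       # authority that verified the factor
    verified_at: int  # position in the session's verification sequence

@dataclass
class Policy:
    """Authentication requirements attached to a single resource."""
    min_factors: int
    conditions: list                # predicates, each to be met by a distinct credential
    distinct_issuers: bool = False  # matched credentials must come from different authorities
    ordered: bool = False           # matched credentials were verified in list order

def kind_is(kind):
    return lambda c: c.kind == kind

def is_biometric(c):
    return c.kind in BIOMETRIC_KINDS

def _assignment(policy, creds):
    """Injectively map credentials onto the policy's conditions, or return None.
    Brute force over permutations is fine: a policy names a handful of factors."""
    n = len(policy.conditions)
    for chosen in itertools.permutations(creds, n):
        if not all(cond(c) for cond, c in zip(policy.conditions, chosen)):
            continue
        if policy.distinct_issuers and len({c.issuer for c in chosen}) != n:
            continue
        if policy.ordered and any(a.verified_at > b.verified_at
                                  for a, b in zip(chosen, chosen[1:])):
            continue
        return chosen
    return None

def evaluate(policy, creds):
    """Decide whether the factors verified so far satisfy the resource's policy."""
    if len(creds) < policy.min_factors:
        return False, f"need {policy.min_factors} factor(s), have {len(creds)}"
    if policy.conditions and _assignment(policy, creds) is None:
        return False, "verified factors do not satisfy the policy's conditions"
    return True, "ok"

class Session:
    """Every resource access re-evaluates that resource's policy against the
    factors verified so far: the continuous-authentication idea of the report."""

    def __init__(self):
        self.creds = []

    def authenticate(self, kind, issuer):
        self.creds.append(Credential(kind, issuer, len(self.creds) + 1))

    def access(self, resource, policies):
        return evaluate(policies[resource], self.creds)

# Constructed policies mirroring Example 1: project data needs a password; the
# machinery key file needs a password and then a biometric, from two authorities.
POLICIES = {
    "project_files": Policy(1, [kind_is("password")]),
    "machinery_keys": Policy(2, [kind_is("password"), is_biometric],
                             distinct_issuers=True, ordered=True),
}

def demo():
    """Walk constructed sessions through the policies; returns each decision."""
    results = {}
    alice = Session()
    alice.authenticate("password", "corp-directory")  # constructed issuer names
    results["projects_after_password"] = alice.access("project_files", POLICIES)[0]
    results["machinery_after_password"] = alice.access("machinery_keys", POLICIES)[0]
    alice.authenticate("fingerprint", "biometric-gateway")
    results["machinery_after_biometric"] = alice.access("machinery_keys", POLICIES)[0]
    bob = Session()  # both factors verified by one authority: distinct-issuer fails
    bob.authenticate("password", "corp-directory")
    bob.authenticate("fingerprint", "corp-directory")
    results["machinery_same_issuer"] = bob.access("machinery_keys", POLICIES)[0]
    carol = Session()  # biometric before password: ordering constraint fails
    carol.authenticate("fingerprint", "biometric-gateway")
    carol.authenticate("password", "corp-directory")
    results["machinery_wrong_order"] = carol.access("machinery_keys", POLICIES)[0]
    return results

if __name__ == "__main__":
    for step, granted in demo().items():
        print(f"{step}: {'granted' if granted else 'denied'}")
```

The point of the `Session` class is that authentication is not a one-shot gate at login: Alice's password is enough for the project files, but the machinery key file is denied until a second, biometric factor from a different authority has been verified, and the same two factors are rejected when one authority verified both or when they were verified in the wrong order. Each condition must be satisfied by a distinct credential, which is what makes "two credentials issued by different authorities" expressible as a policy rather than as application code.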
2 A Personal Reflection
This research experience was not only interesting on an academic level, but was also useful in helping me decide to pursue graduate study and an academic career. My main contributions to the work are as follows: (1) I designed the framework for the implementation of our system in FreeBSD, (2) I led the development of the framework into a testable proof of concept, (3) I helped to design the general framework of our system that can be adapted to a distributed system, (4) I helped to plan the design of the authentication language, (5) I wrote a significant part of the paper which we submitted for publication. From this research experience, I learned the basics of access control, specifically concerning the aspect of authentication. Precisely, I received significant exposure to multi-factor authentication methods, including various biometric techniques. I also attained significant amounts of knowledge concerning the design and structure of operating systems. Specifically, I investigated and modified the process control structure of threads. Moreover, I also explored various aspects of the UFS2 file system. This research experience exposed me to intriguing aspects of authentication as well as operating system security. The work opens the door for further research into the authentication language, improvement of the FreeBSD implementation, and extension into a federated environment.
References

[1] ActivIdentity. http://www.actividentity.com/en/products/4 3 3 tokens.php.
[2] Identity-Management. Liberty Alliance Project. http://www.projectliberty.org.
[3] A. Klosterman and G. Ganger. Secure continuous biometric-enhanced authentication, 2000.
[4] RSA SecurID. http://www.rsasecurity.com/node.asp?id=1156.
[5] SAML v1.0 Specification Set, 2002. http://www.oasis-open.org/committees/security/#documents.