Securing Document Access with SAML and Digital Certificates

About This Presentation
Title:

Securing Document Access with SAML and Digital Certificates

Description:

What responsibility does Exostar bear as the certifier of identities? Technical ... Hello Sun: why can't we use browser keystores with Java SSL (JSSE) ...

Slides: 25
Provided by: andrewj50

Transcript and Presenter's Notes



1
Securing Document Access with SAML and Digital Certificates
  • Andrew Jaquith
  • Program Director
  • October 9, 2002

2
Agenda
  • Introduction
  • Business Problem
  • Security Strategy
  • Two Key Technology Decisions
  • Walkthrough Encryption and Decryption
  • Lessons Learned
  • Questions and Answers

3
Objectives
  • Show how identity management works in a modern
    web application, Exostar ForumPass 2.0
  • Describe the technology selection process
  • Security Assertion Markup Language (SAML)
  • Digital certificates
  • Describe the solution architecture
  • And, as you might expect, share some war stories

Note: ForumPass 2.0 recently received the Forbes
Best of the Web award for 2002.
4
Speaker Qualifications: Andrew Jaquith
  • Program Director, @stake
  • Managing consultant since the firm's inception in
    fall 1999
  • Works with clients in software, financial
    services, and supply chain sectors
  • Technical Leader, @stake Risk Analytics Center of
    Excellence
  • Research featured in CIO, ComputerWorld,
    Information Week
  • Previous experience
  • Senior Project Manager, Cambridge Technology
    Partners
  • Project Manager/Senior Project Manager, FedEx
    Logistics (Caliber)

5
@stake provides digital security services to
help organizations
  • Secure critical infrastructure
  • Enable digital relationships

(Diagram of @stake's service lifecycle: Assess & Strategize; Implement & Verify; Design & Architect; Operate & Maintain)
6
About @stake
  • @stake advises clients on the technology, people,
    and process aspects of digital security
  • Strategy, assessment and implementation services
    include
  • Application Security
  • Incident Readiness and Response
  • Attack Simulation
  • Wireless Security
  • Clients include
  • 4 of the world's top 10 financial institutions
  • 7 of the world's top 10 wireless mobile carriers
  • 3 of the world's top 10 independent software
    companies

7
Background (1)
  • Exostar LLC founded in 2000 to streamline the
    aerospace and defense supply chain
  • Jointly funded by 5 of the biggest A&D firms
  • Boeing, Raytheon, Lockheed Martin, BAE Systems,
    Rolls-Royce
  • Two-tier club model: Founding Partners sponsor
    suppliers and customers
  • Initial offerings included e-procurement,
    auctions, and catalog management
  • In 2000, Exostar rolled out ForumPass
    (e-collaboration)
  • Out-of-the-box install of PTC ProjectLink, a
    leading PDM solution
  • Includes document sharing, project management,
    CAD integration

8
Background (2)
  • Founding partners demanded better security for
    their intellectual property
  • Competitive reasons
  • ITAR compliance
  • In Q1 2002, ForumPass 2.0 planning began
  • Major security enhancements, plus PTC version
    upgrade
  • Exostar brought in @stake as its security partner
  • Program management
  • Vendor management
  • Technical design and integration leadership

9
Business Problem
  • Problem statement
  • Ensure positive verification of the identities of
    participants when online
  • Provide easy access by participants to their
    entitled information
  • Keep documents safe from unauthorized access
    by the wiliest haX0rs, and even by Exostar
    (the rogue admin)
  • Intangibles/biases
  • Standards-based approach
  • COTS integration, not a re-write
  • Strong consensus-based approach
  • Security should be no-load and inescapable

10
Technical and Legal Questions
  • Legal
  • Who bears liability for illegitimate use of
    authority by a legitimate party invited by one of
    the Founding Partners? Exostar, or the Founding
    Partner?
  • Corollary: what if an invited company is
    sponsored by two Founding Partners? Who loses?
  • What responsibility does Exostar bear as the
    certifier of identities?
  • Technical
  • How should data be handled and stored so that
    data doesn't leak?
  • How would we know when illegitimate access
    occurs?
  • How to secure the extranet so that it is safer
    than an intranet?

11
Security Architecture
  • Encryption/decryption of all documents at the
    browser
  • Multiple security domains external parties
    manage encryption keys
  • NSA-certified secure hosting facility
  • Customized audit module for tracking document
    access
  • Hardware storage of keys
  • Zoned firewall architecture
  • Public > application > database tier

12
Key Decision 1 Federated Identity Model
  • Exostar set up a digital certificate authority
    (CA)
  • Digital certificates uniquely identify each user
  • The issuer is Exostar LLC, however
  • The subjects (members) are generally not Exostar
    employees
  • Different liability model than with most CAs
  • Exostar designed to accept certificates issued by
    Founding Partners (in the future)
  • Policy and process issue: PKI Management
    Authority created
  • Member identities stored in LDAP used by
    ForumPass application

13
Key Decision 2 SAML for document entitlements
  • Since access to keys is managed by an external
    entity, how does the key server know the requester
    is entitled to the decryption key?

14
Technology Platform
15
User Authentication Process
1. User browses to https://fp2.exostar.com/forumpass
2. Netegrity Web Agent intercepts the request; Policy
Server evaluates it against policy
3. Web Agent instructed to challenge user for a
valid certificate; user presents certificate
4. If certificate is recognized by Policy Server,
user is challenged for email address and password
5. Policy Server verifies that the email address matches
the one on the certificate, and that the user is in LDAP
6. If all conditions are true, a session cookie
is issued and the user is granted access
16
Sample SAML Assertion
I assert that Jeff Nigriny is authorized to
decrypt document foo.doc, but only between 5:30
and 6:00 PM today, and here's my signature that
proves it's really me making the assertion.

<Assertion>
  <Conditions NotBefore="17:30 09-OCT-2002" NotOnOrAfter="18:00 09-OCT-2002"/>
  <AuthorizationDecisionStatement Resource="foo.doc" Decision="Permit">
    <Subject>
      <NameIdentifier>Jeff Nigriny</NameIdentifier>
    </Subject>
    <Action>Decrypt</Action>
  </AuthorizationDecisionStatement>
  <Signature>5E8C811270A26F615D1F6BFF899BAB46898CF546</Signature>
</Assertion>
17
Document Encryption Process
1. User acts to create/update/check in/attach a
document. Dialog with encryption applet opens.
2. User selects file; applet encrypts document
with a newly generated symmetric key.
3. Applet obtains the Key Server's public key, then
encrypts the symmetric key with it. (This
means that the key that encrypted the document
can only be recovered by the Key Server.)
4. Applet causes browser to upload encrypted
document and encrypted key to server.
5. Document stored as a normal (albeit
encrypted) object in the ForumPass document
object database.
18
Document Decryption Process
1. User acts to open or download a document.
Decryption page with applet opens.
2. Applet downloads encrypted document, encrypted
key, and SAML assertion.
3. Applet connects to the key server identified in the
SAML assertion; user authenticates with digital
certificate. Applet passes both the SAML
assertion and the encrypted key.
4. Key server validates SAML assertion (validity period,
signature integrity, etc.). Key server also
compares the user named in the assertion with
the one submitting the request (from the SSL
session). They must match.
5. If valid, key server passes back the decrypted
key, with which the applet decrypts the document.
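
The decryption walkthrough above, together with the sample assertion on slide 16 and the encryption steps on slide 17, as an added worked example; it is not code from the deck, from Exostar or from ForumPass. It is written in Go rather than as the Java applet the deck describes, and it makes the following assumptions: the assertion keeps the slide's simplified shape (no SAML namespaces, AssertionID, Issuer or IssueInstant) with RFC 3339 UTC timestamps; the asserting party's signature is a detached Ed25519 signature over the exact assertion bytes, standing in for SAML's enveloped XML-DSig; the per-document key is AES-256-GCM, wrapped with RSA-OAEP to the Key Server's public key; and the subject from the requester's client certificate reaches the key server as a plain string (sslSubject). The names "Jeff Nigriny" and "foo.doc" come from slide 16; the document text and the function names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Assertion is the slide's simplified shape (assumption: real SAML 1.x adds namespaces, AssertionID, Issuer, IssueInstant).
type Assertion struct {
	Conditions struct {
		NotBefore    time.Time `xml:"NotBefore,attr"`
		NotOnOrAfter time.Time `xml:"NotOnOrAfter,attr"`
	} `xml:"Conditions"`
	Stmt struct {
		Resource string `xml:"Resource,attr"`
		Decision string `xml:"Decision,attr"`
		Subject  string `xml:"Subject>NameIdentifier"`
		Action   string `xml:"Action"`
	} `xml:"AuthorizationDecisionStatement"`
}

// IssueAssertion is the asserting party (ForumPass): "subject may Decrypt resource during [notBefore, notBefore+ttl)".
// Assumption: a detached Ed25519 signature over the exact XML bytes stands in for SAML's enveloped XML-DSig.
func IssueAssertion(issuer ed25519.PrivateKey, subject, resource string, notBefore time.Time, ttl time.Duration) (assertion, sig []byte, err error) {
	var a Assertion
	a.Conditions.NotBefore, a.Conditions.NotOnOrAfter = notBefore.UTC(), notBefore.Add(ttl).UTC()
	a.Stmt.Resource, a.Stmt.Decision, a.Stmt.Subject, a.Stmt.Action = resource, "Permit", subject, "Decrypt"
	if assertion, err = xml.Marshal(a); err != nil {
		return nil, nil, err
	}
	return assertion, ed25519.Sign(issuer, assertion), nil
}
func aead(key []byte) (cipher.AEAD, error) { // AES-256-GCM under a per-document key
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptDocument is the applet's side of encryption steps 2 and 3: nonce||ciphertext plus the key wrapped (RSA-OAEP) to the Key Server.
func EncryptDocument(keyServerPub *rsa.PublicKey, doc []byte) (wrappedKey, blob []byte, err error) {
	key := make([]byte, 32)
	rand.Read(key)      // fresh key per document; crypto/rand.Read does not fail on a healthy OS
	gcm, _ := aead(key) // cannot fail: the key is always 32 bytes
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	if wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, keyServerPub, key, nil); err != nil {
		return nil, nil, err
	}
	return wrappedKey, gcm.Seal(nonce, nonce, doc, nil), nil
}

// KeyServerUnwrap is the Key Server's side of decryption steps 3 to 5; sslSubject is the identity from the client certificate.
func KeyServerUnwrap(keyServerPriv *rsa.PrivateKey, issuerPub ed25519.PublicKey, assertion, sig, wrappedKey []byte, sslSubject, resource string, now time.Time) ([]byte, error) {
	if !ed25519.Verify(issuerPub, assertion, sig) { // verify before parsing anything
		return nil, errors.New("assertion signature invalid")
	}
	var a Assertion
	if err := xml.Unmarshal(assertion, &a); err != nil {
		return nil, err
	}
	switch {
	case now.Before(a.Conditions.NotBefore) || !now.Before(a.Conditions.NotOnOrAfter):
		return nil, errors.New("assertion outside its validity window")
	case a.Stmt.Decision != "Permit" || a.Stmt.Action != "Decrypt" || a.Stmt.Resource != resource:
		return nil, errors.New("assertion does not permit Decrypt of this document")
	case a.Stmt.Subject != sslSubject: // a captured assertion is useless without the subject's certificate key
		return nil, errors.New("SSL client identity does not match assertion subject")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, keyServerPriv, wrappedKey, nil)
}
// DecryptDocument is decryption step 5 on the applet, with the key the Key Server released.
func DecryptDocument(blob, key []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad key or truncated document")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader) // ForumPass asserting party
	keyServer, _ := rsa.GenerateKey(rand.Reader, 2048)           // externally managed Key Server
	wrapped, blob, _ := EncryptDocument(&keyServer.PublicKey, []byte("constructed sample: wing spar tolerances, rev C"))
	assertion, sig, _ := IssueAssertion(issuerPriv, "Jeff Nigriny", "foo.doc", time.Now(), 30*time.Minute)
	for _, who := range []string{"Jeff Nigriny", "Mallory"} { // one assertion, two client certificates
		key, err := KeyServerUnwrap(keyServer, issuerPub, assertion, sig, wrapped, who, "foo.doc", time.Now())
		pt, _ := DecryptDocument(blob, key)
		fmt.Printf("%s: err=%v recovered=%q\n", who, err, pt)
	}
}
```

The check that carries the design is the last case in KeyServerUnwrap: a perfectly valid assertion presented over someone else's client certificate is refused, which is what lets the assertion pass through the browser and the network without becoming a bearer token. Two other details matter in practice and are easy to get wrong: the key server judges the validity window against its own clock, not a time supplied by the requester, and it verifies the signature before parsing anything else, so a forged or edited assertion never reaches the policy checks.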
19
Lessons Learned (1)
  • Business heads should fund security as part of
    the app
  • At Exostar, application and security budgets
    indistinguishable
  • SAML was just what the doctor ordered
  • Simple, elegant, bulletproof authorization model
  • Sometimes being ahead of the curve pays off
  • Old habits such as passwords die hard
  • Digital certificates: easier for users, harder for
    IT staff to accept
  • COTS integration like a Rubik's Cube puzzle
  • 45-50 distinct technologies in the complete
    solution

20
Lessons Learned (2)
  • PKI best as a point-purpose tool, not as religious
    canon
  • Simple use case: authentication-only
  • Utility model: outsourced provisioning and
    management
  • No S/MIME or non-repudiation red herrings
  • Exostar's federated identity model is different from
    a normal CA's
  • Plan extra time to resolve identity liability
    issues
  • Extranet liability risk has always been there,
    but PKI makes it explicit
  • Java terrific for cross-platform browser
    solutions, but has some identity management holes
  • Hello, Sun: why can't we use browser keystores
    with Java SSL (JSSE)?

21
In Closing
  • Exostar is an early example of federated identity
    put into practice in a B2B environment
  • SAML provides a simple, elegant solution for
    enforcing access entitlements
  • Security should enhance users' sense of security,
    but not get in their way
  • Jump in, the water's fine!

22
Questions?
23
Contact Information
  • @stake, Inc.
  • Andrew Jaquith, ajaquith@atstake.com
  • Exostar LLC
  • Greg Maxwell, E-Collaboration Program Director,
    greg.maxwell@exostar.com
  • Jeff Nigriny, Security Director,
    jeff.nigriny@exostar.com
  • Evincible
  • Vijay Takanti, CEO, vtakanti@evincible.com

24
References and Further Reading
  • Frederick J. Hirsch, Getting Started with XML
    Security. Good technical primer on SAML and XML
    security. http://home.earthlink.net/fjhirsch/xml/xmlsec/starting-xml-security.html
  • Andrew Jaquith, The Security of Applications:
    Not All Are Created Equal. Empirical analysis of
    why applications designed with security in mind
    are more secure. http://www.atstake.com/research/reports/acrobat/atstake_app_unequal.pdf
  • Dr. Stephen Kent, Chief Scientist, Genuity, How
    Many CAs are Enough? Introduces the Mao Zedong
    CA model ("let 10,000 flowers bloom").
    http://www-itg.lbl.gov/security/WorkshopIII/DOE_CA_models.pdf
  • IBM XML Security Suite. Java-based XML Digital
    Signatures and XML Encryption. http://www.alphaworks.ibm.com/tech/xmlsecuritysuite