New rev of Strict Transport Security (STS) Specification
Wednesday, December 23rd, 2009
Details are over here..
=JeffH sez check it out
I found the existing protocol flow diagram in the current OAuth spec..
OAuth Core 1.0
http://oauth.net/core/1.0/
..somewhat hard to follow. So I concocted three separate new ones using the so-called “swimlane” technique that I’m used to.
I posted these to the OAuth list a while back, and a few folks reposted them to their blogs, but no one has yet piped up to say I got anything wrong. But YMMV, there might be bugs in here.
FWIW, I’ve posted them below in case others find them useful. Also, I have them in a single file..
http://identitymeme.org/doc/draft-hodges-oauth-05-figures.txt
..also featuring OpenID and SAML Web Browser SSO Profile diagrams for comparison purposes. Note that in all things protocol, definitions of terms are essential in order to be able to effectively communicate and reason about protocols, so I’ve included key definitions from the OAuth spec in the file.
NOTE: a fixed-pitch font is required for viewing. Also, WordPress is obviously messing up the diagrams below, and they consequently look sorta lame here on the blog. This site presently uses an old WordPress install; maybe this will help motivate me to upgrade it. In the meantime, check out the file linked to above for the best viewing experience.
Fig 1: out-of-band consumer setup/config

                       photos.example.net
                       +----------+
                       |          |
                       |  OAuth   |
                       | service  |
printer.example.com    | provider |
+---------+            |          |
|developer|            |   Sys    |
|   of    |            |  Admin   |
|  OAuth  |            |          |
|consumer |            |          |
|         |            |   [SP]   |
+----+----+            +----+-----+
     |                      |
     | obtain Consumer Key  |
     | and Consumer Secret  |
     | [details unspec'd,   |
     | performed out-of-    |
     | band.]               |
     |--------------------->|
     |<---------------------|
     |                      |
     |                      |
Fig 2: “Web-based consumer”
The "consumer" is a website or other application that accesses
the Service Provider on behalf of the wielder (user) of the user agent
(UA is typically a browser, but could be some other app).
Steps 1.n. "Obtain Unauthorized Request Token"
2.n. "User Authorizes Request Token"
3.n. "Exchange Request Token for Access token"
4.n. UA accessing protected resources at SP
                                                 photos.example.net
                                                 +----------+
                                                 |          |
                                                 |  OAuth   |
                        printer.example.com      | Service  |
                        +--------+               | Provider |
                        |        |               |          |
                        | OAuth  |               |[protected|
                        |Consumer|               |resources]|
+----+                  |        |               |          |
| UA |                  |  [RP]  |               |   [SP]   |
+-+--+                  +---+----+               +----+-----+
  |                         |                         |
  | 1.0. User Agent inter-  |                         |
  | acts with Consumer      |                         |
  | site [optional]         |                         |
  |<----------------------->|                         |
  |                         |                         |
  | 1.1. UA informs/directs |                         |
  | Consumer to do something|                         |
  | with a resource (e.g.   |                         |
  | a photo) at SP          |                         |
  |------------------------>|                         |
  |                         |                         |
  |                         | 1.2. Consumer attempts  |
  |                         | accessing photo at SP   |
  |                         |------------------------>|
  |                         |                         |
  |                         | 1.3. SP replies with    |
  |                         | a HTTP 401 containing   |
  |                         | a "OAuth" www-authn     |
  |                         | header field            |
  |                         |<------------------------|
  |                         |                         |
  |                         | 1.4. Consumer replies   |
  |                         | with a request for      |
  |                         | "unauthorized Request   |
  |                         | Token" (uRT) via POST   |
  |                         | to SP's "request token  |
  |                         | URL"                    |
  |                         |------------------------>|
  |                         |                         |
  |                         | 1.5. SP issues uRT &    |
  |                         | token secret to         |
  |                         | Consumer.               |
  |                         |<------------------------|
  |                         |                         |
  | 2.0. Consumer redirects |                         |
  | UA to SP "User Author-  |                         |
  | ization URL" including  |                         |
  | the uRT.                |                         |
  +<- - - - - - - - - - - - |                         |
  .   (indirected via UA)   |                         |
  .                         |                         |
  +-------------------------+------------------------>|
  |                         |                         |
  | 2.2. User authenticates with the Service          |
  | Provider (optional, methods vary, realization     |
  | is out of scope)                                  |
  |<=================================================>|
  | 2.3. User grants or declines permission           |
  | for the Service Provider to allow Consumer        |
  | access to the resource (e.g. photo).              |
  |                         |                         |
  | 2.4. If permission granted, UA redirected back    |
  | to Consumer's "Callback URL", conveying the       |
  | uRT.                    |                         |
  +<- - - - - - - - - - - - - - - - - - - - - - - - - |
  .   (indirected via UA)   |                         |
  .                         |                         |
  +------------------------>|                         |
  |                         |                         |
  |                         | 3.0. Consumer requests  |
  |                         | Access token, supplies  |
  |                         | uRT.                    |
  |                         |------------------------>|
  |                         |                         |
  |                         | 3.1. SP grants Access   |
  |                         | Token.                  |
  |                         |<------------------------|
  |                         |                         |
  |                         | 4.x. Consumer uses the  |
  |                         | Access Token, Access    |
  |                         | Token Secret, Consumer  |
  |                         | Key, and Consumer       |
  |                         | Secret to make          |
  |                         | authenticated           |
  |                         | request(s) to the       |
  |                         | Service Provider.       |
  |                         |========================>|
  |                         |            .            |
  |                         |            .            |
  |                         |            .            |
  |                         |                         |
Fig 3: “desktop-based consumer”
This is the case where the user is wielding some app that is both a UA and a Consumer.
                                            +----------+
                                            |          |
                                            |  OAuth   |
                                            | service  |
+--------+                                  | provider |
|        |                                  |          |
|Desktop-|                                  |[protected|
|based   |                                  |resources]|
|Consumer|                                  |          |
|        |                                  |          |
|   UA   |                                  |   [SP]   |
+-+------+                                  +----+-----+
  |                                              |
  | 1. Consumer requests "unauthorized Request   |
  | Token (uRT)" with POST to SP's "request      |
  | token" URL.                                  |
  |--------------------------------------------->|
  |                                              |
  | 1.1. SP issues uRT and Token Secret to       |
  | consumer.                                    |
  |<---------------------------------------------|
  |                                              |
  | 1.2. User authenticates with the Service     |
  | Provider (optional, methods vary, realization|
  | is out of scope)                             |
  |<============================================>|
  | 3. User grants or declines permission        |
  | for the Service Provider to issue Access     |
  | Token.                                       |
  |                                              |
  | 4. Service Provider authorizes the uRT to be |
  | exchanged for an Access Token and secret.    |
  |<---------------------------------------------|
  |                                              |
  | 5. Consumer exchanges the uRT and secret     |
  | for an Access Token and Secret.              |
  |--------------------------------------------->|
  |<---------------------------------------------|
  |                                              |
  | 6. Consumer uses the Access Token, Access    |
  | Secret, Consumer Key, and Consumer Secret    |
  | to make authenticated request(s) to the      |
  | Service Provider.                            |
  |<============================================>|
  |                      .                       |
  |                      .                       |
  |                      .                       |
  |                                              |
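To make the three-step flow in Figs 2 and 3 concrete, here is an added example (not code from the original post, nor from the OAuth spec or any library) that runs the OAuth Core 1.0 exchange in-process: a ServiceProvider that issues the unauthorized Request Token, records the user's grant, exchanges the uRT for an Access Token and recomputes the HMAC-SHA1 signature on every call, and a Consumer that signs each request with its Consumer Key/Secret plus whatever token it currently holds. The hostnames are the ones in the figures; the URL paths, token format and photo bytes are constructed for the example. The signing routine follows sections 9.1 and 9.2 of OAuth Core 1.0 and reproduces the worked signature in the spec's Appendix A.

```python
"""OAuth Core 1.0 three-legged flow (Figs 2 and 3 above), run in-process.  Added example, not
code from the original post or the OAuth spec: Consumer and Service Provider (SP) are plain
Python objects, no network; signing follows OAuth Core 1.0 sections 9.1-9.2."""
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote
PHOTO = b"constructed sample photo bytes"  # stands in for the protected resource

def pct(s):
    """Percent-encode as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay bare."""
    return quote(str(s), safe="-._~")

def signature_base_string(method, url, params):
    """METHOD & enc(URL) & enc(sorted k=v pairs); the caller leaves oauth_signature out."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    """Key is enc(consumer secret) & enc(token secret); the latter is empty before step 1.5."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

class ServiceProvider:
    """photos.example.net (hostname from the figures; paths made up): tokens, signatures, photo."""
    REQUEST_TOKEN_URL = "https://photos.example.net/request_token"
    ACCESS_TOKEN_URL = "https://photos.example.net/access_token"
    PHOTO_URL = "https://photos.example.net/photos/1"

    def __init__(self, consumers):
        self.consumers = consumers  # consumer key -> secret, provisioned out of band (Fig 1)
        self.request_tokens = {}    # uRT -> {secret, consumer_key, authorized}
        self.access_tokens = {}     # access token -> {secret, consumer_key}
        self.seen_nonces = set()    # (timestamp, nonce) pairs already accepted

    def _verify(self, method, url, params, token_secret=""):
        """Recompute the signature over the request and reject replays; return the consumer key."""
        consumer_key = params["oauth_consumer_key"]
        if consumer_key not in self.consumers:
            raise PermissionError("unknown consumer key")
        nonce = (params["oauth_timestamp"], params["oauth_nonce"])
        if nonce in self.seen_nonces:
            raise PermissionError("replayed nonce")
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        expected = hmac_sha1_signature(signature_base_string(method, url, unsigned),
                                       self.consumers[consumer_key], token_secret)
        if not hmac.compare_digest(expected, params["oauth_signature"]):
            raise PermissionError("bad signature")
        self.seen_nonces.add(nonce)
        return consumer_key

    def request_token(self, params):  # steps 1.4 / 1.5
        consumer_key = self._verify("POST", self.REQUEST_TOKEN_URL, params)
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "consumer_key": consumer_key, "authorized": False}
        return {"oauth_token": token, "oauth_token_secret": secret}

    def access_token(self, params):  # steps 3.0 / 3.1
        rt = self.request_tokens.get(params.get("oauth_token"))
        if rt is None:
            raise PermissionError("unknown request token")
        consumer_key = self._verify("POST", self.ACCESS_TOKEN_URL, params, rt["secret"])
        if rt["consumer_key"] != consumer_key or not rt["authorized"]:
            raise PermissionError("request token not authorized for this consumer")
        del self.request_tokens[params["oauth_token"]]  # a uRT is exchanged at most once
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {"secret": secret, "consumer_key": consumer_key}
        return {"oauth_token": token, "oauth_token_secret": secret}

    def protected_resource(self, params):  # step 4.x
        at = self.access_tokens.get(params.get("oauth_token"))
        if at is None or self._verify("GET", self.PHOTO_URL, params, at["secret"]) != at["consumer_key"]:
            raise PermissionError("unknown access token, or token issued to another consumer")
        return PHOTO

class Consumer:
    """printer.example.com: signs each request with its key plus whatever token it holds."""
    def __init__(self, key, secret):
        self.key, self.secret, self.token, self.token_secret = key, secret, None, ""

    def signed(self, method, url):
        params = {"oauth_consumer_key": self.key, "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
                  "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8)}
        if self.token:
            params["oauth_token"] = self.token
        base = signature_base_string(method, url, params)
        params["oauth_signature"] = hmac_sha1_signature(base, self.secret, self.token_secret)
        return params

def run_flow(sp, consumer, user_grants=True):
    """Drive Fig 2 end to end (Fig 3 is the same minus the UA redirects); None if the user declines."""
    rt = sp.request_token(consumer.signed("POST", sp.REQUEST_TOKEN_URL))
    consumer.token, consumer.token_secret = rt["oauth_token"], rt["oauth_token_secret"]
    # steps 2.0-2.4 (UA redirected to the SP, user decides, UA redirected back), recorded SP-side
    sp.request_tokens[rt["oauth_token"]]["authorized"] = user_grants
    try:
        at = sp.access_token(consumer.signed("POST", sp.ACCESS_TOKEN_URL))
    except PermissionError:
        return None
    consumer.token, consumer.token_secret = at["oauth_token"], at["oauth_token_secret"]
    return sp.protected_resource(consumer.signed("GET", sp.PHOTO_URL))
```

The checks the SP applies (known Consumer Key, signature recomputed over the exact method, URL and parameters, nonce not yet seen, uRT authorized by the user and bound to the consumer that requested it, uRT exchangeable only once, access token usable only by the consumer it was issued to) are what keep steps 1.4, 3.0 and 4.x from being replayed or borrowed by another consumer; run_flow(sp, consumer, user_grants=False) exercises the decline path at 2.3, and in that case the SP never issues an Access Token.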
Eve (aka xmlgrrl) posted the following bit of musing today..
Circles of trust: disaster? or really bad idea?
http://www.xmlgrrl.com/blog/archives/2008/01/21/circles-of-trust-disaster-or-really-bad-idea/
..which I tend to think hits the proverbial nail pretty squarely on the head wrt “open internet”, “trust all comers”, and “trust circles”.
One very small, detail-level comment I have on her post is that where she writes..
(where users are okay with this sort of back-channel communication)
..I would instead make it explicitly clear that “users” sometimes don’t have any direct say with respect to the machinations of the IT department on their behalf. Hence I would write it as..
(where users are okay with this sort of back-channel communication, or where they don’t have any say (e.g. in an enterprise deployment))
Note I don’t feel that the latter is necessarily a good thing, but it’s reality in the corporate, governmental, and education worlds (at least), and no amount of attesting that “I want to own my identity data!” is going to change it any time soon (admittedly unfortunately). Besides, one’s identity, outside of one’s own thoughts, “..is a story”, as Bob Blakley noted a while back, and as social scientists and philosophers have understood for quite a while (see, for example, Erving Goffman).
But I digress…
I’ve done a modest editorial and copy editing update to the OpenID SAML technical comparison document announced earlier. Going forward, the latest rev will be available via this URL:
http://identitymeme.org/doc/draft-hodges-saml-openid-compare.html
Over the past couple of years quite a few folks have asked me, and I’m sure others, “what’s the salient differences between OpenID and SAML?” So earlier this year I began hacking together a technical comparison of the two. It’s an interesting exercise comparing two Web SSO protocols, even one as ostensibly simple, and straightforwardly specified, as OpenID. It turns out to be a fairly complex task given all the different facets inherent in authentication protocols in general, and in web-, i.e. HTTP-based, protocols (and profiles thereof) in particular. And also given the various audiences affected by such protocols: implementors, deployers, end users, and protocol designers.
The resultant comparison paper, “Technical Comparison: OpenID and SAML - Draft 05”, seems to me to be at a stage where it can be shared widely (i.e. on the web), so here it is..
http://identitymeme.org/doc/draft-hodges-saml-openid-compare-05.html
..For many readers, sections 1, 2, and perhaps 3 ought to cover things. For those necessarily interested in gory, really geeky details, parts or all of section 4 will be of interest. Note that this is still a “draft”: there are various items, especially in section 4, that are not as yet evaluated as thoroughly as I’d like, or at all (as yet).
I’ve tried as much as possible to provide an objective comparison. It’s admittedly difficult given I’ve been intimately involved in SAML’s gestation since essentially the very beginning. It’s also a technically difficult comparison because of the differing design centers of OpenID and SAML, as well as differing specification styles, and thus the difficulty in presenting the comparison to the reader, not to mention attempting to be “balanced”.
So, I hope this paper will prove at least somewhat enlightening and useful to the multifaceted “identity” community out there, and to those shepherding websites who are wondering what these two oft-mentioned beasts are, how they’re different/similar/alike, and also nominally how they work.
=JeffH sez check it out.
Andreas Åkre Solberg writes on his Feide blog..
simpleSAMLphp 0.3 is launched. Most interesting in this new release is the SAML 2.0 IdP functionality. The documentation is not covering everything in detail yet, but it should be sufficient to get something up running.
The simpleSAMLphp 0.3 package also features a Shibboleth 1.3-compatible SP written in PHP.
Well, I’m using the term “debate” loosely here because it seems to me, given the marshalled evidence, there isn’t much of a debate to be had, but in any case, Microsoft has responded to Peter Gutmann’s cost analysis of the DRM subsystems in Windows Vista (of which I’d written about earlier), and also in system hardware that has anything to do with handling of so-called “premium content” (i.e. content encoded onto newly emerging HD-DVD and Blu-Ray discs). Their reply is here..
Windows Vista Content Protection - Twenty Questions (and Answers)
http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/20/windows-vista-content-protection-twenty-questions-and-answers.aspx
Peter Gutmann’s rebuttal to Microsoft’s response is here..
Microsoft’s Response
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html#response
..which is an appendix of his overall “Cost Analysis of Windows Vista Content Protection” paper.
If you are at all curious as to the veracity and logic of Microsoft’s response, it is worth reading Peter Gutmann’s response in detail.
Peter Gutmann has just published a fairly detailed examination of Windows Vista Content Protection. It is highly recommended reading in that it has non-trivial implications for essentially all personal computer users of any stripe…
A Cost Analysis of Windows Vista Content Protection
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.txt
Note that this analysis dovetails with Bruce Schneier’s overall “DRM is futile” piece from 2001…
The Futility of Digital Copy Prevention
http://www.schneier.com/crypto-gram-0105.html#3
And also it has been coming for a while. Here’s a Microsoft doc from early 2005 that goes into fair detail describing the DRM-driven system workings that Peter analyzes…
Output Content Protection and Windows Vista
Updated: April 27, 2005
http://www.microsoft.com/whdc/device/stream/output_protect.mspx
..although interestingly enough, technorati lists only 13 references to it in their view of the blogosphere. Perhaps this upcoming train wreck isn’t all that widely perceived.
To me, Microsoft’s introduction of this level of bizarre complexity into the hardware and software platform simply tends to reinforce the refrain of one of my colleagues: “I ain’t going anywhere near Vista.”
Seems like I’ll have to get around, sooner or later, to experimenting with bringing up Ubuntu and/or CentOS and evaluating what it’ll take to migrate my environment over to one of them. Oh, yeah, and get my hardware upgraded sooner rather than later so that it hopefully won’t have this foolishness in it. I wonder how long into the future XP will be supported?
[update 25-Dec-2006]
Peter has updated his analysis paper to provide pointers to publicly available sources.
Ok, so if yer hip to cryptography at least some, then you know that to do truly strong crypto, one needs a source of very random numbers. This is not all that easy, it turns out. If you’re unaware of this little subtle-but-way-important detail, check out Ross Anderson’s book Security Engineering and Bruce Schneier’s Applied Cryptography.
Anyway, so these creative geeks are apparently going for outer-space-based events as sources of noise from which to generate their randomness. The article from zdnet UK (originally) is here..
Note that the article has pointers to various other orgs providing ostensibly random numbers over the Internet.
A nod of acknowledgment to Dan Geer, whose post to the Cryptography@ list was the source for this post.
So Pat Patterson has pulled a nice rabbit outta his hat and concocted a SAMLv2 Relying Party Implementation in PHP! I’m going to have to play with this one…