Stanford Web Security Service Proposal
Version 0.85

Tim Torgenrud, DCCS
DRAFT, 11/11/96

NOTE: This is still a draft.
Comments and suggested changes to this document should be directed to torg@stanford.edu.

Contents

Background
Requirements
Proposed Implementations
Design Constraints
The Web Authentication Process
API Documentation
Modified Server Options
Long Term Expections

Background

The arrival of the World Wide Web (WWW) brought about a higher visibility of basic information/document exchange. At the time of its release however, the WWW was intentionally designed to be an "open" specification for data exchange/access. The original design specifically states that security and access controls were left out of the WWW.
Increased usage of the Web for a variety of tasks that involve the sharing of data and files has raised the issue of incorporating access controls and data security into the Web delivery process. Vendors (in particular Netscape) have addressed a part of this by creating a structure through the Secure Socket Layer (SSL) methodology that provides for encryption on the wire. Vendors have not clearly provided the means for incorporating the Web browser into the enterprise infrastructure with authenticated "login". (SSL authenticates the Web server to the client browser but does not currently do the reverse - clearly identifying the user to the server.) This means that the enterprise is required to prompt for a username/password pairing in some manner, typically on an application by application basis. Also, many of the vendor-suggested solutions make the assumptions that environment is firewalled from the Internet and that the internal network is trustworthy. Both assumptions fail in regard to the Stanford network environment.
The Stanford enterprise infrastructure uses Kerberos (currently version 4, migrating to version 5). The only browser that currently supports Kerberos for browser authentication is NCSA Mosaic. Most vendors have indicated little intent to fit Kerberos directly into their browser product. Most vendors have indicated that they are simply waiting for the establishment of individual public-key certificates as a method of long-term user identification and authentication. The campus authentication system will evolve to support public-key methods as a general Internet public-key infrastructure emerges over the next few years, but this is not a near-term solution.
This proposal has been established to provide method(s) of bringing the campus authentication infrastructure (Kerberos) and the campus Web environment together to provide a secure method for document transmission that can include user authentication for campus users.
There are two general modes of interaction with web-based services. One is the standard WWW function of serving more or less static pages of information. In this mode it is desirable to support controls such that access to pages can be limited to a set of users. The other mode is the traditional session-oriented interaction (log in, do some work, log out). These applications are implemented using some form of CGI programming. Such programs require methods to obtain authentication information about users, and associate authentication with session state. The scope of this proposal includes support for both of these modes.

Requirements

  • (R1) If passwords go across the network, they must be encrypted
The sending of passwords across the network should be minimized. If they are sent, they must be protected by strong encryption. This will minimize the usefulness of "sniffer" attacks that monitor network packets.
  • (R1)Limit exposure of passwords to hosts
Secure handling of user passwords is critical. Ideally users should only type their passwords into system immediately in front of them. The scheme should not require password-handling by every web server that wishes to use authentication. This will minimize the trust that users have to place in web servers they access.
  • (R2) Permit non-SSL-encrypted connections where appropriate
An authentication design that requires all connections to use SSL encryption at all times solves some security problems, but at the cost of substantial performance reduction, and of changing all URLs to be https://. The use of SSL encryption should be available when an application or document requires protection of the data stream, but otherwise should not be required simply to support authenticated access.
  • (R3) Encrypted stream for data
The data path on the network between the Web server and the client browser must have a method for secure, encrypted transmission. Not every application will require the use of encrypted connections, but it must be available for those that do.
  • (R4) Ability to authenticate user within the infrastructure
There needs to be a clear and viable way to identify the browser user in terms of the campus (enterprise) environment. As the campus environment is using Kerberos for general authentication, the authentication should provide identification of a Kerberos principal.
  • (R5) Minimize changes to URLs and access methods
As much as possible the scheme should work transparently with existing URLs (http://host/ and https://host/). Adoption of the scheme will be much more difficult if users are required to create new URLs for their authenticated pages.
  • (R6) Permit user-written, untrusted applications to co-exist on the same server
In some server environments it is attractive to support simple web-based applications that are "user-written." Such applications are not reviewed by professional staff, are not monitored for security or performance, and can be installed by ordinary users on a multi-user system. In particular, such applications may be actively hostile to other applications running on the same server. Providing support for them means protecting applications on a server such that a rogue application cannot compromise another by reading its files or environment variables, spoofing its operations, etc.
  • (R7) API for access to authentication information via CGI programming
Programmers need a simple API for calling the web authentication module. A simple set of calls for getting the authenticated Kerberos principal is needed.
  • (R8) Placement of authentication information into environment variables
For CGI scripts, the results of authentication should be accessible via environment variables if the server is capable of overseeing the web authentication process. This eliminates the need for the CGI programmer to use the web authentication API.
  • (R9) Support easy-to-use secure access control for static documents
Many people who make documents available via the web would like to control access to them to a limited set of users. Currently, this is done using HTTP Basic Authentication, which requires username/password management by the document supplier, and is as insecure as any other method that sends passwords in the clear. This also sometimes done using a non-advertised URL which is otherwise unprotected; this is obviously insecure, and requires document users to remember the URLs.
To make this capability as widely accessible as possible, it should work without requiring programming or password management by the document provider. Ideally, it should use the existing authentication infrastructure and require no more than putting a list of authorized usernames in the appropriate location (similarly to the current .htaccess file usage). Use of access control should be independent of the use of encryption on transmitted documents, which imposes unnecessary overhead on applications that don't require this level of protection.
  • (R10) Maintain authenticated status in some manner
The use of authenticated status is often tied to the notion of a "session" with a service. These "sessions" span multiple HTTP transactions and programmers need a method of maintaining the authentication of the browser user across the span of the "session".
  • (R11) Applicable across browser implementations and desktops (with defined security restrictions)
The authentication method supplied needs to be usable across browsers with the restriction that desktops that are without the installed infrastructure security elements (ie, to authenticate requires that you submit a password over the network) must have a browser capable of the established connection encryption mechanism (eg, SSL).
  • (R12) Accomodate identification through either SUNet ID or UnivID/PIN mechanisms
This mechanism needs to allow for the establishment of authentication through either the preferred SUNetID or the legacy UnivID/PIN methodology.
  • (R13) Should be able to apply to departmentally-maintained servers as well as centrally maintained services (with some defined restrictions)
Departments should be able to take advantage of the deliverables within the limits of operating system and established security level requirements.

Proposed Implementations

Design Constraints
  • Encryption Issues
    The Secured Socket Layer (SSL) capability is the only method currently seen as an answer for passing password information over an encrypted channel.
    Any application that wishes to take advantage of the full web authentication package will need to limit its browser support to only those browsers that can use SSL.
  • Authentication Issues
    The basic proposed implementation seeks to be most effective with desktops that have an infrastructure authentication responder (eg MacLeland or PCLeland) installed and also have browsers that can understand HTTP cookies and make use of the Secured Socket Layer (SSL) capability.
    At a bare minimum, the desktop MUST have either an infrastructure authentication responder or an SSL-capable browser installed.
    General authentication through the responder is provided via the S/Ident protocol. See the S/Ident proposal for further information. Currently, the web authentication module is providing backward compatibility for versions of MacLeland that are prior to those that use the S/Ident protocol.
  • Replay Issues
    Whatever is put in environment variables would be visible to other users/processes on the machine. This might require the restriction of what users and/or scripts have access on a machine having Stanford web authentication installed. Or the items listed in environment variables may need to be limited to eliminate the potential for replay attacks.

The Web Authentication Process

  • General Overview
    The process for authentication can vary based on what is present on the client browser desktop and/or what the application insists upon in terms of a time factor for the authentication. Generally, the process involves attaining the Kerberos principal associated with the client browser either by means of a responder on the client desktop or by passing the client browser to a proxy authenticator. The web authentication processes then build a token string (webauth token) that is passed between the client browser and the web service. This webauth token can reside either in the URL (QUERYSTRING or PATHINFO or actually in the URL if the server is modified) or be passed using web cookies.

    Process Using the Desktop Responder
    The client browser connects to a web service that requires authentication. The web service checks for a webauth token. Failing to find a webauth token, the web service then uses the S/Ident protocol and attempts to verify the principal associated with the client browser. Upon receiving a positive S/Ident response, the web service builds a webauth token and exchanges it with the client browser.

    Process Using the Proxy Authenticator
    The client browser connects to a web service that requires authentication. The web service checks for a webauth token. Failing to find a webauth token, the web service then uses the S/Ident protocol and attempts to verify the principal associated with the client browser. Failing to get a positive response, the web service redirects the client browser to a proxy authentication service (along with a return URL for after authentication). If the client browser completes the authentication, the proxy authentication server will build a token for the web service. The proxy authentication server then redirects the client browser back to the web service. The web service checks for a webauth token. Finding a webauth token from the proxy authentication service, the web service takes that token apart and then builds a webauth token and exchanges it with the client browser.

  • Technical Overviews

    Details of the Ticket Exchange Process
    The description below uses the following notation:
    •   Kx      :  x's secret key

    •   Kx-y    :  session key for x and y

    •   {..}Kx  :  data encrypted in x's secret keyBR>

    •   Tx-y    :  x's ticket for service y

    •   Ax      :  authenticator for x

    •   S       :  the ident.S service principal for server S

    •   C       :  client machine with web browser

    •   U       :  the user principal on C
    The one-line summary is: we are using cookies to implement more or less exactly the function of the regular Kerberos ticket cache.

      Normal http connections aren't accompanied by or associated with Kerberos service tickets, so this needs to be done externally. One notable extreme would be the approach (in use by sites using SideCar) is that the web server calls back to a local desktop responder (e.g., SideCar) on the client for each and every connection. This provides a direct path from the web server to the real ticket cache on the client with the side effect of lots of callbacks and increased connections overhead.
      However, it is possible to put a ticket in a cookie, more or less, so the ticket can ride along with the http request itself, avoiding all those callbacks. The issue then becomes how to get the appropriate ticket (Tu-s) into the cookie. First the S/Ident requestor is used to cause the client C to request Tu-s from the TGS and cache it. Note that if the browser offered the ability to create a cookie locally, rather than being created only by servers, in theory,the client could create the appropriate ticket-as-cookie entirely, without having to pass it through the web server at all. Currently, this is not readilty available, so the ticket Tu-s now has to be transferred to the server (via S/Ident), cookie-ized by the server, then set into the client web browser. Now the client will return it in any future requests to the server and authentication is established.
      If the client C has no local Kerberos, or has no S/Ident responder to fill up its cache, in this case, and only in this case, the "kerberos proxy server" A is introduced to act as the Kerberos client that C lacks. So the user types the appropriate username/password pair into A, which generates the Tu-s ticket, cookie-izes it, and sets it into C's browser. The result is the same (excepting A's IP versus C's) as the S/Ident case.
      However, a regular Kerberos ticket cache also includes a TGT (Tu-tgs). In the scheme above A cannot hang on to the TGT for C since it can't tell one C from another to be able to reuse the TGT. So it cookie-izes Tu-tgs and sets it into C (encrypting it so it cannot be tampered with), which will return it to A if it talks to it again any time soon. Note that this TGT, like any TGT, is just an optimization to avoid having to type the password frequently.
      Note in particular that the S/Ident interaction happens *only* between S and C, and *never* between A and C, reducing the need to "trust" A only to those cases where A is needed to gather the username/password pair for ticket requesting.

    Web Authentication Scenarios

    The scenarios below use the following notation: 
    • 	 C   - client, web browser

    • 	"A"  - Proxy authentication server, where username/password 
		or ID/PIN prompting can be done.

    • 	 S   - some random web server
    Scenario: Desktop contains no Stanford authentication modules. Client browser includes web cookie and SSL support.
    NOTE: SSL is required for authentication!

    • C requests a document or service from S that requires authentication.
    • S checks for cookies or a tokenized URL from C of type ident.S.
    • S checks then for the existence of an S/Ident responder on C.
    • Failing to find such items, S sends a redirect of "A" to C with an appropriate URL back to S postpended.

      <--- SSL connection required --->

    • "A" checks that there isn't a cookie indicating that C has authenticated with "A" before. (Discussed below.)
    • "A" then puts up a page prompting C for username and password.
    • "A" then requests a TGT ticket for C.
    • Upon receipt of the TGT(C), "A" builds a cookie for A that it gives to C that contains the TGT(C) encrypted in "A"'s private key. (This can be used for later service authentication as mentioned above.)
    • Using TGT(C), "A" then requests and receives a ticket for S (ident.S). This ticket is put into a cookie that is handed to C.
    • A redirect back to the URL on S is issued back to C (and in that manner, the ident.S cookie is passed on to S).

      <--- SSL connection no longer required --->

    • S should now not fail when checking for cookies or a tokenized URL from C of type ident.S and authentication has been achieved. (The ident.S ticket from C is available or the CGI environment variables are now set.)

    Note: A time limit on TGT(C) to limit the exposure is required. The recommended time is 15 minutes.

    Scenario: Desktop contains Stanford authentication modules. Client browser does not contain web cookie support.

    Scenario: Desktop contains Stanford authentication modules. Client browser contain web cookie support but application wishes to pass authentication via URL in all cases.

API Documentation

Using the webauth.pl PERL Library
get_local_auth
get_remote_auth
Status Codes
The Webauth Token
Webauth Identification Types
Authentication Methods
Using the webauth.pl PERL Library
This method requires that the WebAuth.pm module and the webauth.pl library be installed.

For PERL programmers using the authentication module on a local server, there are two calls, get_local_auth and get_remote_auth.

The get_local_auth is called to actually get the authentication information. It is the only call that actually has a return. get_local_auth checks for a service token and also performs the S/Ident and Leland_Agent callbacks to establish a service token if no token is found. If no callback agents are discovered and no service token exists, get_local_auth will return a complete failure status.

The get_remote_auth is called to redirect the client to the proxy server for username/password pair prompting. Since this is implemented through a stateless protocol, program doing the calling must either pass the return point to the proxy server or be prepared to have the then-authenticated client begin the calling program from the beginning of the main body.

The calls: 

	( $status, $auth_id, $auth_age, $ident_type, $ident_method ) =
		&get_local_auth ( $lifetime, $token_loc );

	&get_remote_auth ($return_url, $ident_type, $token_loc,
		$formcall_method, $return_method );
get_local_auth is called with the arguments: 
	$lifetime	-	the allowed lifetime in seconds of the
				authentication

	$token_loc	-	where the token for authentication can
				be kept (any combination of cookie, 
				embedded in the url with @@, path_info,
				or query_string as represented by "c", 
				"e", "p", "q"
get_local_auth returns: 
	$status		-	a result status on the call's actions.
				This is presented in the form of:
					Numeric code:Error string
				(See Status Codes)

	$auth_id	-	if authentication was successful, a
				SUNet ID or Univ ID (as indicated by
				$ident_type) will be returned

	$auth_age	-	the time (in seconds (?)) since the
				authentication action occurred

	$ident_type	-	the form of identification that was
				returned
				(See Identification Types)

	$ident_method	-	the manner in which authentication was
				established
				(See Authentication Methods)
get_remote_auth is called with the arguments: 
	$return_url	-	the URL that the authentication service
				should redirect the client browser to
				after authentication is completed

	$ident_type	-	the form of identification that is 
				desired - uses the Identification Types
				with the addition of the key "any"
				(See Identification Types)

	$token_loc	-	where the token for authentication should
				be put (any combination of cookie, 
				embedded in the url with @@, path_info,
				or query_string as represented by "c", 
				"e", "p", "q"

	$formcall_method -	whether the authentication service
				should be called by a redirect or to 
				prompt the user with a form button
				indicating authentication is required

	$return_method	-	whether the authentication service
				simply redirects back to the $return_url
				or verifies authentication to the user 
				with a hyperlink pointing back to
				$return_url
get_remote_auth is an exit call. It closes the calling program and redirects the connecting client to the proxy authentication server.

Status Codes

get_local_auth returns a status code in the form of a numeric code that is colon-separated from an error string. Current established codes are:

200 : Success
301 : No return URL provided
400 : No Auth Found
500 : Auth Unsuccessful
600 : Auth Expired
701 : DES operation failed
702 : Open of srvtab failed

The Webauth Token

The webauth token consists of six colon-separated items. These items are:

User (principal) or UnivID
Indicates the authenticated principal name or confirmed UnivID.
create_time
Indicates the time at which the principal was authenticated. (This can vary dependent upon whether the authentication method was via responder or proxy.)
Identification Type
Indicates what type of User is being provided.
client_IP
Indicates the IP address of the actual authenticating client (used in particular with proxy authentication).
Authentication Method
Indicates which authentication method (responder, proxy, etc.) was used to establish the User.
Data
To be determined. Placeholder field for possible use with session state requirement.

The webauth token is DES-encrypted in the web service key and then converted to base64. It is then prefixed with either a local: or a remote: tag to indicate that the web service (local:) itself created the webauth token or the proxy authentication service (remote:) did the creation.

Identification Types

The web_auth package can establish identification for the following recognized types:

UnivID
a numeric University ID
SUNet ID
the "person" (aka principal) SUNet ID type

Authentication Methods

The web_auth package establishes authentication by the following recognized methods:

Leland Agent
Using the current version of MacLeland
S/Ident
Using the versions of Mac/PC/Unix responders that utilize the S/Ident protocol
Proxy
Using the redirect method to the proxy authentication server that prompts the client for a username/password pairing
Client
Using tools such that the client actually establishes its own authentication token to pass for get_local_auth

Modified Server Options

Integration of the WebAuth process into an Apache server module is expected as well (in particular, this work will be done for the WWW-Leland Web services) but the deliverable is anticipated after the delivery of the general base WebAuth module.

Integration will produce the following service extensions:

File Access Control

This allows users to base authentication simply upon the existing .htaccess control method by simply adding a new AuthType.
  • AuthType StanfordAuth
The server is modified to recognize the AuthType StanfordAuth which allows for htgroup files and require statements in the access control file for a directory to contain the authenticated user's identity rather than having to maintain a separate and unique passwd file. require valid-user would then indicate an authenticated client browser session.

Environment Variables

For CGI programmers using a modified server, the authentication process built into the server will set several environment variables. The standard variable that gets set is the standard REMOTE_USER, with several WebAuth specfic SU_AUTH_* type variables also being established:

SU_AUTH_AGE
how old the current credential is
SU_AUTH_USER
same as REMOTE_USER but specific to the webauth setup
SU_AUTH_METHOD
by what method the user was authenticated
SU_AUTH_TOKEN
If authentication has been previously established and the client browser is passing the webauth token in a cookie, SU_AUTH_TOKEN is set with the encrypted webauth token.

Note: Indeed REMOTE_USER should not be assumed for the API, but rather assume SU_AUTH_USER so that there can't be any mistake about what kind of authentication the user established, as REMOTE_USER may be set through a variety of methods.

Long Term Expectations

The use of personal digital certificates for authentication is anticipated in the future and will require modifications to the infrastructure and service delivery for integrated functionality. Actual specifications are currently still too unclear to provide a full impact analysis.