Authentication protocols: A comparative analysis.
Authentication protocols play a crucial role in controlling access to web applications and systems. Today most web applications and systems require users to register by creating a new account. From the user's perspective, it is impractical to remember a separate username and password for every application, so users reuse the same passwords, pick weak ones, or keep a list of all their credentials. All of these are security threats. Single Sign-On (SSO) is the well-known answer: the user authenticates once, to an identity provider, and that single authentication is accepted by multiple web applications.
Benefits of Single Sign-On (SSO)
1. SSO lets the same authentication and/or authorization attributes be maintained across multiple web applications or systems.
2. From the application developer's perspective, SSO reduces the complexity of having to understand and implement identity security in every application.
3. Application maintainers benefit as well: user management is centralised at the identity provider, which reduces its cost.
Authentication protocols
They include:
SAML 2.0
SAML 2.0 is an XML-based protocol developed by the Security Services Technical Committee of OASIS. SAML uses a security token, the assertion, to pass information about the principal (typically the user) from the identity provider to the service provider (the application). SAML 2.0 has a modular architecture consisting of three major parts: the core (assertions and protocol messages), bindings (how messages are carried over transports such as HTTP Redirect, HTTP POST and SOAP) and profiles (how core and bindings are combined for a use case such as Web Browser SSO). SAML 2.0 is flexible and extensible and can be customised and combined with other standards.
OpenID
OpenID is a lightweight protocol with a decentralised, user-centric architecture. The original OpenID authentication protocol was developed by Brad Fitzpatrick and is now managed by the OpenID Foundation. Users create an account at their preferred OpenID provider and then use that account at any web application (relying party) that accepts OpenID authentication.
WS-Federation passive requestor profile
Like SAML 2.0, WS-Federation has a modular architecture, which makes it flexible and extensible and lets it address general web security problems beyond sign-on. The protocol was developed by IBM and Microsoft. It builds on the WS-* family, in particular WS-Security, WS-Trust and WS-SecurityPolicy, each covering a different part of the SSO process (message protection, token issuance and policy expression respectively). The passive requestor profile is the variant for web browsers, which cannot perform SOAP exchanges themselves and are instead driven through HTTP redirects and form POSTs.
Central Authentication Service (CAS)
CAS is an authentication system that provides enterprise SSO services. The protocol was created at Yale University to give applications a trusted way to authenticate a user. It also supports multi-tier authentication through proxy tickets and has a centralised architecture. It is an open and well-documented protocol with an open-source Java server component and client libraries for Java, .NET, PHP, Apache and others.
SSO process initiation mechanism
The SSO process can be initiated in either of two ways:
Service provider initiated: the application starts the SSO process when the user tries to log in, by redirecting the browser to the identity provider.
Identity provider initiated: the user visits the identity provider first in the browser, authenticates there, and is then sent on to the web application with a token.
The second mechanism gets its name because the whole process starts at the identity provider. OpenID supports only service-provider-initiated SSO: the end user enters their OpenID identifier at the relying party (the web application), which then discovers and redirects to the provider. SAML supports both forms, so an IdP-initiated flow can back a portal from which the user launches applications without each application sending an authentication request first. The price of IdP-initiated SSO is that the service provider receives an unsolicited response, so it cannot tie the token to a pending request of its own. Both CAS and the WS-Federation passive profile support service-provider-initiated SSO.
Identity providers
OpenID can automatically discover the user's identity provider, which is one of its key advantages. The identifier is itself a URL: when Bob logs in with http://myidentityprovider.com/bob/, the relying party fetches that URL and reads the provider endpoint from it, so it learns that Bob's identity provider is at myidentityprovider.com without any prior configuration. This makes configuring an application for SSO very simple. For an enterprise, however, it is also a drawback: an application or service provider should not trust every OpenID provider on the internet, and accepting arbitrary identifiers does exactly that. The fix is to limit logins to a set of trusted identity providers; in OpenID this is done with the directed identity mechanism, where the application offers the chosen provider(s) and the provider, rather than a user-typed identifier, determines which identity is asserted.
SAML 2.0 service providers are explicitly coupled to their identity providers: trust is established out of band by exchanging metadata (entity IDs, endpoints and signing certificates). For choosing among several identity providers, SAML 2.0 defines the Identity Provider Discovery Profile, which relies on a discovery service. WS-Federation uses Home Realm Discovery for the same purpose, without prescribing a single method: the realm may be fixed, derived from the requestor's IP address, prompted from the user, obtained from a discovery service or remembered in a shared cookie. CAS, as described above, is centralised and uses a single server for identity management.
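The discovery and trusted-provider behaviour described in the two paragraphs above, as an added example written for this page (it is not code from the original post or from any OpenID library). It performs OpenID 2.0 HTML-based discovery on a constructed page for http://myidentityprovider.com/bob/, refuses any provider endpoint that is not on a constructed allowlist, and builds the directed-identity request for a provider the user picks from a menu. The page contents, the allowlist, the relying-party URLs under app.example and the attacker.example identifier are all assumptions; an in-memory dict stands in for the HTTP fetch so the example runs offline.

```python
"""OpenID 2.0 HTML-based discovery with a trusted-provider allowlist.
Added example, not from the original post.  Pages, allowlist and RP URLs are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"
# Directed identity: the RP asks the OP to choose the identifier (OpenID 2.0, section 9.1).
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Constructed: the only OP endpoints this relying party is willing to redirect users to.
TRUSTED_OP_ENDPOINTS = {"https://myidentityprovider.com/openid/server"}

# Constructed stand-in for fetching the claimed identifier over HTTP.
PAGES = {
    "http://myidentityprovider.com/bob/": (
        '<html><head><title>Bob</title>'
        '<link rel="openid2.provider" href="https://myidentityprovider.com/openid/server">'
        '<link rel="openid2.local_id" href="https://myidentityprovider.com/openid/bob">'
        '</head><body>Bob</body></html>'
    ),
    "http://attacker.example/bob/": (
        '<html><head>'
        '<link rel="openid2.provider" href="https://attacker.example/openid/server">'
        '</head></html>'
    ),
}


class _LinkRelParser(HTMLParser):
    """Collect href values of <link rel="..."> tags (OpenID 2.0, section 7.3.3)."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        if a.get("rel") and a.get("href"):
            for token in a["rel"].split():          # rel may list several tokens
                self.links.setdefault(token, a["href"])


def normalize(user_input):
    """OpenID 2.0, section 7.2: add a scheme if missing and default the path to '/'."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    u = urlsplit(s)
    return f"{u.scheme}://{u.netloc}{u.path or '/'}"


def discover(claimed_id, fetch=PAGES.get):
    """HTML-based discovery: return (op_endpoint, op_local_identifier)."""
    html = fetch(claimed_id)
    if html is None:
        raise ValueError(f"cannot fetch {claimed_id}")
    p = _LinkRelParser()
    p.feed(html)
    op_endpoint = p.links.get("openid2.provider")
    if op_endpoint is None:
        raise ValueError("no openid2.provider link in page")
    # Without an explicit local_id the claimed identifier is also the OP-local identifier.
    return op_endpoint, p.links.get("openid2.local_id", claimed_id)


def require_trusted(op_endpoint):
    """Exact-match allowlist: never redirect to an OP the enterprise has not vetted."""
    if urlsplit(op_endpoint).scheme != "https" or op_endpoint not in TRUSTED_OP_ENDPOINTS:
        raise PermissionError(f"untrusted OpenID provider: {op_endpoint}")
    return op_endpoint


def checkid_request(op_endpoint, claimed_id, identity, return_to, realm):
    """Parameters of the checkid_setup redirect the RP sends the browser to."""
    require_trusted(op_endpoint)
    return {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }


def start_login(user_input, return_to, realm, fetch=PAGES.get):
    """User typed an identifier: discover its OP, then refuse anything off the allowlist."""
    claimed_id = normalize(user_input)
    op_endpoint, local_id = discover(claimed_id, fetch)
    return checkid_request(op_endpoint, claimed_id, local_id, return_to, realm)


def start_directed_login(op_endpoint, return_to, realm):
    """User picked a trusted OP from a menu: directed identity, no discovery needed."""
    return checkid_request(op_endpoint, IDENTIFIER_SELECT, IDENTIFIER_SELECT, return_to, realm)


if __name__ == "__main__":
    print(start_login("myidentityprovider.com/bob/", "https://app.example/openid/return", "https://app.example/"))
    try:
        start_login("attacker.example/bob/", "https://app.example/openid/return", "https://app.example/")
    except PermissionError as e:
        print("refused:", e)
```

The allowlist compares the full endpoint URL rather than just the host, and insists on https, so a provider on an attacker's domain, or a downgrade to a plaintext endpoint, is refused before the browser is ever redirected.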
Security token types
Security tokens are what proves the user's identity in the SSO process. A token carries the user's identity claims and information about the authentication event, and each protocol defines its own token type in its specification. OpenID uses plain-text request and response messages made up of a set of parameters defined in the specification (openid.mode, openid.identity, openid.sig and so on). In SAML 2.0 the token is the assertion, an XML document carrying the security information: the service provider requests and obtains an identity assertion from the identity provider and bases authentication and authorisation on it. SAML can also carry other token types embedded in an assertion. In WS-Federation, WS-Trust is responsible for letting applications build trusted message exchanges and broker security tokens, so any token used with WS-Federation must be one that WS-Trust can issue (SAML tokens are the common choice). CAS uses a secure cookie containing a string that identifies a ticket-granting ticket on the CAS server; this cookie is called the ticket-granting cookie (TGC), and short-lived service tickets for individual applications are issued on the strength of it.
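An added example, not from the original post, of the checks a service provider runs on a SAML 2.0 assertion once its XML signature has been verified (signature verification itself needs an XML-DSig library such as xmlsec and is left out here). The assertion, the entity IDs, the assertion consumer service URL, the request ID _req42 and the clock values are constructed for the demonstration.

```python
"""Consumer-side checks on a SAML 2.0 assertion (added example, not the post's code).
Run after XML signature verification; assertion, IDs, URLs and clock values are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed: our SP's identity and the IdP we trust, as exchanged in metadata.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
ACS_URL = "https://sp.example.com/saml/acs"
TRUSTED_IDP = "https://idp.example.org/saml"
CLOCK_SKEW = timedelta(seconds=60)

# Constructed sample assertion for user bob, issued in reply to our AuthnRequest _req42.
ASSERTION_XML = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml2:Issuer>https://idp.example.org/saml</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID>bob@example.org</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://sp.example.com/saml/acs" NotOnOrAfter="2024-05-01T12:05:00Z"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://sp.example.com/saml/metadata</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="role"><saml2:AttributeValue>admin</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Constructed clock values: inside the validity window, and after it.
NOW_OK = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)
NOW_LATE = datetime(2024, 5, 1, 12, 10, tzinfo=timezone.utc)


class SamlValidationError(Exception):
    pass


def _ts(value):
    """xs:dateTime such as 2024-05-01T12:00:00Z -> timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, now, outstanding_request_ids, seen_assertion_ids):
    """Return {'name_id', 'attributes'} or raise SamlValidationError.
    outstanding_request_ids: IDs of AuthnRequests this SP sent (SP-initiated flow).
    seen_assertion_ids: replay cache of assertion IDs already consumed."""
    a = ET.fromstring(xml_text)
    if a.tag != f"{{{NS['saml2']}}}Assertion" or a.get("Version") != "2.0":
        raise SamlValidationError("not a SAML 2.0 Assertion")
    if a.findtext("saml2:Issuer", namespaces=NS) != TRUSTED_IDP:
        raise SamlValidationError("untrusted issuer")
    aid = a.get("ID")
    if not aid or aid in seen_assertion_ids:
        raise SamlValidationError("missing or replayed assertion ID")

    cond = a.find("saml2:Conditions", namespaces=NS)
    if cond is None:
        raise SamlValidationError("no Conditions")
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")) - CLOCK_SKEW:
        raise SamlValidationError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise SamlValidationError("assertion expired")
    audiences = [e.text for e in cond.iterfind("saml2:AudienceRestriction/saml2:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlValidationError("assertion not addressed to this SP")

    scd = a.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        raise SamlValidationError("bearer confirmation missing or wrong Recipient")
    if scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise SamlValidationError("subject confirmation expired")
    irt = scd.get("InResponseTo")   # absent in IdP-initiated SSO; otherwise must match our request
    if irt is not None:
        if irt not in outstanding_request_ids:
            raise SamlValidationError("InResponseTo does not match an outstanding request")
        outstanding_request_ids.discard(irt)

    seen_assertion_ids.add(aid)
    attrs = {att.get("Name"): [v.text for v in att.iterfind("saml2:AttributeValue", NS)]
             for att in a.iterfind("saml2:AttributeStatement/saml2:Attribute", NS)}
    return {"name_id": a.findtext("saml2:Subject/saml2:NameID", namespaces=NS), "attributes": attrs}


def try_validate(xml_text, now, outstanding_request_ids, seen_assertion_ids):
    """Wrapper returning the identity dict, or the rejection reason as a string."""
    try:
        return validate_assertion(xml_text, now, outstanding_request_ids, seen_assertion_ids)
    except SamlValidationError as e:
        return str(e)


if __name__ == "__main__":
    seen = set()
    print(try_validate(ASSERTION_XML, NOW_OK, {"_req42"}, seen))
    print(try_validate(ASSERTION_XML, NOW_OK, {"_req42"}, seen))      # second use: replayed
    print(try_validate(ASSERTION_XML, NOW_LATE, {"_req42"}, set()))   # past NotOnOrAfter: expired
```

Every check here corresponds to a field the token carries for exactly this purpose: Issuer ties it to the trusted IdP, Audience and Recipient tie it to this SP, the two NotOnOrAfter values bound its life, InResponseTo ties it to a request the SP actually sent, and the assertion ID feeds a replay cache that must persist for at least the validity window.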
Single sign-out
While SSO means logging in to multiple applications with a single authentication, single sign-out (single logout) removes all of those sessions at once when the user logs out of any one application. SAML 2.0 supports single logout; OpenID does not. CAS supports it too: when a ticket-granting ticket is explicitly expired (the user logs out), CAS initiates its logout protocol and notifies the services that obtained tickets from it. In WS-Federation, SSO to the various web applications is maintained through session cookies in the browser, and the sign-out process destroys those cookies so that the user must present credentials again to access the applications. Sign-out can be initiated either by a relying party or by the security token service (STS), which then sends sign-out messages to all relying parties.
Security issues
Even though SSO makes life easier, these protocols bring security issues of their own. Phishing is one of the major concerns with OpenID. The relying party controls the redirect to the identity provider, so a malicious relying party can send the user to a fake identity provider and capture the credentials. At the application level this can be mitigated by verifying the signature on the identity provider's response messages and checking the identity provider's domain against the expected one. Man-in-the-middle and replay attacks are also possible in OpenID. SAML 2.0, being XML-based, is vulnerable to XML Signature Wrapping attacks: the adversary changes the message structure by injecting elements so that the signature still validates over the original, signed element while the application processes the injected, unsigned one. CAS users who already hold a ticket-granting cookie (TGC) are exposed to phishing: if the user clicks a malicious link to the CAS login endpoint, the CAS server sees the TGC, issues a service ticket and redirects the browser to the service URL named in the link with the ticket appended as a query string. Because the URL to the application carries the ST, a fake application at that URL can steal it. This is a common attack on CAS, which is why CAS deployments should restrict the service parameter to an allowlist of registered services rather than redirecting to any URL presented.
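The signature wrapping attack on SAML described above, as an added example written for this page and not taken from the post or from any SAML library. Real XML-DSig is replaced by a stand-in (SHA-256 over the serialised element, and an HMAC with a demo key in place of an RSA signature), because the flaw being shown is not in the cryptography but in which element the consumer trusts after verification. The element IDs, names, issuer and the demo key are constructed.

```python
"""XML Signature Wrapping (XSW) against a SAML consumer: vulnerable vs hardened.
Added example, not from the post.  XML-DSig is replaced by a stand-in (SHA-256 over the
serialised element, HMAC with a demo key); the flaw shown is in *which element* the
consumer trusts after verification, not in the cryptography.  All IDs/names are constructed."""
import copy, hashlib, hmac
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
for _p, _u in (("samlp", SAMLP), ("saml2", SAML), ("ds", DS)):
    ET.register_namespace(_p, _u)
SIGNING_KEY = b"demo-idp-key"                      # constructed stand-in for the IdP signing key
NAME_ID = f"{{{SAML}}}Subject/{{{SAML}}}NameID"

def _digest(elem):
    """Stand-in for C14N + SHA-256: hash the element serialised without its enveloped Signature."""
    clone = copy.deepcopy(elem)
    clone.tail = None
    for sig in clone.findall(f"{{{DS}}}Signature"):
        clone.remove(sig)
    return hashlib.sha256(ET.tostring(clone)).hexdigest()

def _mac(digest):
    return hmac.new(SIGNING_KEY, digest.encode(), "sha256").hexdigest()

def sign_element(elem):
    """IdP side: append an enveloped Signature whose Reference points at elem by ID."""
    digest = _digest(elem)
    sig = ET.SubElement(elem, f"{{{DS}}}Signature")
    ref = ET.SubElement(ET.SubElement(sig, f"{{{DS}}}SignedInfo"), f"{{{DS}}}Reference", URI="#" + elem.get("ID"))
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = _mac(digest)

def verify_signature(doc):
    """Return the element the signature covers, or None.  Like real XML-DSig libraries,
    the Reference URI is resolved to an ID *anywhere* in the document."""
    sig = doc.find(f".//{{{DS}}}Signature")
    ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference") if sig is not None else None
    if ref is None or not (ref.get("URI") or "").startswith("#"):
        return None
    target = next((e for e in doc.iter() if e.get("ID") == ref.get("URI")[1:]), None)
    if target is None:
        return None
    digest = _digest(target)
    ok = (hmac.compare_digest(digest, ref.findtext(f"{{{DS}}}DigestValue") or "")
          and hmac.compare_digest(_mac(digest), sig.findtext(f"{{{DS}}}SignatureValue") or ""))
    return target if ok else None

def _assertion(name_id, aid):
    a = ET.Element(f"{{{SAML}}}Assertion", ID=aid, Version="2.0")
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = "https://idp.example.org/saml"
    ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = name_id
    return a

def build_signed_response(name_id):
    """What the IdP sends: a Response holding one signed Assertion, as bytes."""
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_r1", Version="2.0")
    a = _assertion(name_id, "_a1")
    sign_element(a)
    resp.append(a)
    return ET.tostring(resp)

def wrap_attack(response_bytes, attacker_name_id):
    """Attacker without the key: keep the signed Assertion intact so the signature still
    verifies, and insert an unsigned Assertion with their own NameID in front of it."""
    resp = ET.fromstring(response_bytes)
    resp.insert(0, _assertion(attacker_name_id, "_evil"))
    return ET.tostring(resp)

def consume_vulnerable(response_bytes):
    """Verifies 'the' signature, then trusts the first Assertion it finds."""
    resp = ET.fromstring(response_bytes)
    if verify_signature(resp) is None:
        raise ValueError("bad signature")
    return resp.find(f".//{{{SAML}}}Assertion").findtext(NAME_ID)

def consume_hardened(response_bytes):
    """Reads only the exact element the verified signature covers."""
    resp = ET.fromstring(response_bytes)
    signed = verify_signature(resp)
    if signed is None:
        raise ValueError("bad signature")
    assertions = resp.findall(f".//{{{SAML}}}Assertion")
    if len(assertions) != 1 or assertions[0] is not signed or signed not in list(resp):
        raise ValueError("signed element is not the single top-level Assertion")
    ids = [e.get("ID") for e in resp.iter() if e.get("ID")]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate ID attributes")
    return signed.findtext(NAME_ID)

def outcome(consumer, response_bytes):
    """NameID the consumer would log in, or 'rejected: <reason>'."""
    try:
        return consumer(response_bytes)
    except ValueError as e:
        return f"rejected: {e}"

if __name__ == "__main__":
    legit = build_signed_response("bob@example.org")
    forged = wrap_attack(legit, "admin@example.org")
    for c in (consume_vulnerable, consume_hardened):
        print(c.__name__, "legit:", outcome(c, legit), "| forged:", outcome(c, forged))
```

consume_vulnerable accepts the forged response and logs in admin@example.org: it verifies whichever signature it finds, then reads whichever Assertion comes first, and nothing ties the two together. consume_hardened uses only the element the verified Reference resolved to, requires it to be the single top-level Assertion of the Response, and rejects duplicate ID attributes, which are the other classic way to confuse ID-based reference resolution.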
Conclusion
OpenID is an easy-to-implement, lightweight protocol compared with the others. However, SAML 2.0 and the WS-Federation passive requestor profile have clear advantages over OpenID for enterprise SSO, and as a result most software-as-a-service (SaaS) vendors integrate those two protocols into their applications. CAS is an older protocol with a centralised architecture, unlike OpenID, which makes user management easier. If the system operates mostly in the Microsoft world, WS-Federation is the more suitable choice.
