token generation, IAM in multi-tier cloud infrastructure

Transcript of token generation, IAM in multi-tier cloud infrastructure

Page 1: token generation, IAM in multi-tier cloud infrastructure

BY: MRUNAL PATIL-32, NIKITA PATIL-33, AISHWARYA SHEKOKAR-52

Identity Access Management for Multi-tier Cloud Infrastructures

Page 2: token generation, IAM in multi-tier cloud infrastructure

Why do you need IAM?

significant risks not only to compliance but also an organization’s overall security.

increase the risk of greater damages.

access level escalation is not revoked.

accumulation of privileges known as privilege creep.

Page 3: token generation, IAM in multi-tier cloud infrastructure

IAM addresses three important questions:

1. Who has access to what information?

2. Is the access appropriate for the job being performed?

3. Is the access and activity monitored, logged, and reported appropriately?

Page 4: token generation, IAM in multi-tier cloud infrastructure

Let’s Define IAM Terms

Authentication (AuthN): verify that a person is who they claim to be.

This is where multi-factor authentication comes into play.

Identification and authentication are related but not the same.

Authorization (AuthZ): deciding what resources can be accessed or used by a user.

Accounting: records what you do, so that you can be charged for it.

Page 5: token generation, IAM in multi-tier cloud infrastructure

Advantages of IAM

Faster response times.

Easily retrievable evidence of activities.

Automated workflows for approvals and communication.

Better management of large data volumes.

Ability to centrally administer and monitor systems.

Page 6: token generation, IAM in multi-tier cloud infrastructure

Identity and access management system

User connects to the web server.

The web server has a connector or "agent":

1) An interface to the access manager.

2) Plugins or APIs.

The access manager is the Policy Enforcement Point (PEP):

1) A high-volume system that makes decisions on access requests from the web server.

2) Must be highly available.

Page 7: token generation, IAM in multi-tier cloud infrastructure

IAM is the Policy Management Point (PMP):

1) Central management of all identity information from various sources.

2) Able to define processes and workflows to manage, maintain and audit access to resources.

Page 8: token generation, IAM in multi-tier cloud infrastructure

Access Controls

Role-based access control.

Attribute-based access control:

1) Subject attributes (role, project).

2) Resource attributes (owner of a file).

3) Environmental attributes (risk level).

Page 9: token generation, IAM in multi-tier cloud infrastructure

Managing Roles & Privileges


Grouper Signet

Role-Based Access Control (RBAC) model

• Users are placed into groups

• Privileges are assigned to groups

• Groups can be arranged into hierarchies to effectively bestow privileges

• Signet manages privileges

• Grouper manages, well, groups
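The access-control model on the last two slides (an enforcement point that asks for a decision; RBAC with privileges assigned to groups arranged in a hierarchy; ABAC with subject, resource and environmental attributes) can be shown end to end in a few lines. The following is an added example, not code from the presentation or from Grouper/Signet; the group hierarchy, privilege names, users and the "risk" attribute are constructed sample data.

```python
from typing import Dict, Set

# Constructed sample data (assumption, not from the slides): each group's
# parent groups, the privileges granted to each group, and user memberships.
GROUP_PARENTS: Dict[str, Set[str]] = {
    "staff": set(),
    "developers": {"staff"},
    "db-admins": {"developers"},
}
GROUP_PRIVILEGES: Dict[str, Set[str]] = {
    "staff": {"read:wiki"},
    "developers": {"read:repo", "write:repo"},
    "db-admins": {"write:db"},
}
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"db-admins"},
    "bob": {"staff"},
}


def effective_groups(user: str) -> Set[str]:
    """Walk the group hierarchy upwards: membership in a child group implies
    membership in every ancestor group."""
    result: Set[str] = set()
    pending = list(USER_GROUPS.get(user, set()))
    while pending:
        group = pending.pop()
        if group in result:
            continue
        result.add(group)
        pending.extend(GROUP_PARENTS.get(group, set()))
    return result


def effective_privileges(user: str) -> Set[str]:
    """RBAC: privileges are assigned to groups; users inherit them via groups."""
    privs: Set[str] = set()
    for group in effective_groups(user):
        privs |= GROUP_PRIVILEGES.get(group, set())
    return privs


def decide(subject: Dict, action: str, resource: Dict, environment: Dict) -> bool:
    """ABAC decision combining the three attribute classes from the slide:
    subject (the user, via RBAC), resource (its owner), environment (risk
    level).  Deny is the default."""
    user = subject["user"]
    # Resource attribute: the owner of a file may always read and write it.
    if resource.get("owner") == user and action in ("read", "write"):
        return True
    # Environmental attribute: at high risk, writes are denied for everyone.
    if action == "write" and environment.get("risk") == "high":
        return False
    # Subject attribute: the RBAC privilege "action:type" must be present.
    needed = f"{action}:{resource['type']}"
    return needed in effective_privileges(user)


def enforce(subject: Dict, action: str, resource: Dict, environment: Dict) -> bool:
    """Policy Enforcement Point: obtain a decision and log it, so the third
    IAM question (is access monitored, logged and reported?) can be answered."""
    allowed = decide(subject, action, resource, environment)
    print(f"audit user={subject['user']} action={action} "
          f"resource={resource['type']}/{resource.get('name', '-')} "
          f"risk={environment.get('risk', 'normal')} "
          f"decision={'ALLOW' if allowed else 'DENY'}")
    return allowed


if __name__ == "__main__":
    enforce({"user": "alice"}, "write", {"type": "db", "name": "prod"}, {"risk": "low"})
    enforce({"user": "bob"}, "write", {"type": "db", "name": "prod"}, {"risk": "low"})
    enforce({"user": "alice"}, "write", {"type": "db", "name": "prod"}, {"risk": "high"})
```

Note that alice holds `read:wiki` only through the hierarchy (db-admins is under developers, which is under staff), which is the "groups bestow privileges" point of the slide, and that the environmental rule overrides the RBAC grant when the risk level is high.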

Page 10: token generation, IAM in multi-tier cloud infrastructure

How full IdM layer helps


Improves scalability: IdM process automation

Reduces complexity of IT ecosystem

Complexity as friction (wasted resources)

Improved user experience

Functional specialization: App developer can concentrate on app-specific functionality

Page 11: token generation, IAM in multi-tier cloud infrastructure

IAM Solutions

Page 12: token generation, IAM in multi-tier cloud infrastructure

What is a Token?

A token comprises 3 parts:

Header

Payload

Signature

A hardware token is a small hardware device that the owner carries to authorize access to a network service. The device may be in the form of a smart card or may be embedded in a commonly used object such as a key

A token is of 2 types: auto-generated or dependent on the username.

Page 13: token generation, IAM in multi-tier cloud infrastructure

JWT (JSON Web Token)

Keeps information safe between 2 parties.

The flow involves 3 parties:

application server

authentication server

user

Page 14: token generation, IAM in multi-tier cloud infrastructure

JWT (JSON Web Token)

4 steps:

1. User signs in to the authentication server.

2. Server checks whether the user is authentic and issues a JWT.

3. User passes the JWT when making API calls to the application server.

4. Application server verifies the JWT and sends the response back to the user.

The application server receives the secret key from the authentication server.

Page 15: token generation, IAM in multi-tier cloud infrastructure

Creating a JWT:

Create the header

Create the signature

Create the payload

Put them together

Verify the JWT (if the signature matches, the user is authentic; if the signature does not match, the user is not authentic)
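The three-part structure and the create/verify steps above, as an added example (not code from the presentation). It assumes the HS256 variant of JWT, where the authentication server and the application server share one secret, matching the slide that says the application server receives the secret key from the authentication server. Because the signature is computed over the encoded header and payload, the code builds the payload before signing. The secret and the claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that JWT strips, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(payload: dict, secret: bytes) -> str:
    """Authentication server: build header and payload, sign both with the
    shared secret, and join the three base64url parts with dots."""
    header = {"alg": "HS256", "typ": "JWT"}
    encoded_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    encoded_payload = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{encoded_header}.{encoded_payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{encoded_header}.{encoded_payload}.{b64url_encode(signature)}"


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Application server: return the payload if the signature matches and
    the token has not expired, otherwise None (user is not authentic)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    encoded_header, encoded_payload, encoded_signature = parts
    try:
        header = json.loads(b64url_decode(encoded_header))
        signature = b64url_decode(encoded_signature)
    except (ValueError, UnicodeDecodeError):
        return None
    # Only the algorithm the tokens were issued with is acceptable; a header
    # naming any other algorithm (including "none") fails verification.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{encoded_header}.{encoded_payload}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison of the recomputed signature with the one sent.
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        payload = json.loads(b64url_decode(encoded_payload))
    except (ValueError, UnicodeDecodeError):
        return None
    current = time.time() if now is None else now
    if "exp" in payload and current >= payload["exp"]:
        return None
    return payload


if __name__ == "__main__":
    shared_secret = b"constructed-demo-secret"   # constructed sample value
    token = create_jwt({"sub": "alice", "exp": int(time.time()) + 300}, shared_secret)
    print(token)
    print("payload:", verify_jwt(token, shared_secret))
```

The payload is only base64url-encoded, not encrypted, which is exactly the "does not hide data" point made two slides further on: anyone holding the token can read the claims, and the signature only proves who created them.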

Page 16: token generation, IAM in multi-tier cloud infrastructure

JWT advantages:

Obscures data

Proves the data was sent and created by an authentic source

Encoded data (a transformed data structure) is obtained

Signed data (verified authenticity) is obtained

Page 17: token generation, IAM in multi-tier cloud infrastructure

JWT disadvantages:

Does not hide data

Does not encrypt data

Page 18: token generation, IAM in multi-tier cloud infrastructure

RSA-ECDSA

User asks for authentication.

If the token is verified then the process is done.

RSA SecurID has:

hw (USB dongle)

sw (soft token)

Assigned to a computer user; generates a code at a fixed interval (60 sec).

A built-in clock is used together with the card's factory-encoded random key (seed).

The seed is different for each token.

Page 19: token generation, IAM in multi-tier cloud infrastructure

RSA (1K RSA key)

Adv:

High speed

Verifies RSA signatures faster

Disadv:

Signature and public key are added to the message, so more space is needed

Low security

Page 20: token generation, IAM in multi-tier cloud infrastructure

ECDSA (192-bit ECDSA)

Adv :

More secure

Disadv :

More space required

Speed slow

Page 21: token generation, IAM in multi-tier cloud infrastructure

Comparison (JWT, RSA-ECDSA, HMAC-SHA1)

RFC 4226 HOTP is based on SHA-1

JWT and RSA-ECDSA require SALTING

HMAC-SHA1 is best because it does not require SALTING strings (MD5 add)

Salting is a hashing technique for reducing collisions

The hash function is found in the DB

A salt is an unknown (random) element

Page 22: token generation, IAM in multi-tier cloud infrastructure

The OTP Server and Authentication Protocol

An OTP is auto-generated.

An OTP depends on 2 parameters:

A secret key

A counter

In the case of a transaction an OTP is sent to the mobile phone of the user; for an authentication it is possible to use either a secure token or to request an OTP to be sent to the user's phone.

Page 23: token generation, IAM in multi-tier cloud infrastructure

Why we are not using the OTP method:

· Multiple uses means multiple lockouts if ever lost or stolen.

· Only runs with RSA Infrastructure installed.

· Single point of failure - multiple redundancy levels are needed.

· Limited to known or managed laptops/desktops - a remote access component should be considered.

· Need to monitor application upgrades and changes - SSO templates/profiles should be easy to modify.

· Different types of users have different workflows - the solution should have flexible security policies to meet these requirements.

Page 24: token generation, IAM in multi-tier cloud infrastructure

HMAC SHA1

Used for checking whether a message has been tampered with

Keyed hash algorithm (secret key)

Secret key + message

Hashes the result with a hash function

Adds the hash value

Output is 160 bits in length

Page 25: token generation, IAM in multi-tier cloud infrastructure

HMAC SHA1

Sender sends the original data and the hash value to the receiver

Sender computes the hash value

Receiver calculates the hash value

If there is a mismatch then the correct hash value is demanded
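The two HMAC-SHA1 slides above (key + message hashed with a hash function, 160-bit output, sender attaches the value and the receiver recomputes it) written out as an added example; this is not code from the presentation. The keyed construction follows RFC 2104 (inner and outer SHA-1 passes with the padded key), and `cross_check` compares it with the standard library's `hmac` module. The shared key and the message are constructed sample values.

```python
import hashlib
import hmac
from typing import Tuple

SHA1_BLOCK_SIZE = 64   # bytes; SHA-1 processes 512-bit blocks
SHA1_OUTPUT_SIZE = 20  # bytes = 160 bits, the output length stated on the slide


def hmac_sha1_manual(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA1 as in RFC 2104: the secret key is mixed into an inner and an
    outer SHA-1 computation, so the tag depends on both key and message."""
    if len(key) > SHA1_BLOCK_SIZE:
        key = hashlib.sha1(key).digest()       # long keys are hashed first
    key = key.ljust(SHA1_BLOCK_SIZE, b"\x00")  # then padded to the block size
    inner_key = bytes(b ^ 0x36 for b in key)   # key XOR ipad
    outer_key = bytes(b ^ 0x5C for b in key)   # key XOR opad
    inner_hash = hashlib.sha1(inner_key + message).digest()
    return hashlib.sha1(outer_key + inner_hash).digest()


def cross_check(key: bytes, message: bytes) -> bool:
    """True when the manual construction agrees with the standard library."""
    return hmac_sha1_manual(key, message) == hmac.new(key, message, hashlib.sha1).digest()


def sender_tag(key: bytes, message: bytes) -> Tuple[bytes, bytes]:
    """Sender computes the hash value and ships the original data plus the tag."""
    return message, hmac_sha1_manual(key, message)


def receiver_check(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver recomputes the tag over what arrived and compares in constant
    time; a mismatch means the message or the tag was altered in transit."""
    return hmac.compare_digest(hmac_sha1_manual(key, message), tag)


if __name__ == "__main__":
    shared_key = b"constructed-shared-key"            # constructed sample key
    data, tag = sender_tag(shared_key, b"transfer 100 to account 42")
    print("tag bits:", len(tag) * 8, "valid:", receiver_check(shared_key, data, tag))
    tampered = data.replace(b"100", b"900")           # altered amount
    print("tampered valid:", receiver_check(shared_key, tampered, tag))
```

Without the key, a party that changes the data cannot produce a matching tag, which is why the receiver's recomputation detects the change; the test vectors used to check the construction are the first two from RFC 2202.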

Page 26: token generation, IAM in multi-tier cloud infrastructure

HMAC SHA1

Advantages: faster

More secure

Disadvantages: need for the secret key to verify the token

Time limit

Page 27: token generation, IAM in multi-tier cloud infrastructure

The HMAC-SHA1 Token Generator

This OTP is based on the HMAC-SHA1 algorithm.

Used to perform authentication by challenge-response.

This algorithm is not reversible.

It is not an encryption algorithm but a hashing algorithm.

HMAC-SHA1 uses a key to transform an input array of bytes.

The secret key must be at least 20 bytes.

The algorithm takes the 20-byte key and the 8-byte counter to create an 8-digit number.

Page 28: token generation, IAM in multi-tier cloud infrastructure

Why is HMAC-SHA1 a strong authentication method?

The key is 20 digits

A password is a counter/password pair, only valid once and for a very short time

The algorithm that generates each password is not reversible

With an OTP token, the key is hardware-protected

If the OTP is received on your phone, the key always stays at the server
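The OTP generator described on the last few slides (secret key and counter as the two parameters; HMAC-SHA1 over the 8-byte counter with a key of at least 20 bytes, reduced to an 8-digit number; each counter value valid only once) is the HOTP algorithm of RFC 4226 named on the comparison slide. The following is an added example, not code from the presentation: `hotp` is the generator, and `HotpServer` is an assumed server-side verifier that keeps the key, accepts each counter at most once, and tolerates a small look-ahead window for counters the user skipped (the window size is a constructed choice). The 20-byte ASCII key `12345678901234567890` is the RFC's own test key.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to the wanted digits."""
    if len(secret) < 20:
        raise ValueError("HOTP secret must be at least 20 bytes")
    counter_bytes = struct.pack(">Q", counter)                    # 8 bytes
    mac = hmac.new(secret, counter_bytes, hashlib.sha1).digest()  # 20 bytes
    offset = mac[-1] & 0x0F                                       # low nibble of last byte
    truncated = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
                 | mac[offset + 2] << 8 | mac[offset + 3])
    return str(truncated % 10 ** digits).zfill(digits)


class HotpServer:
    """Server side (assumed design, not from the slides): holds the key, which
    never leaves the server, tracks the next expected counter, and accepts
    each counter value at most once."""

    def __init__(self, secret: bytes, digits: int = 8, look_ahead: int = 5):
        self.secret = secret
        self.digits = digits
        self.look_ahead = look_ahead   # tolerate a few unused token presses
        self.counter = 0               # next counter value we expect

    def verify(self, otp: str) -> bool:
        """Accept the OTP if it matches any counter in the window, then move
        the expected counter past it so the same password cannot be reused."""
        for candidate in range(self.counter, self.counter + self.look_ahead + 1):
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, otp):
                self.counter = candidate + 1   # resynchronise and burn this value
                return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"          # RFC 4226 test key (20 bytes)
    server = HotpServer(key)
    first = hotp(key, 0)
    print("otp for counter 0:", first)
    print("first use accepted:", server.verify(first))
    print("replay accepted:", server.verify(first))
```

Because the server only ever compares against values it computes from its own copy of the key, a captured OTP is useless after the counter has advanced, which is the "only valid once" property the slide relies on; the 6-digit test values in the check below are the ones published in RFC 4226 Appendix D.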

Page 29: token generation, IAM in multi-tier cloud infrastructure

Diagram of HMAC-SHA1 working

Page 30: token generation, IAM in multi-tier cloud infrastructure

Token generation

Page 31: token generation, IAM in multi-tier cloud infrastructure

Benefits of token in HMAC-SHA1

The size in bits is as desired

Security is very strong

Practical in situations where two parties in a secure environment must be able to depart from one another and communicate from two separate secure environments with perfect secrecy.

An optimum cryptosystem with theoretically perfect secrecy.

Page 32: token generation, IAM in multi-tier cloud infrastructure

Further implementation:

We will make a cloud

Set the user id and password

And set up the system such that tokens are generated

Page 33: token generation, IAM in multi-tier cloud infrastructure

Thank you!