Introduction to Apache Milagro (incubating)
Linux Con Japan 2016
Go Yamamoto NTT Innovation Institute, Inc.
Milagro: A Distributed Cryptosystem
To Secure the Future of the Web and IoT
Updating PKI for the Age of DevOps
What is Milagro?An OSS project hosted by the Apache Software Foundation (incubating).
Working for a new framework of cryptographic protections on Web/IoT applications by updating PKI for the Age of DevOps.
• Distributed infrastructure as the source of trust,
• Clients that respects the existing businesses.
We would like to accelerate activities in DevOps by making “DevOps Native” security.
milagro.incubator.apache.org
The Current State of the Art
Millions of Websites
Millions of Servers connects with billions of Users.
All the connections are protected almost by a single method, SSL + password authentication.
milagro.incubator.apache.org
The Current State of the ArtSSL + password is widely accepted because
A) Credential recovery process is available on each local Web system.
B) Users are tolerant and patient.
C) We are not yet so serious about the client authentication of the Web.
D) It works without special security operations for each local Web system.
milagro.incubator.apache.org
In the Near FutureBillions of devices are joining the Web for optimization of local business systems. What happens then?
A) Credential recovery process is available on each local Web system.
B) Users are tolerant and patient.
C) We are not yet so serious about the client authentication of the Web.
D) It works without special security operations for each local Web system.
B) and C) are going to change.
Tolerance and patience mean room for optimization.
We will be more serious about our off-line assets.
milagro.incubator.apache.org
Our ProblemWe need a practical security infrastructure that satisfies both A) and D) when B) and C) are denied.
A) Credential recovery process is available on each local Web system.
B) Users are tolerant and patient.
C) We are not yet so serious about the client authentication of the Web.
D) It works without special security operations for each local Web system.
milagro.incubator.apache.org
Client Certificates are not operated for you
You will need to manage
• Securing private key on each devices,
• Updating Certificates before expirations,
• Revoking Certificates when your device is accidentally lost.
Will you stop your factory if some accidents occur in the process?
milagro.incubator.apache.org
Our IdeaProblem: We need a practical security infrastructure that satisfies both A) and D).
A) Credential recovery process is available on each local Web system.
B) Users are tolerant and patient.
C) We are not yet so serious about the client authentication of the Web.
D) It works without special security operations for each local Web system.
Start customizable security infrastructure for local Web/IoTsystems that hosts“Local” PKIs.
milagro.incubator.apache.org
Top Level ArchitectureRenew PKI by decomposing Certificate Authority (CA) into Registration Authority (RA) and Trusted Authority (TA).
System
CA
System
RA TA
milagro.incubator.apache.org
Top Level Architecture
RA controls legitimate public key pairs in the System. RA is custom designed for each System.
System
RA TA
TA entrusts public key pairs using master secret key concealed inside. TA is managed professionally.
milagro.incubator.apache.org
Design Principle
The owner develops RA that satisfies constraints from existing business with the System. Milagro provides a framework for RA.
System
RA TA
Local DevOps loops
milagro.incubator.apache.org
Design Principle
TA is operated professionally in a distributed manner.
System
RA Global TA
LocalDevOps loops
Single Point of
Compromise
milagro.incubator.apache.org
Design Principle
TA is operated professionally in a distributed manner.
System
RAD-TA
LocalDevOps loops
D-TA
D-TA
milagro.incubator.apache.org
Design PrincipleThe RA and the System are operated locally depending on a D-TA network.
System
RAD-TA
LocalDevOps loops
D-TA
D-TA
Global services
A Distributed D-TA network is operated by professionals.
Milagro will Deliver• Suite of cryptographic algorithms for local systems of Web/IoT,
• Middleware/library code that implements the algorithms,
• Server code for distributed key management infrastructure that implements source of trust for each local system of Web/IoT,
• Sample applications. Software Multi-Factor Authentication for Web applications, TLS libraries for IoT, and so on.
milagro.incubator.apache.org
Example: User Authentication
Apply the design principle to Web Applications that require user authentication.
System
IaaS/PaaS
Application
Application
Application
Device
Device
Users
milagro.incubator.apache.org
Constrains from the Existing System
System
IaaS/PaaS
Application
Application
Application
Device
Device
Users
I can’t remember passwords.
I left the devices in my office. I would like to continue working on the other one with me.
Insecure connection
milagro.incubator.apache.org
Design Principle
Develop RA that respects constrains for our existing user authentication.
System
RA
LocalDevOps loops
D-TA network
milagro.incubator.apache.org
Design of RA for Milagro-MFA
Develop RA that delivers a credential for each e-mail address.
System
Device
DeviceUsers
RA
Credential for each e-mail address
PIN
Sends e-mails to verify the ownership
Authenticate by e-mail address
D-TA network
Credits
milagro.incubator.apache.org
Authentication that Respects Constraints
• At least 12 characters from upper-case and lower-case letters, and ...
• You must change it every 2 month.
• You must choose independently random passwords for all accounts.
• 4 digit number is OK for PIN. Resiliencyagainst brute force attacks.
• You do not need to change secrets. Zero-knowledge proof without credentialdatabase, hence no breach.
• You may use the same PIN for allaccounts. Machine generates random OTPfrom the two factors, with your identityburned in.
cTP4dh+(bV{-
7694P=9vrXWV*2[e
WV*2[cTP4dh\
AND
{NGH7TcTj4C6X";%b@Gj
G39J2aEx=.QL8B:v{x*#
uf6([YX{T,wzu]ryb2:`
Password Human part (PIN) Machine part
milagro.incubator.apache.org
Demo: MFA on WordPress
Override the standard password login by Milagro-MFA without modifying the code.
milagro.incubator.apache.org
DevOps-Friendly Modular Design
MPIN.js overrides the standard password login form.
milagro.incubator.apache.org
How it worksMPIN.js communicates with MPIN server to submit full massage of signed token. MPIN.js submits tokenized message (typically hash value) in the password form.
MPIN.js
PrivateKey – PIN(Machine part)
PIN(Human part)
Application Server
hash of token LDAP ServerLDAP Proxy
Timestamp
D-TA network
MPIN Server
resolve full message to verify, orget verify result
RA
milagro.incubator.apache.org
Milagro-MFA Cryptographic Protocol
Gets Server Current Time : 𝑆𝐶𝑇
Alice – identity Server
𝐴 = 𝐻'( 𝐼𝐷+𝑇 = 𝐻, 𝑇- 𝐼𝐷+𝐷 = 𝐴 + 𝑇𝑈 = 𝑥𝐷𝑊 = 𝑥𝐴𝑦 = 𝐻3 𝐼𝐷+ 𝑈 𝑊 𝑛𝑜𝑛𝑐𝑒 𝐶𝐶𝑇𝑉 = −(𝑥 + 𝑦)( 𝑠 − 𝛼 𝐴 + 𝛼𝐴 + 𝑠𝑇)
𝐼𝐷+,𝑈, 𝑊,𝑉, 𝑛𝑜𝑛𝑐𝑒, 𝐶𝐶𝑇 →
𝐼𝐷+Generate random 𝑥, 𝑛𝑜𝑛𝑐𝑒 < 𝑞Gets Client Current Time : 𝐶𝐶𝑇 If Server find 𝑛𝑜𝑛𝑐𝑒 in Database
or 𝑆𝐶𝑇 − 𝐶𝐶𝑇 > 5 min., reject the connection
Else Add 𝑛𝑜𝑛𝑐𝑒 to Database𝑦 = 𝐻3 𝐼𝐷+ 𝑈 𝑊 𝑛𝑜𝑛𝑐𝑒 𝐶𝐶𝑇𝐷 = 𝐻'( 𝐼𝐷+ + 𝐻, 𝑇- 𝐼𝐷+𝑔 = 𝑒 𝑉, 𝑄 ∗ 𝑒 𝑈 + 𝑦𝐷, 𝑠𝑄
If 𝑔 ≠ 1, reject the connection
Notationsq is a prime order,𝜶 is a Pin code, s is a master secret key.𝑯𝑰𝑫 and 𝑯𝑻 are map-to-point hash function, and 𝑯𝒚 is a cryptographic hash function.
milagro.incubator.apache.org
Security from Modern Cryptology
MPIN.js does not consume private key.
• Users are authenticated by an non-interactive zero-knowledge proof protocol.
• The transcripts does not contain any computable information on PrivateKey.
MPIN.js protects PIN from off-line brute-force attacks.
• Information from Machine part does not help for attackers to guess Human part.
• MPIN.js uses elliptic curve pairing-based cryptography. The Machine Part is computationally indistinguishable with random numbers from attacker’s view.
milagro.incubator.apache.org
Milagro-MFA delivers to your Web site
• Agile UX from on-line security as shown by the Off-line PIN authentication,
• DevOps friendly migration from non-destructive installation. You can add MFA without modifying existing password authentications and with keeping the old login pages.
milagro.incubator.apache.org
Browser
Demo: MFA with mod_auth_form
Protect tomcat containers by password authentication with mod_auth_form and mod_session from Apache httpd. We can override password authentication by Milagro-MFA.
Apache HTTP server
OpenAM
LDAP server
FreshDesk
mod_proxymod_auth_formmod_session
SAML redirect
login.html
milagro.incubator.apache.org
Demo: MFA with mod_auth_form
Protect tomcat containers by password authentication with mod_auth_form and mod_session from Apache httpd. We can override password authentication by Milagro-MFA.
<!DOCTYPE html><html><head>
<link href="https://public.milagro.io/public/css/mpin.min.css" rel="stylesheet"><script src="https://public.milagro.io/public/js/mpin.js"></script>
</head><body><form method="POST" action="" id="login-form">Username: <input type="text" name="httpd_username" value="" id="username"/>Password: <input type="password" name="httpd_password" value="" id="password" /><input type="submit" name="login" value="Login" /></form></body></html>
login.html
milagro.incubator.apache.org
Demo: MFA with mod_auth_form
Transparent inline authentication by some hacks. Milagro-MFA works fine without blocking SAML redirection chain from OpenAM.
ProxyPass /openam ajp://127.0.0.1:8009/openamProxyPassReverse /openam ajp://127.0.0.1:8009/openam<LocationMatch "^/openam/">
AuthType formAuthName testrealmAuthFormProvider ldapAuthLDAPUrl "ldap://localhost:3389/dc=security,dc=ntt?uid,mail"Require valid-userSession OnSessionCookieName session path=/;domain=.ellipticauth.com;httponly;secure; SessionCryptoPassphrase secretphrasethatprotectspasswordincookieErrorDocument 401 /login.htmlAuthFormLoginSuccessLocation "/protected/redirect.html”RequestHeader set X-REMOTE %{REMOTE_USER}s
</LocationMatch>
Inline login request without forgetting the context.
Recover GET request after POST request from the form is consumed by mod_auth_form.
See RFC7231 Sec.6.
milagro.incubator.apache.org
Crypto Library(AMCL)
MFA JS Library
MFAJS Client
MFA Server
MFA Mobile SDK iOS
MFA Mobile SDK
Android
MFA Mobile SDK Core
MFA Mobile SDK Windows
Toolkit for Multi-Factor Authentication
milagro.incubator.apache.org
Landscape of security will changeq Limited number of static
Servers.
q Clients are operated by human.
q Connections between Clients and Servers.
q Security operations are defined as best practices.
q System design that prevents problems.
q Practically innumerable number of dynamic Servers.
q Clients are automated, and human interacts for exceptions.
q Many nodes are connected mutually and recursively.
q Security operations are defined as acts of problem solving.
q System design for which problems are solved locally.
milagro.incubator.apache.org
Our IdeaDivide and Conquer
Provide universally useful resources that help security engineering on each local system.
Connect to Protect
Prepare infrastructure that propagates trust over the network of the local systems.
milagro.incubator.apache.org
The IoT network will have a structureThe System of Systems (SoS)
• Smart connected products will form a Product System
• The System of Product Systems will induce forming new Product Systems on the boundary area of the businesses by the System of Product Systems.
• Competition in industry justifies the recursive process.
Porter and Heppelmann, “How Smart, Connected Products Are Transforming Competition”, HBR November 2014.
milagro.incubator.apache.org
How the SoS protects your SystemRA propagates Trust from System to System.
SystemSystem System
System of Systems
milagro.incubator.apache.org
How the SoS protects your SystemRA propagates Trust from System to System.
System
RA
System System
Trust
System of Systems
D-TA network
milagro.incubator.apache.org
Example: Device Authentication
Automatic device authentication by propagating Trust from Manufacture's System.
Device
Device
Device
Device manufacturer’s System User’s System
Device maintenance application
RA
Trust by Serial ID
Userapplication
Authenticate by Function ID
Proof of Serial ID
Credit for Function ID
D-TA network
ID Mapping
milagro.incubator.apache.org
We propose to change
q Centralized certificate authority with prefixed rules.
q Single points of compromise are acceptable because they will be operated perfectly.
q Global security management is enforced and prioritized to each business process.
q Someone owns the security as a product.
q Distributed network of trust with customizable authority.
q Single points of compromise are considered to be vulnerabilities.
q Each business process owns locally defined security management.
q Security is a performance from acts of culture by the open network of engineers.
milagro.incubator.apache.org
The Milagro Manifesto1. WE CAN ESTABLISH A NEW TRUST INFRASTRUCTURE ON THE INTERNET BY WORKING
TOGETHER.
2. WE BELIEVE IN THE POWER OF IDENTITY. EACH AND EVERY OBJECT, SERVICE, PERSONA, AND HUMAN DESERVES A SOLID AND PROTECTED IDENTITY.
3. WE THINK GLOBALLY, BUT ACT LOCALLY IN EVERYTHING THAT WE DO.
4. WE TRUST DISTRIBUTED – NOT CENTRALIZED – AUTHORITY.
5. WE BUILD AND PARTICIPATE IN THE OPEN SOURCE COMMUNITIES.
6. WE EMBRACE THE DIVERSITY OF USERS AND THEIR APPLICATIONS.
7. WE PUT THE USER EXPERIENCE FIRST.
8. WE LEVERAGE THE LATEST RESULTS FROM RESEARCH ON CRYPTOGRAPHY.
http://www.ntti3.com/blog/milagro-manifesto-shaping-future-trust/
milagro.incubator.apache.org
Let’s start the change 1) Try Milagro-MFA by importing MPIN.js from our public server.
2) Deploy your own Milagro-MFA from our code repository.
3) Play with the code.
4) Join Milagro community.
Top Related