Wednesday, August 18, 2010

Single Sign On

by Simon Biles

About the Author

Simon Biles is a founder of Thinking Security Ltd., an Information Security and Risk Management consultancy firm based near Oxford in the UK.

Calling something a “Holy Grail” is an interesting turn of phrase – the intended meaning is well known to most of us, i.e. something miraculous that will solve all of your problems. However, given that it’s supposedly a cup, bowl or dish, it hardly links sensibly to password management. Nonetheless, Single Sign-On (henceforth SSO in this article, to save me from RSI) is supposedly the “Holy Grail” of authentication.

SSO is the answer to the dilemma that we were left with at the end of the last article – we want complex, difficult-to-break passwords that change often, on all the systems that a user has access to … A rather entertaining (if a little dated now) paper from Microsoft tells us that each user has 25 accounts that require passwords and types, on average, 8 passwords a day – and this is a paper about web-browsing habits, not including primary logons to machines or other legacy work systems. What is more interesting is that each user, on average, has 4.5 passwords, each used on 3.9 websites (I love averages – how else can you have ½ a password and .9 of a website!). Looking through some other literature suggests that some people manage way, way more than this – one cited example has a single user dealing with 97 separate and distinct password-protected systems.

This was recognized as an issue a long time ago, well before we needed to remember our eBay, Amazon and Twitter passwords. Project Athena at the Massachusetts Institute of Technology (MIT) started in 1983 and developed the Kerberos SSO protocol. Kerberos, named after the three-headed dog of Greek mythology (Harry Potter fans please note – it was called Kerberos before “Fluffy”), operates on the principle of an authentication server: you authenticate to it once with your password and, assuming you get that right, it grants you a “ticket” that you can take to any other service, which identifies you and confirms your authentication. The good news is that all of this happens behind the scenes and all you have to do is remember one password. To be fair, it’s a little bit more complicated than that, with some quite fun encryption ideas concerning authentication of the source and timestamps to prevent replay attacks. However, it is, in my opinion at least, the daddy of all SSO – so much so that Microsoft Active Directory authentication is, at least almost, Kerberos. (If you want to know a bit more, you can read this, but I can’t claim that you’ll be awake at the end of it.)

It can be quite enlightening, if you like that sort of thing (and I do), to watch a Wireshark trace of a Kerberos exchange. Wireshark has quite a good built-in understanding of the protocol and you can see the various tickets moving around the system – you can also have a go at recording and replaying them to see if the timestamps really do work. Kerberos also has an interesting sideline in identifying machines to other machines, effectively allowing SSO between clients and servers as well as for wetware users.
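To make the “ticket plus timestamp” idea concrete, here is an added toy model of the Kerberos service exchange (my own illustration, not code from the article or from any Kerberos implementation): the KDC seals a ticket under the service’s key, the client proves it holds the session key with a timestamped authenticator, and the service enforces the clock-skew window and a replay cache. Real Kerberos encrypts these structures; this model uses HMAC-SHA256 for integrity only, and the 300-second skew, key values and principal names are assumptions.

```python
import hashlib
import hmac
import json

SKEW = 300  # assumed clock-skew tolerance in seconds (Kerberos' customary 5 minutes)


def seal(key: bytes, payload: dict) -> bytes:
    """Toy stand-in for Kerberos encryption: HMAC tag + JSON body (integrity only)."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body


def unseal(key: bytes, blob: bytes) -> dict:
    """Reject anything not sealed under `key`, then decode the body."""
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("bad ticket or authenticator")
    return json.loads(body)


def kdc_issue_ticket(service_key: bytes, client: str, session_key: bytes, now: int, lifetime: int = 8 * 3600) -> bytes:
    """KDC side: the client carries this but cannot read or alter it; only the service can open it."""
    return seal(service_key, {"client": client, "skey": session_key.hex(), "expires": now + lifetime})


def client_authenticator(session_key: bytes, client: str, now: int) -> bytes:
    """Client side: fresh proof of session-key possession, bound to the current time."""
    return seal(session_key, {"client": client, "ts": now})


class Service:
    def __init__(self, key: bytes):
        self.key = key
        self.replay_cache = set()  # (client, ts) pairs seen within the skew window

    def accept(self, ticket: bytes, authenticator: bytes, now: int) -> str:
        t = unseal(self.key, ticket)
        if now > t["expires"]:
            return "expired ticket"
        a = unseal(bytes.fromhex(t["skey"]), authenticator)  # session key comes from the ticket
        if a["client"] != t["client"]:
            return "authenticator/ticket mismatch"
        if abs(now - a["ts"]) > SKEW:
            return "clock skew too large"  # stale (or far-future) authenticator
        if (a["client"], a["ts"]) in self.replay_cache:
            return "replay detected"  # same authenticator presented twice inside the window
        self.replay_cache.add((a["client"], a["ts"]))  # entries older than SKEW can be pruned
        return "ok"


def demo() -> list:
    """Constructed run: first use, a replay, a stale authenticator, and an expired ticket."""
    svc_key, skey, now = b"service-secret-key", b"session-key-0001", 1_700_000_000
    svc = Service(svc_key)
    ticket = kdc_issue_ticket(svc_key, "simon", skey, now)
    auth = client_authenticator(skey, "simon", now)
    return [svc.accept(ticket, auth, now + 1),
            svc.accept(ticket, auth, now + 2),
            svc.accept(ticket, client_authenticator(skey, "simon", now - 600), now),
            svc.accept(ticket, client_authenticator(skey, "simon", now + 9 * 3600), now + 9 * 3600)]
```

The second call shows why the recorded-and-replayed tickets in a Wireshark capture fail at the service: the authenticator is cryptographically valid but its timestamp has already been seen.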

Read more at http://www.forensicfocus.com/simon-biles or discuss here.
