Web Application Authentication with PKI & Other Functions
Bill Weems & Mark B. Jones, Academic Technology
University of Texas Health Science Center at Houston
Ideally, each individual would have a single digital credential that can be securely used to authenticate their identity whenever authentication of identity is required to secure any transaction.
• How do you prove you are who you say you are?
• How do you know that someone is legitimate in his or her dealings with you, and how do you get redress if things go wrong?
• If your identity is stolen and used fraudulently, or personal records are altered without your knowledge or permission, how do you prove that it was not you?
• It is difficult enough to verify someone's identity in the tangible world where forgery, impersonation and credit card fraud are everyday problems related to authentication.
• Such problems take on a new dimension with the movement from face-to-face interaction, to the faceless interaction of cyberspace.
Identity and Authentication by Simon Rogerson
UTHSC-H Strategic Authentication Goals
• Two authentication mechanisms
  – Single university ID (UID) and password
  – Public Key Digital ID on Token (two-factor authentication)
• Digital Signatures
  – Authenticates senders
  – Guarantees messages are unaltered, i.e. message integrity
  – Provides for non-repudiation
  – Legal signature
• Encryption of email and other documents
• Highly Secure Access Control
• Potential for inherent global trust
Plug n Play Authentication
• Programmatic Signed and Encrypted mail
• Plug n Play authentication with JSP
Mass Mailing of Signed & Encrypted E-mail
[Diagram: an Automated Mailer works through a Mailing List, requests each recipient's digital certificate from the LDAP Directory Service, and sends user-specific signed & encrypted messages to each recipient.]
Plug n Play Authentication
<%-- Page-level authX: set the optional attributes, then include the shared AuthX.jsp --%>
<% request.setAttribute("authenticationMethod", "certificate"); %>
<% request.setAttribute("authorizationGroup", "ADMIN_Staff"); %>
<%@ include file="/jsp/auth/AuthX.jsp" %>
• Application or Page level authX
• Authentication Method (optional)
  – Password (default)
  – Certificate
• Authorization Group (optional)
  – LDAP Group (with distributed group administration)
Plug n Play Authentication
• Client requests a resource (URL)
  – Resource redirects to AuthX.jsp in a certificate-protected directory
• Web Server
  – Requests client certificate
  – Validates client certificate
  – Parses the email address from the certificate and looks up the user in the directory
  – Compares the client certificate to the 'userCertificate' stored in the directory entry found by that email address
  – Sets 'Remote User' to the 'UID' value from the directory
  – Allows the client to access AuthX.jsp
• AuthX.jsp
  – Retrieves the 'Remote User' variable and assumes successful authentication
  – Verifies that the user is in the authorization group, if one was specified
  – Redirects back to the originally requested resource
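The web-server checks from the flow above, as an added Go example rather than the UTHSC-H JSP: the directory is modelled as a map keyed by email whose record (UID, stored userCertificate, LDAP groups) is an assumed schema, the email is read from the certificate's SAN, the presented certificate is compared byte for byte with the stored one, and the optional authorization group is enforced. The self-signed certificates, the example.edu addresses and the ADMIN_Staff membership are constructed test data.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// dirEntry is the assumed directory record: UID, DER-encoded userCertificate, LDAP groups.
type dirEntry struct {
	UID      string
	UserCert []byte
	Groups   []string
}

// authorize runs the slides' post-TLS checks and returns the UID the server would set as 'Remote User'.
func authorize(cert *x509.Certificate, dir map[string]dirEntry, group string) (string, error) {
	if len(cert.EmailAddresses) == 0 {
		return "", errors.New("certificate carries no email address")
	}
	entry, ok := dir[cert.EmailAddresses[0]] // look the user up by the email parsed from the cert
	if !ok {
		return "", errors.New("no directory entry for certificate email")
	}
	// Whole-certificate match: the same email in a re-issued or foreign-CA cert is not enough.
	if !bytes.Equal(cert.Raw, entry.UserCert) {
		return "", errors.New("presented certificate differs from stored userCertificate")
	}
	allowed := group == "" // no authorizationGroup set: any matched directory user passes
	for _, g := range entry.Groups {
		allowed = allowed || g == group
	}
	if !allowed {
		return "", errors.New("user is not a member of the required authorization group")
	}
	return entry.UID, nil
}

// selfSigned builds a constructed self-signed cert with an email, standing in for a CA-issued Digital ID.
func selfSigned(email string) (*x509.Certificate, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), EmailAddresses: []string{email}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return x509.ParseCertificate(der)
}
```

The byte-for-byte comparison is what stops a second certificate carrying the same email address, for example one issued under a different key, from being mapped onto the user's UID.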
Plug n Play Authentication
[Sequence diagram with the components Client Browser, Web Server, Certificate Protected directory, Directory, Resource (UserAdmin.jsp) and AuthX.jsp; the messages shown are HTTP Request, Request User Certificate and Certificate Validation.]