Core Security Patterns Weblog

Last night, I had the opportunity to present at an OWASP event @Hartford, CT.  James McGovern, a long-time buddy of mine organized this event at one of the Hartford skyscrappers – What a great view !  I had contributed code artifacts to OWASP projects before, but it was the first time I had a chance to attend an OWASP event. Amazing to see..it was an enthusiastic crowd with a lot of focus on the emerging trends in IT security.  I took a small piece of the IT puzzle.. to present  a topic on “Multi-factor Authentication” and then a demo showing OpenSSO w. PKI/Biometric authentication. It was a well-organized event and I saw a lot of interests around OpenSSO.

As promised, here is my slides for your reading pleasure. Enjoy.

Not a shameless promotion – I came to know from multiple feedback and praises from the people who took the Sun Certified Enterprise Architect exam.  Core Security patterns is overwhelmingly suggested as a reference text for ”Section 8 – Security” of Sun Certified Enterprise Architect for Java EE5 exam.

 Section 8: Security

• Explain the client-side security model for the Java SE environment, including the Web Start and applet deployment modes.
• Given an architectural system specification, select appropriate locations for implementation of specified security features, and select suitable technologies for implementation of those features
• Identify and classify potential threats to a system and describe how a given architecture will address the threats.
• Describe the commonly used declarative and programmatic methods used to secure applications built on the Java EE platform, for example use of deployment descriptors and JAAS.

Absolutely…. “Core Security Patterns” provides INDEPTH coverage on the above topics with detailed examples.  You can certainly rely on that for “Section 8 – Security” of SCEA.

Congratulations to those who become SCEA and Goodluck for those aspiring to become SCEA.  Thanks for all the feedback…Please do keep us posted.

I had been involved with multiple Biometric ISV providers and its integration with Sun technologies particularly OpenSSO, IdM, Sun Rays and Solaris. I also had the opportunity to deploy Biometric solutions to few govt organizations that starts with “D” and “N”. Believe it or not…we have few of them in production.

Now, getting down to the specifics – Putting it all together, in simpler terms you will see the solution would look like this…..

Ofcourse the Desktop can be your PC or Sun Ray or anything that capable of running a browser and allows plugin a Biometric Fingerprint Scanner (USB device). If you look into the ingredients of this solution, you would need the following:

1. OpenSSO Enterprise 8
2. Glassfish V2 Enterprise (Configured to use NSS for FIPS mode)
3. BiObex Middleware (Biometric enrollment and authentication provider)
4. SecuGen Hamster IV (FIPS-201) or Hamster Plus Fingerprint Scanners.
5. BiometricLoginModule (Currently made available through BiObex).
6. OpenSSO policy agent (based on your target web container) to help enforce authentication on your protected resources.

Here is my quick presentation that digs deeper into the architecture and deployment steps for enabling Biometric SSO using OpenSSO and BiObex.

For those curious to know ….and concerned about security of using Biometrics as a network credential…here is my answer to those known security issues.

1. The communication, callbacks and biometric samples acquired from the device (In transit to the JAAS LoginModule and then to Biometric authentication provider)  has been cryptographically protected ensuring a trusted path with both transport and message-level security (as per FIPS-140 requirements). This ensures end-to-end confidentiality and integrity of the messages/communication and thwarts image capture, rogue injection and replay attacks.
2. The user session is verified for proof-of-origin that includes host verification and validation for known IPs and hostnames.
3. The deployment requires authentication chain with username/password or Certificate authentication (ex. Smartcard PKI) modules to ensure Biometric authentication is used as a second or third factor of the authentication.
4. OpenSSO callbacks prompt for random fingerprints as enrolled in BiObex.

Multi-factor Authentication Chain : OpenSSO and BiObex

Biometric SSO allows users to access multiple applications (for example, Java EE or Web portal applications) after doing a single biometric authentication. In this case, the biometric authentication is managed by the identity provider infrastructure (ex. OpenSSO) that provides single sign-on services to support participating applications (protected resources). The identity provider encapsulates and protects access by making use of pluggable authentication modules (including a JAAS LoginModule for the Biometric authentication provider) from authentication providers. Upon authentication, the identity provider issues an SSO token that is trusted by all participating applications. This means the identity provider grants or denies access to the secured application or resource by issuing an SSO token that represents the user’s sign-on and session information. All participating applications trust the SSO token issued by the identity provider and grant the caller request to proceed for further processing based on the policies and privileges.

OpenSSO provides JAAS based authentication framework for plugging in JAAS LoginModules (from authentication providers) and also allows enabling multi-factor authentication through OpenSSO authentication chaining and session upgrade features. Refer to OpenSSO Administrator guide for the finer details.

Few weeks ago, I posted another entry on Match-to-Smartcard PKI and Biometric authentication which is a different solution that makes use of Biometric information (CBEFF) stored on a PIV card. I am still working on the documentation….will keep you posted very soon.

Last few months, I was passionately busy working on an interesting project opportunity …to implement a biometric authentication module for a security sensitive J2EE application (Sorry…don’t ask who is the customer ). Ofcourse, the target is a die-hard Sun customer who believed on us -not- that armed contractor. They suggested me to use CrossMatch Verifier-E Fingerprint scanner and BioBex middleware for supporting biometric enrollment and authentication.  I also lucky  to work together with a good friend of mine from Finland “Tuomo Lampinen”…I should credit him here – he taught me the ABCs of Biometrics.  I lost hopes initially..as there is no easy way to initiate/receive the JAAS callbacks to/from biometric device and then convert it to web-based text callbacks to perform actual authentication with the biometric middleware. The complexities goes even a bit more  harder, when you want to make a browser plugin to handle the device callbacks.  After trial-and-errors with several callback mechanisms (believe me,…at some point I lost all my hopes) – Finally, It worked without any hacks. Way cool, I even performed multi-factor authentication by combining with another JAAS LoginModule we built for using PKI/digital certificates.

If you are curious to know the secrets – Couple of days ago, Reid Williams and I did deliver a session at JavaONE  entitled ” Biometric Authentication for J2EE Applications” and we also demonstrated it.  You may also interested to read my follow-on article “Building Biometric Authentication for J2EE, Web and Enterprise Applications“.

Enjoy.