Web Login Security
Securing web login: using cryptography to control access & use
What is web login?
Web login is a procedure that is often implemented when a web site provider wishes to control access to all, or to a specific part, of a web site that is reachable over the public Internet.
There are four ways in which web login can work.
The first is the same as web page login, where the user is asked to enter an identity and a password.
Apart from the problems discussed in the article on web page login, there are the ‘traditional’ difficulties: choosing good passwords that resist guessing and offline cracking, changing them often enough that a captured password is not useful for long, and persuading users not to give them to others, either deliberately or accidentally.
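The server side of the first approach is where a captured password database does its damage, so the obvious check is how the site stores what it compares against. The following is an added example (not code from the article or from ArticSoft) of the minimum a practitioner would expect: a per-user random salt, a slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library, with the round count stored alongside the hash so it can be raised later), a constant-time comparison, and a dummy verification for unknown user names so response time does not reveal which accounts exist. The user table and the `login` function are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Cost parameter for PBKDF2-HMAC-SHA256; stored in every record so policy can be raised later.
PBKDF2_ROUNDS = 600_000


def hash_password(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<rounds>$<salt hex>$<hash hex>'."""
    salt = os.urandom(16)  # fresh random salt per user: identical passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and rounds; compare in constant time."""
    try:
        algorithm, rounds, salt_hex, hash_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        rounds = int(rounds)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest, expected)


def needs_rehash(record: str, rounds: int = PBKDF2_ROUNDS) -> bool:
    """True when a stored record uses fewer rounds than current policy (rehash at next login)."""
    return int(record.split("$")[1]) < rounds


# Constructed user table for the demonstration: this is what a breached database would expose.
USERS = {
    "alice": hash_password("correct horse battery staple"),
}

# Hashed once at start-up; verified against for unknown names so timing is the same either way.
DUMMY_RECORD = hash_password("not a real password")


def login(username: str, password: str) -> bool:
    """Hypothetical login check over the constructed table above."""
    record = USERS.get(username)
    if record is None:
        verify_password(password, DUMMY_RECORD)  # burn the same CPU time as a real check
        return False
    return verify_password(password, record)
```

Raising `PBKDF2_ROUNDS` later does not require a reset campaign: `needs_rehash` spots old records at login, when the plaintext is briefly available, and the record can be rewritten then.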
The second is using an approach proposed by a committee of OASIS, called Security Assertion Markup Language (SAML), further information on which may be found through this link. The idea of SAML is that a ‘user’ is granted some ‘rights’ (assertions about their identity and attributes) by a central authority, that these rights are presented seamlessly to each organization the user deals with over the Internet, and that each organization decides how to interpret those rights in its own context.
This article does not intend to review the SAML specification in technical detail, but rather to consider some of the fundamentals of the SAML/XML based approach being proposed.
Underpinning SAML is XML Signature, which in practice is used with X.509 certificates, so deploying it means operating or relying on a PKI (public key infrastructure) to issue and manage those certificates. (Two parties can exchange certificates directly rather than through a public certificate authority, but the questions of trust and liability below remain.) We could refer you to many articles on the feasibility of PKI (see ArticSoft information security), but the simplest points to note are these: to date there has been no successful implementation of PKI for the general public; there is no agreement about recognizing the authority of a PKI outside the domain that authorized its users (would you let Verisign decide who can use your information, for instance?); and questions of legal liability when something goes wrong are uncertain and remain to be tested in the courts.
It is also important to note that SAML should not be confused with another XML based technology, XrML, a completely separate development aimed at implementing digital rights management (DRM) controls into information being used on the Internet. It is not clear if these two technologies can coexist peacefully inside the same information, but it is clear that they were not designed to interoperate in any way.
The third way is to use a single sign-on mechanism. Microsoft took this approach with Passport: a user logs in to their ‘passport’ once and can then view protected areas on other sites operating the Passport system without logging on again (provided they are allowed to, the site owner has not enforced its own logon, and the user has enabled tracking cookies). However, all login credentials are held by Microsoft on a central server, and given Microsoft’s track record in security the system, not surprisingly, was not widely adopted. There have also been well-publicised security breaches of the Passport system.
The fourth and best way to implement web login is to use a service where a cryptographic key is securely locked to a specific user’s computer and is accessed transparently through the application needed to handle the information that can only be reached via web login (the key is, of course, only as well protected as the computer it is locked to). DRM controls can then be enforced in a standardized manner, with each information provider selecting the controls appropriate to its own requirements. This approach has many benefits:
- there are no passwords for people to try and remember (or succeed in forgetting)
- there are no passwords to be given away or stolen
- use of content can be controlled (printing, expiry, etc.) – not just access to content
- content can be encrypted as part of the overall system rather than requiring separate processes and applications and the difficulties of managing them
- revocation of access can stop use of pages already stored or cached on the user’s computer, rather than being limited to new information being downloaded.
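The last two benefits rest on one architectural decision: the page is stored and cached only as ciphertext, and the content key is never kept with it; the reader application fetches the key from a licence server each time the page is opened, proving possession of the device-bound key and passing a revocation check first. The following is an added example (not code from the article or from ArticSoft) that plays out both sides of that exchange. The device key is modelled as a derivation from a server secret and a hardware identifier, an assumption for illustration (a product would seal it in a TPM or the operating system's key store); the cipher is an encrypt-then-MAC construction over an HMAC-SHA256 counter-mode keystream so the example runs on the standard library alone (a product would use AES-GCM); and `LicenseServer`, `Reader`, the document `report-1` and the device id `laptop-7f3a` are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


# --- Authenticated stream cipher from HMAC-SHA256 only (stand-in for AES-GCM) ---
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; tag covers nonce and ciphertext (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class LicenseServer:
    """Hypothetical licence server: holds content keys and the revocation list."""
    def __init__(self):
        self._master = secrets.token_bytes(32)
        self._content_keys = {}   # doc_id -> content key (never sent in the clear)
        self._revoked = set()     # device ids whose access has been withdrawn
        self._challenges = {}     # device_id -> outstanding nonce (stops proof replay)

    def device_key(self, device_id: str) -> bytes:
        # ASSUMPTION: key 'locked' to one machine = HMAC(server secret, hardware id).
        return hmac.new(self._master, b"device:" + device_id.encode(), hashlib.sha256).digest()

    def publish(self, doc_id: str, plaintext: bytes) -> bytes:
        """Encrypt a page under a fresh content key; the ciphertext is what gets cached."""
        key = secrets.token_bytes(32)
        self._content_keys[doc_id] = key
        return seal(key, plaintext)

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._challenges[device_id] = nonce
        return nonce

    def issue_key(self, doc_id: str, device_id: str, proof: bytes) -> bytes:
        """Return the content key wrapped for this device, after proof and revocation checks."""
        nonce = self._challenges.pop(device_id, None)
        if nonce is None:
            raise PermissionError("no outstanding challenge")
        expected = hmac.new(self.device_key(device_id), doc_id.encode() + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            raise PermissionError("device not recognised")
        if device_id in self._revoked:
            raise PermissionError("access revoked")
        return seal(self.device_key(device_id), self._content_keys[doc_id])

    def revoke(self, device_id: str) -> None:
        self._revoked.add(device_id)


class Reader:
    """Hypothetical client application: it holds a cached page but never a content key."""
    def __init__(self, server: LicenseServer, device_id: str, device_key: bytes):
        self.server, self.device_id, self.device_key = server, device_id, device_key

    def view(self, doc_id: str, cached_blob: bytes) -> bytes:
        nonce = self.server.challenge(self.device_id)
        proof = hmac.new(self.device_key, doc_id.encode() + nonce, hashlib.sha256).digest()
        wrapped = self.server.issue_key(doc_id, self.device_id, proof)
        content_key = open_sealed(self.device_key, wrapped)   # fails on any other device
        return open_sealed(content_key, cached_blob)


def demo():
    """Publish, read, revoke, read again: the cached ciphertext is then useless."""
    server = LicenseServer()
    cached = server.publish("report-1", b"Quarterly figures: confidential")  # constructed page
    laptop = Reader(server, "laptop-7f3a", server.device_key("laptop-7f3a"))
    first = laptop.view("report-1", cached)
    server.revoke("laptop-7f3a")
    try:
        laptop.view("report-1", cached)
        second = "opened"
    except PermissionError as exc:
        second = str(exc)
    return first, second
```

The point to take from `demo` is that the second `view` fails even though nothing on the laptop was deleted: the cached bytes were never readable on their own, so withdrawing the key withdraws the page. The wrapped key returned by `issue_key` is just as useless when copied to another machine, because it is sealed under that device's key.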