Pawn:KeyStore Roles
From Adapt
Overview
Security in PAWN uses SAML tokens in combination with X509 certificates to authenticate and authorize clients. Using SAML tokens, a client signs on to a producer using any authentication method the producer supports (currently only username/password), and is issued a limited-life token that contains authorization information about the client. The client can then present the token, along with proof of ownership of the token, to use any service that recognizes the producer as a valid issuer.
Call Details
- Client connects and authenticates to the PAWN manager, presenting its certificate to the manager. The call should be signed with the client's private key to prevent tampering (TBD). With that in place, an attacker would need a compromised keypair signed by the appropriate CA, in addition to the username/password for an account, in order to compromise that account.
- Producer creates an assertion, embeds the presented certificate and the client's roles in it, then signs it with its private key. The client then validates the assertion against its local copy of the producer certificate to ensure no tampering has occurred.
- On a call to any other service, the client presents the issued token and signs the message with its private key. At the service, the message signature is verified against the certificate embedded in the token, as proof under the holder-of-key confirmation method; in addition, the producer that signed the assertion is checked against a local cache to see whether it is a trusted issuer.
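The service-side checks from the third step, written out as an added example (not PAWN's own code): the issuer must be in the local trusted-producer cache, the assertion must carry that producer's signature, and the message must be signed by the key embedded in the assertion. The `Assertion` struct, the `Issue`/`Verify` names and the use of Ed25519 keys in place of X509 certificates are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Assertion stands in for the page's SAML assertion (constructed format, not PAWN's).
type Assertion struct {
	Issuer    string            // producer that issued the token
	Subject   ed25519.PublicKey // client certificate embedded by the producer
	Roles     []string          // authorization information about the client
	Signature []byte            `json:"-"` // producer signature, not part of the signed bytes
}

// Issue is the producer step: bind the presented client key and roles into an
// assertion signed with the producer's private key.
func Issue(issuer string, producerKey ed25519.PrivateKey, clientPub ed25519.PublicKey, roles []string) Assertion {
	a := Assertion{Issuer: issuer, Subject: clientPub, Roles: roles}
	body, _ := json.Marshal(a) // canonical bytes; Signature is excluded by its json tag
	a.Signature = ed25519.Sign(producerKey, body)
	return a
}

// Verify is the service step: trusted issuer, valid producer signature, and a
// message signature under the embedded key (holder-of-key confirmation).
func Verify(trusted map[string]ed25519.PublicKey, a Assertion, msg, msgSig []byte) ([]string, bool) {
	producerPub, ok := trusted[a.Issuer]
	body, _ := json.Marshal(a)
	if !ok || !ed25519.Verify(producerPub, body, a.Signature) {
		return nil, false // unknown issuer or tampered assertion
	}
	if len(a.Subject) != ed25519.PublicKeySize || !ed25519.Verify(a.Subject, msg, msgSig) {
		return nil, false // presenter does not hold the token's private key
	}
	return a.Roles, true
}

func main() {
	producerPub, producerKey, _ := ed25519.GenerateKey(rand.Reader)
	clientPub, clientKey, _ := ed25519.GenerateKey(rand.Reader)
	tok := Issue("producer-a", producerKey, clientPub, []string{"ingest"})
	msg := []byte("store object 42") // constructed sample message
	roles, ok := Verify(map[string]ed25519.PublicKey{"producer-a": producerPub}, tok, msg, ed25519.Sign(clientKey, msg))
	fmt.Println(roles, ok)
}
```

A token copied from the wire is useless without the client's private key, and any edit to the roles invalidates the producer's signature; both cases are rejected by `Verify`.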
Keystore Details
The following keystores are needed at each party:
Client
- Private key / signed public[1] - used to sign saml-authenticated messages
- producer certificate - verify saml token received from producer
Issuer/Producer
- Private key / signed public[1] - used to sign saml tokens sent to client
Service
- Private key / signed public
- Each trusted producer/token issuer - to verify validity of certificates presented by client
- Any CA certificates used for signing - to verify the certificate path
[1] signed by common ca
-- Main.MikeSmorul - 20 Jul 2005