In the run-up to the Black Hat meeting next week in ORT, hackers have announced that they will pulic demonstrate how to compromise the password storage system used by Firefox in its popular browser. Using so-called cross site scripting attacks (XSS), they want to prove that storing passwords locally is inherently dangerous. Well, so what else is new? The real question is: How can we make Single Sign-On (SSO) safe? The answer is: You can do it – but it won’t be easy.
Fundamentally, the issue revolves around the proper storage of credentials. Most enterprise-scale SSO solutions in use today hoard passwords in central repository. But just how secure are these digital warehouses?
Granted, it’s easier to guard sensitive information in a central server than on distributed clients. Local password storage, on the other hand, involves encryption, and the browser or password manager has to be able to decipher them, so they need to know the appropriate keys. Since the whole point is to automate the process so the user doesn’t have to remember all those complicated combinations of digits, marks and characters, the key itself has to be stored in the system, too. And no matter how hard you try to hide them and how many layers of access control you use, keys on your hard disk are always going to be a major risk.
So why not use extra hardware? Tokens, Smartcards and USB sticks are routinely used today to store the necessary credentials. TPMs (Trusted Platform Modules) are also a good way to protect your system. However, cheap, low-end solutions generally don’t cut it.
Another problem lies in the wide-spread use of what we at Kuppinger Cole often refer to as “pseudo SSO” which still require various user names, passwords and other credentials. True SSO, on the other hand, calls for such robust mechanisms as Kerberos or Identity federation, both of which allow for strong central authentication. In the case of ID Federation, this is handles through the so-called Identity provider. Kerberos relies on the KDC (Key Distribution Center). Both can draw on Microsoft’s Active Directory, but this also means that AD security takes on crucial importance. For instance, where are the domain controllers located and is access to the rooms strictly monitored? Is your Windows environment protected by PAM (Privileged User Management) for all administrators?
The applications themselves should ideally only receive an (encrypted) message confirming the user’s successful authentication in the form of a software token containing all the necessary information. In this case, a single password is enough.
Federation is obviously the way to go in the future. Since it is based on Web Services it will also function beyond the confines of the enterprise and on the Internet, and popular support for the principle has been growing in recent years. Kerberos, on the other hand, remains the primary authentication system for corporate networks and intranets where Kerberos-ready applications already thrive.
The hard truth remains: If you really want to get it right, then storing passwords in your browser, be it Firefox or any other, is simply not an option and should be either forbidden or disabled. Only then can you rest assured that Single Sign-On will work for you – and not turn into another security nightmare.