inside the man

Friday, May 20, 2005

A real (beta) example of an Ajax enabled security mechanism

Hot on the heels of my musings about the potential of Ajax to transform secure web communications, the OpenID project was brought to my attention - thanks Jeremiah.

OpenID is essentially a protocol that lets a user visit a foreign site and easily ask her home site to supply her identifying information to that foreign site. For the transaction to succeed, the user must tell her home site to release her information to the foreign site. The foreign site therefore never handles the user's credentials; it simply chooses whether or not to trust the identifying information the user's home site provides.

While an OpenID user can carry out an OpenID transaction using classic HTTP, OpenID implementations require Ajax support. Both an Ajax demo and a classic HTTP demo are up here. All of this comes from Danga, the folks who brought us LiveJournal.

OpenID will require some careful analysis from the security community before its degree of security is well understood (remember that SSL 1.0 never saw the light of day due to serious flaws). To that end, Imran Ghory posted the following formalization of the protocol to the yadis mailing list today:
The format I've used is

Source
---------> Information being sent
Destination.

I've used various other bits of notation (for example, information being sent is prefixed by the name of whoever generated the data so the flow of information can be seen) but hopefully it's mostly self-explanatory.

So here it is:

User
---------> User_server_url
Consumer


Consumer
---------> User_server_url
---------> Consumer_Request_for_id_server_url
User-site


User-site
---------> User-site_id_server_url
Consumer


Consumer
---------> User-site_id_server_url
---------> consumer_nonce
---------> consumer_return_to_url
---------> consumer_trust_root_url
---------> user_server_url
User


User
---------> consumer_nonce
---------> consumer_return_to_url
---------> consumer_trust_root_url
---------> user_server_url
id-server


id-server
---------> user_server_url
---------> consumer_return_to_url
---------> consumer_nonce
---------> id-server_timestamp
---------> id-server_signed
---------> (id-server_timestamp,
---------> user_server_url,
---------> consumer_return_to_url,
---------> consumer_nonce)
User


User
---------> user_server_url
---------> consumer_return_to_url
---------> consumer_nonce
---------> id-server_timestamp
---------> id-server_signed
---------> (id-server_timestamp,
---------> user_server_url,
---------> consumer_return_to_url,
---------> consumer_nonce)
Consumer
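To make the flow above concrete, here is an added Python sketch of the exchange (my own illustration, not code from Imran Ghory's post or from Danga's implementation): the consumer discovers the id server, hands the user a request carrying its nonce, return_to and trust_root, the id server signs the bundle, and the consumer verifies it. The HMAC key, the assumption that the consumer can check the signature directly (a check-back to the id server would serve the same purpose), the 300-second freshness window, and all URLs are constructed for the example.

```python
import hashlib, hmac, secrets, time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo values: every name, URL and key here is an assumption, not from the post.
ID_SERVER_KEY = b"demo-id-server-key"  # id-server's signing key; assumed shared with the consumer
SIGNED = ("id-server_timestamp", "user_server_url", "consumer_return_to_url", "consumer_nonce")
MAX_AGE = 300  # seconds a signed assertion stays fresh (assumed policy)

def discover_id_server(user_server_url):
    """Consumer asks the user's site for its id server; a dict stands in for the HTTP fetch."""
    known = {"http://alice.example.net/": "http://id.example.net/openid"}
    return known[user_server_url]

def consumer_request(user_server_url, id_server_url, return_to, trust_root):
    """Consumer builds the URL the user carries to the id-server (nonce, return_to, trust_root)."""
    nonce = secrets.token_hex(8)
    q = {"consumer_nonce": nonce, "consumer_return_to_url": return_to,
         "consumer_trust_root_url": trust_root, "user_server_url": user_server_url}
    return nonce, f"{id_server_url}?{urlencode(q)}"

def _sig(fields):
    msg = "\n".join(f"{k}={fields[k]}" for k in SIGNED).encode()
    return hmac.new(ID_SERVER_KEY, msg, hashlib.sha1).hexdigest()

def id_server_respond(request_url, user_agreed, now=None):
    """Id-server: if the user released her identity, sign timestamp, url, return_to and nonce."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}
    if not user_agreed or not q["consumer_return_to_url"].startswith(q["consumer_trust_root_url"]):
        return None  # user refused, or return_to lies outside the trust root the consumer claimed
    fields = {"id-server_timestamp": str(int(now or time.time())),
              "user_server_url": q["user_server_url"],
              "consumer_return_to_url": q["consumer_return_to_url"],
              "consumer_nonce": q["consumer_nonce"]}
    fields["id-server_signed"] = _sig(fields)
    return fields

def consumer_verify(resp, expected_nonce, expected_return_to, seen_nonces, now=None):
    """Consumer: signature, matching unused nonce, matching return_to, and freshness."""
    if resp is None or not hmac.compare_digest(_sig(resp), resp["id-server_signed"]):
        return False
    if resp["consumer_nonce"] != expected_nonce or expected_nonce in seen_nonces:
        return False  # nonce mismatch, or replay of an assertion already accepted
    if resp["consumer_return_to_url"] != expected_return_to:
        return False
    if (now or time.time()) - int(resp["id-server_timestamp"]) > MAX_AGE:
        return False
    seen_nonces.add(expected_nonce)
    return True
```

The nonce set and timestamp check are what stop a captured signed bundle from being presented twice or long after it was issued.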

While we await the security verdict, OpenID remains a perfect example of providing new capabilities by breaking out of the "use SSL and you're done" web app security rut. The transformational potential of this sort of federated single sign-on system is tremendous.

About Me

Edmonton, Alberta, Canada
Returned to working as a Management Consultant, specializing in risk, security, and regulatory compliance, with Fujitsu Canada after running the IT shop in the largest library in the South Pacific.

CC Developing Nations
This work is licensed under a Creative Commons Developing Nations license.