The GateKeeper authentication token

See Also :

Summary :

The purpose of GateKeeper is to authenticate an end user U to a web application WA. The authentication involves a "trusted" authentication portal AP and happens in 2 steps :

  1. U authenticates with AP by means of SRP password based authentication.
  2. AP delivers to U a "tamper proof" authentication token TOK that grants him access to WA.

TOK is an XML file signed by AP that contains :

  1. A timed proof of the successful authentication of U by AP.
  2. Information relating to the current connection between the end user browser UB and WA.

When WA operates over https, a valid TOK provides a guarantee that the "real" user is directly connected to the real WA.

Token content :

<?xml version="1.0" encoding="utf-8"?>
<auth-token>
  <data>
    <origin>http://gkauth.site.com</origin>
    <userid>uid</userid>
    <auth-method>up</auth-method>
    <auth-time>timestamp</auth-time>
    <session-key>abcdef0123456789</session-key>
    <connection>
      <auth-request-url>https://www.webapplication.com/path/to/authentication/request</auth-request-url>
      <token-validation-url>https://www.webapplication.com/path/to/token/validation/url</token-validation-url>
      <certificate-digest>hex-encoded SHA-1 of the received web app certificate</certificate-digest>
    </connection>
  </data>
  <signature type="hmac">
    hex-encoded HMAC of data, computed with K_wa
  </signature>
</auth-token>

Description :

  • origin : provided by AP
  • userid : corresponds to the current authentication session.
  • auth-method : provided by AP
  • auth-time : Unix time at which AP starts generating the authentication token.
  • session-key : K_uas derived from the SRP shared key (See authentication protocol, 4 )
  • auth-request-url : provided by UB
  • token-validation-url : provided by UB
  • certificate-digest : provided by UB
  • signature : Calculated over the <data> ... </data> content, including the opening and closing tags. The key used is the long-term K_wam.

Token transport :

  • TOK is returned by AP to the user browser UB encrypted with K_wa and then with K_ua : {{TOK}}
  • UB decrypts {{TOK}} using K_ua : {TOK}
  • UB submits {TOK} to WA.
  • WA decrypts {TOK} using K_wa and proceeds with final validation.

Token validation :

WA is ultimately responsible for validating TOK. It must know precisely the connection information that should appear in TOK if the end user is in direct contact with it (MITM relay detection and avoidance).

  • Checks that the current time is within ± x minutes of auth-time.
  • Checks that origin is trusted.
  • Checks that auth-request-url is as expected.
  • Checks that token-validation-url is as expected.
  • Checks that certificate-digest is as expected.
  • Checks that signature matches the received data.

Validation terminates with an error if any of these checks fails.
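The validation procedure above, written out as an added Python example (this is not GateKeeper's own code). It assumes the token has already been decrypted with K_wa, that the HMAC is HMAC-SHA256 (the page does not name the hash), that the signed bytes are exactly the raw <data> ... </data> substring of the token, and that "x minutes" is 5. The AP-side builder, the certificate bytes, the keys and the expected connection values are all constructed here for the demonstration.

```python
import hashlib
import hmac
import re
import time
import xml.etree.ElementTree as ET

# Constructed sample material (not from the page): the WA's long-term MAC key,
# the certificate WA actually serves, and the connection values WA expects.
K_WAM = b"constructed-long-term-K_wam-key"
WA_CERT_DER = b"constructed-web-app-certificate-bytes"
EXPECTED_CONNECTION = {
    "auth-request-url": "https://www.webapplication.com/path/to/authentication/request",
    "token-validation-url": "https://www.webapplication.com/path/to/token/validation/url",
    "certificate-digest": hashlib.sha1(WA_CERT_DER).hexdigest(),
}
TRUSTED_ORIGINS = {"http://gkauth.site.com"}
MAX_SKEW_SECONDS = 5 * 60  # assumed value for the page's "x minutes"

# Signature covers the raw <data>...</data> bytes, opening and closing tags included.
DATA_RE = re.compile(rb"<data>.*?</data>", re.DOTALL)


def sign_data(data_bytes, k_wam):
    # Assumption: HMAC-SHA256, hex encoded, as the page leaves the hash unspecified.
    return hmac.new(k_wam, data_bytes, hashlib.sha256).hexdigest()


def build_token(userid, auth_time, session_key, conn, k_wam, origin="http://gkauth.site.com"):
    """AP side (illustrative): assemble <data>, sign it with K_wam, wrap in <auth-token>."""
    data = (
        "<data>"
        f"<origin>{origin}</origin>"
        f"<userid>{userid}</userid>"
        "<auth-method>up</auth-method>"
        f"<auth-time>{auth_time}</auth-time>"
        f"<session-key>{session_key}</session-key>"
        "<connection>"
        f"<auth-request-url>{conn['auth-request-url']}</auth-request-url>"
        f"<token-validation-url>{conn['token-validation-url']}</token-validation-url>"
        f"<certificate-digest>{conn['certificate-digest']}</certificate-digest>"
        "</connection>"
        "</data>"
    ).encode("utf-8")
    sig = sign_data(data, k_wam)
    return (b'<?xml version="1.0" encoding="utf-8"?><auth-token>' + data
            + f'<signature type="hmac">{sig}</signature></auth-token>'.encode("utf-8"))


def validate_token(token_bytes, k_wam, expected_conn, trusted_origins,
                   now=None, max_skew=MAX_SKEW_SECONDS):
    """WA side: run every check the page lists; return (ok, reason)."""
    # Signature first, so the remaining comparisons only see authenticated content.
    m = DATA_RE.search(token_bytes)
    if not m:
        return False, "no <data> element"
    try:
        root = ET.fromstring(token_bytes)
    except ET.ParseError:
        return False, "malformed token"
    sig_el = root.find("signature")
    if sig_el is None or sig_el.get("type") != "hmac":
        return False, "missing hmac signature"
    received_sig = (sig_el.text or "").strip()
    if not hmac.compare_digest(received_sig, sign_data(m.group(0), k_wam)):
        return False, "signature mismatch"

    data = root.find("data")

    def field(path):
        el = data.find(path)
        return (el.text or "").strip() if el is not None else ""

    # Time window: current time within +- max_skew of auth-time.
    try:
        auth_time = int(field("auth-time"))
    except ValueError:
        return False, "bad auth-time"
    now = int(time.time()) if now is None else now
    if abs(now - auth_time) > max_skew:
        return False, "auth-time outside window"
    if field("origin") not in trusted_origins:
        return False, "untrusted origin"
    # Connection data: a relay in the middle would present a different URL or certificate.
    for name in ("auth-request-url", "token-validation-url", "certificate-digest"):
        if field(f"connection/{name}") != expected_conn[name]:
            return False, f"{name} mismatch"
    return True, "ok"


if __name__ == "__main__":
    now = 1700000000
    tok = build_token("alice", now - 60, "abcdef0123456789", EXPECTED_CONNECTION, K_WAM)
    print(validate_token(tok, K_WAM, EXPECTED_CONNECTION, TRUSTED_ORIGINS, now=now))
```

Checking the HMAC before anything else means a forged or altered token never reaches the URL and certificate comparisons, and `hmac.compare_digest` keeps the comparison constant-time. A token signed correctly by AP but carrying the certificate digest of some other endpoint still fails at the `certificate-digest` check, which is the relay-detection property the section describes.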