WIND

>> WIND Status | Synopsis | Documents | History

Synopsis

WIND is the Web Identification Network Daemon.
The intent of the WIND project is to develop a fourth generation web sign on platform. WIND is expected to be a protected re-entry sign on platform, meaning that a user may be challenged to reauthenticate whenever the authentication system deems it appropriate. The following are requirements of WIND:

Simplicity to users. Users must not be required to perform tasks any more complicated than they currently do (ie: remember a poorly chosen password). Advanced functionality may be available via more sophisticated tasks for savvy users, but basic functionality must meet this requirement.

No browser modifications. WIND must work with popular web browsers as they are configured by default.

High availability and redundancy. The implementation must be distributable across multiple servers to allow for appropriate scaling and reliability. No single points of failure are permitted.

Site neutral. WIND must not make any distinction between on campus and off campus, for both user location and location of services that may wish to authenticate against it. This applies for basic functionality only. Site location may be used in making policy decisions, such as when to require reauthentication.

IRAA! compliance. WIND must comply with the IRAA! requirements for a proxy authentication server. (In addition to the IRAA! query flags, WIND also supports a query aname=[KU] to indicate whether the Kerberos name (uni) should be returned, or whether the name passed to WIND at login should be Unmodified.
In compliance with the above requirements, the following scenario is under consideration:

User accesses web site requiring AcIS provided authentication.

The service redirects the user to the WIND server. The redirection may include information to incorporate restrictions over how the credentials may be used once obtained.

WIND optionally provides the user an opportunity to set restrictions on how the credentials may be used once obtained. Users may not override authorization restrictions, including by modification of the redirection URL.

User authenticates to WIND via a secure form. Upon successful authentication, WIND may choose to issue a cookie (and the user may choose to accept it) to effect a session. If the user has already authenticated, WIND may choose to deny authentication and force the user to reauthenticate in accordance with restrictions imposed on the session. If (new or renewal) authentication takes place, WIND records the user's identity and information (including restrictions) related to this authentication in an internal database. WIND then generates a specific validation credential and returns it to the web site requiring authentication.

The requesting service verifies the credential against the WIND server, which updates its database as appropriate. This verification is performed via a separate HTTPS transaction. There is currently no notion of "registered" services, as allowing arbitrary services to authenticate is no greater a security concern than allowing arbitrary services to authenticate directly to the Kerberos server. However, service registration could conceivably be required, and with it some manner to authenticate services requesting validation.

Restrictions on a credential may include the following:

Limited number of uses. A credential may be set to expire after an arbitrary number of uses.

Limited lifetime. A credential may be set to expire in a shorter amount of time than the default.

Service validity. A credential may be restricted to a subset of potential services. For example, a credential used to login to a web based email service might be scoped only for that service, and thus not valid to access student grade information.

Authorization. Unlike other restrictions, authorization restrictions are imposed when the specific use credential is validated. Upon successful verification of the credential, WIND will perform an authorization step in accordance with the requested query and local release rules.

Restrictions may be imposed by any of the following, in order of precedence:

WIND configuration. Restrictions may be associated with the service requesting the credentials.

User configuration. Users may be offered the option to adjust the restrictions when authenticating. Users may not set or modify authorization restrictions.

Site request. The site requesting authentication may also restrict what a credential may be used for.

For reasons of data integrity, each WIND host within a given site's installation will maintain its own database of valid credentials. Thus, when a user authenticates via WIND, any credentials issued may only be validated against the server which issued them. In the event one server becomes unavailable, the user may be required to reauthenticate against an available host.
In order to validate credentials successfully when more than one host is deployed, WIND will encode a hint in the credentials it generates. The format of the hint need be known only to WIND. The user's web browser or the site requesting authentication need only know the general published name of the WIND service, and need not know about specific hosts that are responding. If the browser or site connects to a host that does not have the user's credentials in its own database, the WIND server on that host will parse the hint and proxy the request to the correct host.
As more hosts are added, the overhead of a WIND verification transaction approaches two hops. The likelihood that the browser or site will connect to the correct host decreases as the number of hosts increases (with 2 hosts: 50%, with 3 hosts: 33%, etc), thus increasing the likelihood that a second connection (from the initial WIND host to the host with the information) will be required.
In the debate of Certificates vs. Tokens, the WIND approach favors tokens. While certificates may be verified off line, the authenticating service needs to maintain an appropriate CA public key and must correctly track use of junk certificates to prevent replay attacks. Tokens require on line verification and are a point of failure, but provide auditing of use, move the replay prevention to a central monitoring point, and require less user education (in comparison with personal certificates).
In the debate of Basic Auth vs Cookies, the WIND approach favors Basic Auth. Both offer essentially the same level of security. Basic Auth eliminates one level of complexity (session ID) at the expense of offering configuration options on the same screen as the login dialogue. However, Basic Auth cannot be reliably implemented, as browsers cache passwords until they are reentered (regardless of if the password has been rejected by the server).
WIND is based on Yale's Central Authentication Server.

Documents

Generic login page
Login page with authorization restriction
Interrealm login page
Advanced user login page
Draft Documentation
Sample Code Repository
WIND Status, Summer 2003

History

22 June 2001: Revise authorization restrictions, add multiple server info.
25 April 2001: Revised synopsis, added documents.
13 April 2001: Revised synopsis.
2 April 2001: Initial planning began.