Passwordless Authentication

DTLab project with the IT department of the City of Munich

Overview

Today's IT service architectures are expected to provide a high level of security as well as centralised, modern user management. Besides secure communication, this requires the authentication of users and services. Up to now, authentication has relied mainly on password-based procedures. A trend towards "passwordless" techniques is now emerging; although still rare, they are being used more frequently. They are easy to use and meet the same IT security requirements as password-based procedures.

As part of a DTLab project, a prototype was developed for the IT department (RIT) of the City of Munich to demonstrate the joint use of the FIDO2 standard and OpenID Connect, the authentication system for web-based services. In addition, SPIFFE/SPIRE was evaluated as a modern framework for communication between microservices, with the aim of enabling secure end-to-end communication between services. Four student teams from the Master's degree in IT Security at HM Hochschule München University of Applied Sciences were involved in the project.

Problem

The use of usernames and passwords has been a major problem for decades. They do not offer 100% protection, and attackers can easily obtain them through malware or so-called "social engineering" attacks and thus gain access to users' personal information. For this reason, the FIDO2 standard was developed. It offers modern authentication based on hardware and software tokens. However, FIDO2 does not describe how these technologies should be integrated into existing authentication frameworks and into the processes of an organisation. Therefore, the following questions had to be answered within the scope of this project:

  • How can FIDO2 be used in combination with OpenID Connect?
  • What technical processes are necessary so that employees can easily create a new user account?
  • How can a portal be set up for self-administration?

In addition to communication with the end user, today's applications often make use of a so-called "microservice" architecture. From an IT security perspective, the problem here is often that applications authenticate to each other only weakly or not at all. The SPIFFE/SPIRE framework offers a way to carry out this authentication at the "microservice" level.

Solution approach and results

The project groups developed a sample application based on a "microservice" architecture. The sample application is a web application that communicates with a database. The applications ran as containers in a self-operated Kubernetes environment. The open-source project Keycloak was used as the identity management solution.

Project group 1 dealt with the topic of "identities" and built a central instance of Keycloak. Various processes were technically implemented to show how modern user authentication can work without a username and password. Processes such as the loss of FIDO2 tokens or the addition of further FIDO2 tokens were also considered.

Project group 2 realised the architecture and operation of the infrastructure based on Kubernetes in AWS. A SPIFFE/SPIRE environment was implemented and the individual services were equipped with strong authentication features. This ensured that only trusted instances were allowed to communicate with each other.

Project group 3 dealt with the actual application and developed a "single page" web application. This web application was deployed directly to the AWS environment via GitLab and uses Keycloak for user management and authentication.

During the project, a vulnerability was identified in Keycloak. It was reported to the software company Red Hat and was assigned the CVE number CVE-2021-3632. The student team provided a fix for it, which was published by Red Hat.

Prototypes

The individual prototypes were published on the Seclab GitHub account.

Semester: Summer Semester 2021

Faculty: FK07 - Master IT Security

Lecturers: Prof. Dr. Thomas Schreck

Project partner: City of Munich - RIT (IT department)

Teams: 19 students

Date: 07.10.2021