3.12 Infrastructure Working Group

In addition to SIF messages and strictly infrastructure-related objects like SIF_ZoneStatus, the Infrastructure Working Group occasionally defines data model objects that either do not fall neatly within the purview of currently existing data model working groups (e.g. the Authentication object) or that can be provided by the ZIS and agents alike—typically metadata about a zone as opposed to data directly originating from the K-12 instructional and administrative environment (e.g. SIF_LogEntry).

3.12.1 Authentication

The Authentication object allows a system that stores usernames and/or passwords to share them with other applications through SIF. The provider of the Authentication object may only support providing a username or a password, or it may support both.

The Authentication object is also able to transmit a user's network identity through SIF. If the user has an account in a network directory system that supports LDAP, the user's distinguishedName or username is shared to uniquely identify the user to applications that support LDAP or native network authentication options.

Details of how to implement the password element are included below the object definition.

SIF_Events are reported for this object.
Authentication
Figure 3.12.1-1: Authentication Authentication RefId SIF_RefId SIF_RefObject AuthenticationInfo System Type Username DistinguishedName PasswordList Password Algorithm KeyName SIF_Metadata SIF_ExtendedElements
 Element/@AttributeCharDescriptionType
 Authentication 

The Authentication object allows a system that stores usernames and/or passwords to share them with other applications through SIF. The provider of the Authentication object may only support providing a username or a password, or it may support both.

The Authentication object is also able to transmit a user's network identity through SIF. If the user has an account in a network directory system that supports LDAP, the user's distinguishedName or username is shared to uniquely identify the user to applications that support LDAP or native network authentication options.

 		 
@
key		RefIdM

The SIF RefId that uniquely identifies this authentication object.

 		RefIdType
@SIF_RefIdM

The SIF RefId of a student or staff member

 		IdRefType
@SIF_RefObjectM

The type of SIF object that the SIF_RefId attribute identifies.

 		values:
StudentPersonal
StaffPersonal
StudentContact
EmployeePersonal
 AuthenticationInfoM

The authentication information for one system.

 		 
 AuthenticationInfo/System
     		M

An identifying string for the system that supports this authentication information.

 		xs:normalizedString
xs:maxLength255
@TypeM

Specific type of user identification.

 		values:
Network
Application
 AuthenticationInfo/Username
     		O

The identification string for this user.

 		xs:normalizedString
xs:maxLength64
 AuthenticationInfo/DistinguishedName
     		O

This is the distinguished name of the user in a network directory system.

 		xs:normalizedString
xs:maxLength255
 AuthenticationInfo/PasswordList
     		O

Allows a provider or publisher to specify the same password using multiple algorithms, if supported.

 		List
 AuthenticationInfo/PasswordList/
     Password		MR

A representation of the user's password using the given algorithm.

 		xs:base64Binary
xs:maxLength255
@AlgorithmM

The method used to encrypt the user's password. See the implementation details below.

 		values:
base64
MD5
SHA1
DES
TripleDES
RC2
AES
RSA
@KeyNameM

The name of the key to be used for decryption of the password. Left blank for plain, encoded text (Algorithm attribute value of "base64") and hash algorithms.

 		xs:normalizedString
xs:maxLength64
 SIF_MetadataO SIF_Metadata
 SIF_ExtendedElementsO SIF_ExtendedElements
Table 3.12.1-1: Authentication

3.12.1.1 Password Implementation Details

While Authentication objects transported over SIF HTTPS are typically secure in transit, SIF objects are often stored in logs and databases. If the network infrastructure is not secure, the passwords could be subject to snooping from system users. Because of this, the design of the Authentication object requires that passwords never be transmitted in plain text, to prevent casual viewing. The design of this object allows passwords to be securely encrypted using a variety of encryption algorithms.

Passwords in the Authentication object can be shared in one of three ways as documented in the sections below.

3.12.1.1.1 Encoded Text

Sharing a password using encoded text is a very insecure method, because it uses a well-known algorithm and the value is not encrypted. The only merit of using this method is that the password is not readable as plain text, and thus deters any casual attempt to read a password. To share passwords in this manner, the following steps must be followed:

  1. The publishing agent creates a Password element with the algorithm set to base64.
  2. The agent encodes the Unicode representation of the password using the UTF-8 encoding.
  3. The resulting binary value is then base64 encoded.
  4. Write the result as the payload of the Password element.
3.12.1.1.2 Hashed Text

Sharing a hashed text version of a password means that the original password is not shared. Clear text passwords are not retrievable from values stored as hashes. These hashed values can only be used to verify passwords input by a user.

What is shared is a cryptographically secure hash of the password. This hash allows other applications to verify a user's password when s/he logs in by comparing the hash value, not the original password. To share passwords in this manner, the following steps must be followed:

  1. The publishing agent creates a Password element with the algorithm set to MD5 or SHA1.
  2. The agent encodes the Unicode representation of the password using the UTF-8 encoding.
  3. Hash the resulting binary value with the chosen hash algorithm.
  4. Encode the binary result using base64 encoding.
  5. Write the result as the payload of the Password element.
3.12.1.1.3 Encrypted Text

Sharing a password using encrypted text can be very secure. The key being used to encrypt the data should be known only to the applications. The KeyName attribute is used to allow agents to uniquely identify keys that are being used. To share passwords in this manner, the following steps must be followed:

  1. The publishing agent creates a Password element with the algorithm set to DES, TripleDES, RC2, or AES.
  2. The agent encodes the Unicode representation of the password using the UTF-8 encoding.
  3. Generate a cryptographically secure Initialization Vector (IV).
  4. Configure the encryption algorithm to use a cipher mode of CBC.
  5. Configure the encryption algorithm to use a block size of 64 bits (8 bytes).
  6. Configure the encryption algorithm to use the generated IV.
  7. Configure the encryption algorithm to use the specified key for encryption.
  8. Configure the encryption algorithm to use PKCS#7/PKCS#5 padding mode.
  9. Encrypt the binary representation of the password that was generated in step 2.
  10. Encode the binary result using base64 encoding.
  11. Write the result as the payload of the Password element.
3.12.1.1.3.1 Example Keys

The XML in the Authentication example can be used to verify an agent's implementation of any of the published algorithms. The password being shared for the sake of the example is ¿sècrèt. High-Unicode characters are being used in this example to validate proper encoding. The actual Unicode characters are: U+00BF, U+0073, U+00E8, U+0063, U+0072, U+00E8, U+0074.

The encryption keys being used are as follows (in base 64 format)

Key NameKey (in base64 format)
64-BIT_KEYdW7SKzwdn0Q=
128-BIT_KEYTcdilmUZ6qvbmegl2it2pA==
192-BIT_KEYmECbXMo+fOMWRwam7tyUEE59jbO9O0Z4

NOTE: Real-world implementations of password sharing should use keys other than the ones used for this documentation. These keys are provided for example's sake only. Keys should be generated using a secure cryptographic key generator.

<Authentication RefId="4286194F43ED43C18EE2F0A27C4BEF86" SIF_RefId="23B08571E4D645C3B82A3E52E5349925" SIF_RefObject="StudentPersonal"> <AuthenticationInfo> <System Type="Network">NetworkSystem</System> <Username>User01</Username> <DistinguishedName>cn=User01, cn=Users, dc=sifinfo, dc=org</DistinguishedName> <PasswordList> <Password Algorithm="SHA1" KeyName="SHA1">1zKHIKRoPb3y0gZLJnFhQspdevg=</Password> <Password Algorithm="MD5" KeyName="MD5">IwErjiNuanYLAmyFwyulPg==</Password> <Password Algorithm="base64" KeyName="BASE64">wr9zw6hjcsOodA==</Password> <Password Algorithm="DES" KeyName="64-BIT_KEY">6XSjrzAgkrd41Nzb61w5vwuqzKsQbybL</Password> <Password Algorithm="RC2" KeyName="128-BIT_KEY">jqCzWFS38Xs7tx7v2ksa01TrFhBnixI8</Password> <Password Algorithm="TripleDES" KeyName="192-BIT_KEY">msf17ucBbhN44uJpXTGGfI3twSR/cS/u</Password> </PasswordList> </AuthenticationInfo> </Authentication>
Example 3.12.1-1: Authentication

Valid XHTML 1.0 Transitional