CAS4/CAS5, What is in TGT and ST?

[Yan Zhou]

Hello,

is there any user info. being stored in TGT and ST?  I would think so, I see Authentication being part of TGT.

Due to some security policy, we are asked whether we need to encrypt TGT and ST, because there is User Auth info., it sounds like we should encrypt it. 

Does that sound right? Thanks,

Yan

[Ray Bon]

Yan,

The TGT stays on the cas server and the ticket storage system. It stores the user session details. The TGC is sent to the browser. It is just an identifier for cas to find a TGT.

The ST is just an identifier and stores no info.

See https://apereo.github.io/cas/6.2.x/planning/Security-Guide.html#protocol-ticket-encryption, for encryption options.

Ray

On Thu, 2020-11-19 at 14:07 -0800, Yan Zhou wrote:

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

-- 

Ray Bon

Programmer Analyst

Development Services, University Systems

2507218831 | CLE 019 | rb...@uvic.ca

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

[Yan Zhou]

Hi Ray, 

Thanks for the info.,  We use both CAS4/CAS5 in production.

Due to our security policy, we need to encrypt anything having user info. (even in the backend), this means we need to encrypt TGT in the ticket storage.  Otherwise, someone on our network can intercept the traffic between CAS and hazelcast registry and misuse the TGT coming across the wire. As I understand, CAS4 does NOT support encrypting TGT, that capability is new in CAS5.  

For both CAS4/CAS5, what has been encrypted and secured is the TGC (the thing that is sent to browser).   But our security policy requires even the backend be encrypted, as long as it has user info.  

With CAS5, we can do that, but with CAS4, that is not possible (the only alternative it to use secure channel to store/read TGT). 

Sounds right?

Yan

[Ray Bon]

Yan,

That sounds right. It has been a while since I used those versions of cas.

I know that with cas 6 there are properties for ticket encryption, and they have to be set.

What is preventing you from upgrading?

Is cas 5 still supported? What about the java versions and host OS, are they supported?

This older software is the type of place where unauthorized users can gain access.

If your management insists that data be encrypted, they should provide you with the resources to keep this software current. 

Upgrade and you will be able to meet the security policy requirements.

Remember, cas is THE point of security to all your apps.

Ray

[Yan Zhou]

thanks a lot for reply.

We have customized CAS flow and added additional flows. So, upgrading means to move all this over,  we are actually upgrading to CAS5 already.  

CAS5 does support encryption. I do not see we need to move to CAS6 to satisfy security requirements. 

CAS4 does not support encryption, so we have to use secure channel to protect communication (since we cannot encrypt data).

Please correct me If I missed anything. 

Thanks,

Yan