OpenID & Information Card Profiles for ICAM John Bradley

Slides:

Advertisements

Similar presentations

Suchin Rengan Principal Technical Architect Salesforce.com

Advertisements

OGSA Security Profile 2.0 (a.k.a. Express Authentication Profile) DUANE MERRILL October 18, 2007.

AUTHENTICATION AND KEY DISTRIBUTION

Chapter 14 – Authentication Applications

NETWORK SECURITY.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13

DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13 Digital Signatures Authentication.

2010 OpenID UX Summit AOL Status & Plans George Fletcher Fady Semaan Joel Schnee.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

CP3397 ECommerce.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Cryptography and Network Security

Secure Socket Layer.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?

Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.

By: Ansuya Chauhan.

Experimental OpenID Service for DOEGrids Summer Student Program 2008 Jan Durand ESnet 08/06/08.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

1 Trust Framework Portable Identity Schemes Trust Framework Portable Identity Schemes NIH iTrust Forum December 10, 2009 Chris Louden.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Cryptography and Network Security Chapter 17

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

OpenID And the Future of Digital Identity Alicia Bozyk April 1, 2008.

Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.

Chapter 8 Web Security.

Web services security I

Troubleshooting Federation, AD FS 2.0, and More…

CSCI 6962: Server-side Design and Programming

Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)

IDENTITY MANAGEMENT Hoang Huu Hanh (PhD), OST – Hue University hanh-at-hueuni.edu.vn.

Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.

Remotely authenticating against the Service Framework.

SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.

Digital Certificates Made Easy Sam Lutgring Director of Informational Technology Services Calhoun Intermediate School District.

Identity Management Report By Jean Carreon and Marlon Gonzales.

SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)

Cross-Enterprise User Assertion IHE Educational Workshop 2007 Cross-Enterprise User Assertion IHE Educational Workshop 2007 John F. Moehrke GE Healthcare.

WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.

Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.

E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.

Network Security Essentials Chapter 5

Cryptography and Network Security (CS435) Part Fourteen (Web Security)

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

Web Security : Secure Socket Layer Secure Electronic Transaction.

Chapter 21 Distributed System Security Copyright © 2008.

Digital Envelopes, Secure Socket Layer and Digital Certificates By: Anthony and James.

X.509 Topics PGP S/MIME Kerberos. Directory Authentication Framework X.509 is part of the ISO X.500 directory standard. used by S/MIME, SSL, IPSec, and.

THE DEVIL IS IN THE (IMPLEMENTATION) DETAILS: AN EMPIRICAL ANALYSIS OF OAUTH SSO SYSTEMS SAN-TSAI SUN & KONSTANTIN BEZNOSOV PRESENTED BY: NAZISH KHAN COMPSCI.

SMUCSE 5349/7349 SSL/TLS. SMUCSE 5349/7349 Layers of Security.

Encryption protocols Monil Adhikari. What is SSL / TLS? Transport Layer Security protocol, ver 1.0 De facto standard for Internet security “The primary.

Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

User Authentication  fundamental security building block basis of access control & user accountability  is the process of verifying an identity claimed.

1 Certification Issue : how do we confidently know the public key of a given user? Authentication : a process for confirming or refuting a claim of identity.

Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

Security Hannes Tschofenig. Goal for this Meeting Use the next 2 hours to determine what the security consideration section of the OAuth draft(s) should.

Fall 2006CS 395: Computer Security1 Key Management.

Vijay V Vijayakumar.  Implementations  Server Side Security  Transmission Security  Client Side Security  ATM’s.

Secure Sockets Layer (SSL)

Electronic Payment Security Technologies

Presentation transcript:

openID & Information Card Profiles for ICAM John Bradley

Information Card (IMI) IMI 1.0 is an OASIS Standard Profile of WS-Federation Requires a browser extension Profile for LoA _Profile.pdf 10_Profile.pdf

openID openID 2.0 is a openID Foindation (OIDF) spec openID discovery XRDS is a OASIS XRI-TC spec Profile for LoA 1 nID20Profile.pdf nID20Profile.pdf

Authentication Process Attacks/Threats Threat Resistance Requirements Level 1 Level 2 Level 3 Level 4 Session hijacking NoYesYesYes EavesdroppingNoYesYesYes Phishing/pharming(verifier impersonation) NoNoYesYes Man in the middle NoWeakWeakStrong Denial of service/flooding NoNoNoNo

Out of Scope Verification of assertion attributes

IMI Profile Token type SAML 1.1 (SAML 2.0 and Zero Knowledge will be added later) IdP issued tokens only. (Self issued p-card tokens will be a separate profile) Audience Restriction RP must be a SSL protected endpoint The SAML token is audience restricted and encrypted with the public key of the RP by the issuer.

Private Personal Identifier er er LoA Claims Card Authentication Username/PasswordX.509 Personal Card Kerberos token

OpenID Profile mitigations Assertion reuse Assertions include a timestamp and a nonce which is checked by the RP. The RP keeps track of assertions that were consumed Assertion manufacture/modification IdPs digitally sign assertion, or assertion is transmitted over TLS/SSL where the RP authenticates the IdP via a HMAC shared secret. Assertion redirect The signed assertion includes the identity (return_to) of the RP for whom it was generated, and the RP verifies it.

Identifiers Must be Pair-wise Pseudonymous by RP The pseudonym is used to identify the user to the RP in a way that protects the user's privacy by preventing correlation among RPs. The RP is identified by its realm. Must use Directed identity.

Associations Must be over SSL Should be HMAC-SHA256 The IdP shall expire associations older than 24h The IdP shall not reuse associations between RPs The RP must key association handles by IdP

OpenID Provider Authentication Policy (PAPE) Authentication Policies Used by RPs to request aspects of a profile ms/privatepersonalidentifier ms/privatepersonalidentifier Maximum Authentication Age Used to guarantee a fresh interactive login.

Relying Party Discovery The RP MUST publish an eXtensible Resource Descriptor Sequence (XRDS) discovery document for its realm per [OpenID 2.0] Section 13. The XRDS MUST be published at the URL matching the realm. The URI for the XRDS document that is discovered via Yadis MUST have an https: scheme. The IdP MUST perform RP discovery and return_to validation per [OpenID 2.0] Section If return_to validation fails, the IdP MUST return an error, or the IdP MAY present an error message and discontinue the OpenID authentication process.

Assertion Verification The RP MUST verify that all of the following fields (without the "openid." prefix prepended) are included in the IdP signature: op_endpoint, return_to, response_nonce, assoc_handle, claimed_id, and identity. All OpenID extensions MUST be signed by the IdP. The RP MUST check the openid.response_nonce to make sure that an assertion from the IdP with this nonce has not already been used. It is RECOMMENDED that the RP set a restriction on the amount of elapsed time from the timestamp in the nonce until receipt. The RP MUST check the return_to value in the assertion to verify that the assertion was produced for the RP.

Assertion Verification The openid.identity and openid.claimed_id MUST be the same with the exception of a fragment that may be appended to the openid.claimed_id. The RP MAY use "Direct Verification" to validate the assertion when: 1. The IdP includes an openid.invalidate_handle indicating that the association has expired. 2. The IdP sends an unsolicited assertion

Security Considerations TLS/SSLv3 MUST be used at all endpoints, discovery redirects, and the URI of the XRDS document. The RP SHOULD negotiate a cipher suite that includes either Triple Data Encryption Standard (3DES) or Advanced Encryption Standard (AES) during the SSL/TSL handshake. NIST encourages use of the faster and stronger AES algorithm. The RP MUST verify that the IdP is authorized LOA 1 IdP through verification of URL endpoints and server certificates during discovery and Direct Communication (see [OpenID 2.0] Section 5.1). During Direct Communication, the RP MUST check the revocation status of the IdP server certificate.

Security Considerations The RP and IdP SHOULD employ frame busting techniques to avoid possible eavesdropping by a third-party web site, and cross site request forgery. The RP MUST reject any assertion where openid.ns is other than

Questions?

openID history May 2005 invented by Brad Fitzpatric at SixApart (LiveJournal) Oct 2005 XRDS March 2006 Simple Registration 1.0 (JainRain) May 2006 openID 1.1 Dec 2007 openID 2.0 and Atribute Exchange 1.0

openID Providers GoogleYahooAOLMySpacePayPalJanRain Orange (France Telecom) Facebook (soon)

openID Relying Partys FaceBook MapQuest (AOL) Plaxo Blogger (Google) TypePad (Six Apart)