Federated Identity and Single Sign-On
Prof. Ravi Sandhu, Executive Director and Endowed Chair
February 15,
CS 6393 Lecture 5
© Ravi Sandhu. World-Leading Research with Real-World Impact!
The Web Today

Client <-> RP1, RP2, RP3 (Relying Parties / Service Providers)

Client-to-RP authentication: User ID, Password, plus maybe:
- Personalized image
- Cookie
- Knowledge-based authentication
- One-time password
- Encrypted channel

Weak RP-to-client authentication: susceptible to RP spoofing and man-in-the-middle.

Each RP holds a key pair (Private Key, Public Key):
- Signature: done by Private Key, verified by Public Key
- Encryption: done by Public Key, decrypted by Private Key
The Web Today: How to get a public key?

Digital Certificates. Fields: VERSION, SERIAL NUMBER, SIGNATURE ALGORITHM, ISSUER, VALIDITY, SUBJECT, SUBJECT PUBLIC KEY INFO, SIGNATURE.
- Guarantees authentication and integrity
- But how does one verify this signature? Need another Public Key.
- PKI: Public Key Infrastructure
The Web Today: Multi-rooted Certificate Hierarchy

[Figure: tree of several root certificates, each with intermediate and leaf certificates beneath it]
- Root certificates are weakly protected in today’s browsers
The PKI Vision (1980s Onwards)

Client <-> RP1, RP2, RP3 (Relying Parties / Service Providers); the client and each RP hold a key pair (Private Key, Public Key).
- Eliminates man-in-the-middle in the network
- Remains vulnerable to man-in-the-browser and man-in-the-PC
The PKI Vision (1980s Onwards)

[Figure, two panels: a man-in-the-middle (MITM) sits between Client and RP. The RP has its own key pair chaining to RP’s Root; the MITM has its own key pair chaining to MITM’s Root. Left panel: the client authenticates to the RP with User ID, Password. Right panel: the client has its own Private Key / Public Key pair.]
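The three preceding slides (certificate fields, the multi-rooted hierarchy with weakly protected roots, and the MITM with its own root) describe a chain-of-trust check without showing one. The following is an added example, not code from the lecture: a toy verifier that walks a chain leaf-to-root, checks validity dates and issuer names, verifies each signature with the next certificate's public key, and ends at a root held in a trust store. Textbook RSA over fixed Mersenne primes is a constructed stand-in for a real signature algorithm, and all names (RP Root CA, MITM Root, rp.example) are constructed for the scenario.

```python
"""Toy X.509-style chain verification (added example, not from the lecture).

Each certificate carries issuer, validity, subject and subject public key and is
signed by the issuer's private key; checking that signature needs the issuer's
public key, which comes from the next certificate up the chain until a root in
the verifier's trust store. Textbook RSA over fixed Mersenne primes is a
constructed stand-in for a real signature scheme: it shows the chain logic only.
"""
import hashlib
import itertools
import json
import time

E = 65537
# Exponents of known Mersenne primes 2^k - 1, paired off to build toy key pairs.
MERSENNE = [31, 61, 89, 107, 127, 521, 607, 1279, 2203, 2281]
_pairs = iter(zip(MERSENNE[0::2], MERSENNE[1::2]))
_serial = itertools.count(1)

def make_keypair():
    """Return ((n, e), (n, d)) built from the next unused pair of Mersenne primes."""
    a, b = next(_pairs)
    p, q = (1 << a) - 1, (1 << b) - 1
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

def tbs(cert):
    """The to-be-signed bytes: every field except the signature itself."""
    return json.dumps({k: v for k, v in cert.items() if k != "signature"}, sort_keys=True).encode()

def issue(issuer, issuer_priv, subject, subject_pub, days=365):
    """Build a certificate with the slide's fields and sign it with the issuer's private key."""
    now = int(time.time())
    cert = {"version": 3, "serial": next(_serial), "sig_alg": "toy-rsa-sha256",
            "issuer": issuer, "subject": subject, "public_key": list(subject_pub),
            "not_before": now - 60, "not_after": now + days * 86400}
    cert["signature"] = sign(issuer_priv, tbs(cert))
    return cert

def verify_chain(chain, trust_store, now=None):
    """chain[0] is the leaf; each cert is checked with the next cert's key, and the
    last one with a root public key looked up by issuer name in trust_store."""
    now = now or int(time.time())
    for i, cert in enumerate(chain):
        if not cert["not_before"] <= now <= cert["not_after"]:
            return False, f"{cert['subject']}: outside validity period"
        if i + 1 < len(chain):
            parent = chain[i + 1]
            if parent["subject"] != cert["issuer"]:
                return False, f"{cert['subject']}: issuer name does not match next cert"
            issuer_pub = tuple(parent["public_key"])
        else:
            issuer_pub = trust_store.get(cert["issuer"])
            if issuer_pub is None:
                return False, f"{cert['subject']}: no trusted root named {cert['issuer']}"
        if not verify(issuer_pub, tbs(cert), cert["signature"]):
            return False, f"{cert['subject']}: signature does not verify"
    return True, "chain verifies"

def demo():
    """Constructed scenario mirroring the slides' MITM-with-its-own-root picture."""
    rp_root_pub, rp_root_priv = make_keypair()
    rp_int_pub, rp_int_priv = make_keypair()
    rp_pub, _ = make_keypair()
    mitm_root_pub, mitm_root_priv = make_keypair()
    mitm_pub, _ = make_keypair()
    rp_int = issue("RP Root CA", rp_root_priv, "RP Intermediate CA", rp_int_pub)
    rp_leaf = issue("RP Intermediate CA", rp_int_priv, "rp.example", rp_pub)
    # Impostor certificate for the same name, signed by a root the client should not trust.
    mitm_leaf = issue("MITM Root", mitm_root_priv, "rp.example", mitm_pub)
    store = {"RP Root CA": rp_root_pub}
    return {
        "genuine_chain": verify_chain([rp_leaf, rp_int], store)[0],
        "mitm_cert_clean_store": verify_chain([mitm_leaf], store)[0],
        # The slide's warning in code: once a rogue root is in the store, the MITM cert passes.
        "mitm_cert_rogue_root_added": verify_chain([mitm_leaf], {**store, "MITM Root": mitm_root_pub})[0],
        "swapped_public_key": verify_chain([dict(rp_leaf, public_key=list(mitm_pub)), rp_int], store)[0],
        "expired_leaf": verify_chain([rp_leaf, rp_int], store, now=rp_leaf["not_after"] + 1)[0],
    }

if __name__ == "__main__":
    print(demo())
```

The only step that turns the whole check from "fails" to "passes" is the single dictionary entry added to the trust store, which is why the slide singles out root-store protection: every other defense (validity dates, name matching, signature binding of the public key) holds as long as the root set is what the user intended.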
The PKI Vision (1980s Onwards)

Client <-> RP1, RP2, RP3 (Relying Parties / Service Providers), each party with a key pair (Private Key, Public Key). Where private keys are stored and used:
- Store and use in well-protected server hardware security module (HSM)
- Store as password-protected and use in insecure PC
- Store and use in smartcard
- Store and use in Trusted Platform Module (TPM)
The PKI Vision (1980s Onwards)
- One authenticator for each client
- Protected by one or more additional factors
- Usable by every RP who trusts the client’s root
- Built-in, out-of-the-box Single Sign-On (SSO)
- Massive expense by US DoD on Common Access Card
Kerberos SSO (1980’s onward): Symmetric Key Technology

1. Client c -> Kerberos (Kerberos also acts as the TGS)
2. Kerberos -> Client: {T_c,tgs, K_c,tgs} K_c

- Client password -> client symmetric key K_c
- Kerberos holds the stored client symmetric key K_c
Kerberos SSO (1980’s onward): Symmetric Key Technology
- Client -> TGS: T_c,tgs, A_c,tgs, s
- TGS -> Client: {T_c,s, K_c,s} K_c,tgs
- Client -> Server: T_c,s, A_c,s
Kerberos SSO (1980’s onward): Inter-realm

Kerberos Realm 1 (client) <-> Kerberos Realm 2 (server); the realms are linked by a shared symmetric key or by public-private keys.
Kerberos SSO (1980’s onward)
- Successful in Enterprise SSO
- Scales to 10’s or 100’s of thousands of users
- Microsoft Active Directory login is based on Kerberos
- Inter-realm rarely deployed
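The Kerberos slides give the three exchanges (AS, TGS, application server) in message notation only. The following is an added example, not code from the lecture, that runs the flow end to end with the slides' names (T_c,tgs, K_c,tgs, A_c,tgs, T_c,s, K_c,s, A_c,s). The symmetric "encryption" is a constructed toy (SHA-256 keystream plus HMAC tag) standing in for real Kerberos enctypes, the user name, password and service name are constructed, and the 300-second skew limit is an assumption; what the code shows is which party holds which key and why a wrong password, a forged authenticator or a stale one fails at the right place.

```python
"""Toy Kerberos-style SSO flow (added example, not from the lecture).

Models the three exchanges on the slides with the slides' names:
  AS exchange : client c -> KDC ; KDC -> c : {T_c,tgs, K_c,tgs} K_c
  TGS exchange: c -> TGS : T_c,tgs, A_c,tgs, s ; TGS -> c : {T_c,s, K_c,s} K_c,tgs
  AP exchange : c -> server s : T_c,s, A_c,s
The symmetric "encryption" is a constructed toy (SHA-256 keystream plus an
HMAC tag) standing in for Kerberos enctypes; the point is who holds which key.
"""
import hashlib
import hmac
import json
import os
import time

MAX_SKEW = 300  # seconds an authenticator timestamp may be off (assumed clock-skew rule)

def _keystream(key, nonce, length):
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:length]

def seal(key, obj):
    """Encrypt-then-MAC a JSON message under a symmetric key (toy cipher)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Check the tag, then decrypt; a wrong key (e.g. a wrong password) fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def derive_user_key(password):
    """Slide: client password -> client symmetric key K_c (toy KDF with a fixed salt)."""
    return hashlib.sha256(b"toy-realm-salt" + password.encode()).digest()

def _ticket(service_key, client, service, session_key):
    """T_c,x = {c, x, K_c,x, issue time} sealed under the service's long-term key."""
    return seal(service_key, {"client": client, "service": service,
                              "key": session_key.hex(), "issued": time.time()})

def _check_authenticator(ticket_body, authenticator):
    """Open A_c,x with the session key carried inside the ticket; names and time must match."""
    a = unseal(bytes.fromhex(ticket_body["key"]), authenticator)
    if a["client"] != ticket_body["client"] or abs(time.time() - a["time"]) > MAX_SKEW:
        raise ValueError("authenticator does not match ticket or is stale")

class KDC:
    """Holds the long-term keys: K_c derived from each user's password, K_tgs, one key per server."""
    def __init__(self, users, services):
        self.keys = {u: derive_user_key(pw) for u, pw in users.items()}
        self.keys["tgs"] = os.urandom(32)
        self.keys.update({s: os.urandom(32) for s in services})

    def as_exchange(self, c):
        """AS reply: {T_c,tgs, K_c,tgs} K_c; only a holder of K_c can open it."""
        k_c_tgs = os.urandom(32)
        tgt = _ticket(self.keys["tgs"], c, "tgs", k_c_tgs)
        return seal(self.keys[c], {"ticket": tgt.hex(), "key": k_c_tgs.hex()})

    def tgs_exchange(self, tgt, authenticator, s):
        """TGS reply: {T_c,s, K_c,s} K_c,tgs after opening T_c,tgs with K_tgs and checking A_c,tgs."""
        body = unseal(self.keys["tgs"], tgt)
        _check_authenticator(body, authenticator)
        k_c_s = os.urandom(32)
        st = _ticket(self.keys[s], body["client"], s, k_c_s)
        return seal(bytes.fromhex(body["key"]), {"ticket": st.hex(), "key": k_c_s.hex()})

def server_accept(k_s, ticket, authenticator):
    """Application server: needs only its own key K_s, never the user's password."""
    body = unseal(k_s, ticket)
    _check_authenticator(body, authenticator)
    return body["client"]

def sso_login(kdc, c, password, s):
    """The full flow as the client runs it; returns the identity the server accepted."""
    k_c = derive_user_key(password)
    r1 = unseal(k_c, kdc.as_exchange(c))
    tgt, k_c_tgs = bytes.fromhex(r1["ticket"]), bytes.fromhex(r1["key"])
    a_c_tgs = seal(k_c_tgs, {"client": c, "time": time.time()})
    r2 = unseal(k_c_tgs, kdc.tgs_exchange(tgt, a_c_tgs, s))
    t_c_s, k_c_s = bytes.fromhex(r2["ticket"]), bytes.fromhex(r2["key"])
    a_c_s = seal(k_c_s, {"client": c, "time": time.time()})
    return server_accept(kdc.keys[s], t_c_s, a_c_s)  # the server's own copy of K_s

if __name__ == "__main__":
    kdc = KDC({"alice": "correct horse"}, ["fileserver"])
    print(sso_login(kdc, "alice", "correct horse", "fileserver"))
```

The password is used exactly once, to open the AS reply; every later step runs on short-lived session keys, which is the single-sign-on property the slide is getting at. The application server never sees K_c or K_c,tgs, only the ticket sealed under its own K_s, so a compromised server learns nothing that lets it impersonate the user elsewhere.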
Microsoft SSO (1990’s): Failed

Microsoft Infocard Identity Ecosystem (2000’s): Failed

Liberty Alliance (2000’s): Failed

OpenID (2000’s): Failing

NSTIC (2010’s)