Federated Identity and Single-Sign On. Prof. Ravi Sandhu, Executive Director and Endowed Chair. February 15, 2013

Slide 1: Federated Identity and Single-Sign On. Prof. Ravi Sandhu, Executive Director and Endowed Chair. February 15, 2013. CS 6393 Lecture 5. © Ravi Sandhu. World-Leading Research with Real-World Impact!

Slide 2: The Web Today
Diagram: a Client talking to relying parties RP1, RP2, RP3 (Relying Parties = Service Providers).
- User ID, Password + maybe: personalized image, cookie, knowledge based authentication, one-time password, encrypted channel
- Weak RP to client authentication
- Susceptible to RP spoofing and man-in-the-middle

Slide 3: The Web Today
Diagram: the same Client and relying parties RP1, RP2, RP3 as slide 2, with each RP now holding a Private Key / Public Key pair.
- Signature: done by Private Key, verified by Public Key
- Encryption: done by Public Key, decrypted by Private Key

Slide 4: The Web Today
Diagram: digital certificate fields: VERSION, SERIAL NUMBER, SIGNATURE ALGORITHM, ISSUER, VALIDITY, SUBJECT, SUBJECT PUBLIC KEY INFO, SIGNATURE.
- How to get a public key? Digital Certificates
- Guarantees authentication and integrity
- But how does one verify this signature? Need another Public Key
- PKI: Public Key Infrastructure

Slide 5: The Web Today
Diagram: Multi-rooted Certificate Hierarchy (several certificate trees, each under its own root; node labels not recoverable).
- Root certificates are weakly protected in today's browsers

Slide 6: The PKI Vision (1980s Onwards)
Diagram: Client and relying parties RP1, RP2, RP3 (Service Providers), every party including the Client holding a Private Key / Public Key pair.
- Eliminates man-in-the-middle in the network.
- Remains vulnerable to man-in-the-browser and man-in-the-PC

Slide 7: The PKI Vision (1980s Onwards)
Diagram (left): Client, Man-in-the-middle (MITM), RP. The RP holds its Private Key / Public Key pair under RP's Root; the MITM holds its own Private Key / Public Key pair under MITM's Root; the client authenticates to the far end with User ID, Password.
Diagram (right): the same Client, MITM, RP arrangement, except that the Client now holds a Client's Private Key / Public Key pair instead of presenting a password.

Slide 8: The PKI Vision (1980s Onwards)
Diagram: Client and relying parties RP1, RP2, RP3 (Service Providers), each with a Private Key / Public Key pair. Where a private key is stored and used:
- Store and use in well protected server hardware security module (HSM)
- Store as password protected and use in insecure PC
- Store and use in smartcard
- Store and use in Trusted Platform Module (TPM)

Slide 9: The PKI Vision (1980s Onwards)
- One authenticator for each client
- Protected by one or more additional factors
- Usable by every RP who trusts the client's root
- Built-in out-of-the-box Single Sign-On (SSO)
- Massive expense by US DoD on Common Access Card

Slide 10: Kerberos SSO (1980s onward)
Symmetric Key Technology
Diagram: Client c and the Kerberos server (which is also the TGS).
- Message 1 (client to Kerberos): c
- Message 2 (Kerberos to client): {T_c,tgs, K_c,tgs} K_c
- Client side: client password -> client symmetric key K_c
- Kerberos side: stored client symmetric key K_c

Slide 11: Kerberos SSO (1980s onward)
Symmetric Key Technology
Diagram: Client, TGS, Server.
- Client to TGS: T_c,tgs, A_c,tgs, s
- TGS to Client: {T_c,s, K_c,s} K_c,tgs
- Client to Server: T_c,s, A_c,s
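
The three exchanges on slides 10 and 11 (client to Kerberos, client to TGS, client to server), run end to end in the slide's notation as an added example; this is editor's code, not the slides' own or any real Kerberos implementation. Assumptions: a toy HMAC-based encrypt-then-MAC stands in for a Kerberos enctype, PBKDF2 stands in for string-to-key, tickets and authenticators are JSON, and the principals alice, tgs, mail and files are constructed.

```python
import hashlib, hmac, json, os, time

def string_to_key(password, salt):
    # Slide 10: client password -> client symmetric key Kc (PBKDF2 is an assumption standing in for string-to-key)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)
def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range((n + 31) // 32))[:n]
def seal(key, obj):
    # {obj}key in the slide notation: toy encrypt-then-MAC, an assumption standing in for a real Kerberos enctype
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("does not decrypt under this key")  # wrong password, or a ticket made without the key
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))
def _ticket(key, c, session):  # T = {c, session key, expiry} sealed under the recipient's long-term key
    return seal(key, {"c": c, "key": session, "exp": time.time() + 600})
def _check(ticket, authenticator):  # A must decrypt under the ticket's session key and name the same client
    a = unseal(bytes.fromhex(ticket["key"]), authenticator)
    if a["c"] != ticket["c"] or ticket["exp"] < time.time():
        raise PermissionError("authenticator does not match ticket")

class KDC:  # the Kerberos server, which is also the TGS (slide 10); stores every principal's long-term key, Kc included
    def __init__(self, keys): self.keys = keys
    def as_exchange(self, c):  # message 1: c  ->  message 2: {Tc,tgs, Kc,tgs}Kc
        k_c_tgs = os.urandom(32).hex()
        return seal(self.keys[c], {"ticket": _ticket(self.keys["tgs"], c, k_c_tgs).hex(), "key": k_c_tgs})
    def tgs_exchange(self, t_c_tgs, a_c_tgs, s):  # Tc,tgs, Ac,tgs, s  ->  {Tc,s, Kc,s}Kc,tgs
        t = unseal(self.keys["tgs"], t_c_tgs); _check(t, a_c_tgs)
        k_c_s = os.urandom(32).hex()
        return seal(bytes.fromhex(t["key"]), {"ticket": _ticket(self.keys[s], t["c"], k_c_s).hex(), "key": k_c_s})
def server_accept(k_s, t_c_s, a_c_s):  # server s receives Tc,s, Ac,s and learns which client it is talking to
    t = unseal(k_s, t_c_s); _check(t, a_c_s)
    return t["c"]
def sso_login(kdc, c, password, salt, services):
    # Client side: Kc is used exactly once, in the first exchange; every service after that is reached with tickets (SSO)
    rep = unseal(string_to_key(password, salt), kdc.as_exchange(c))
    t_c_tgs, k_c_tgs, who = bytes.fromhex(rep["ticket"]), bytes.fromhex(rep["key"]), {}
    for s in services:
        srep = unseal(k_c_tgs, kdc.tgs_exchange(t_c_tgs, seal(k_c_tgs, {"c": c, "t": time.time()}), s))
        a_c_s = seal(bytes.fromhex(srep["key"]), {"c": c, "t": time.time()})
        who[s] = server_accept(kdc.keys[s], bytes.fromhex(srep["ticket"]), a_c_s)
    return who
def demo(password="correct horse"):
    # Constructed realm with principals alice, tgs, mail, files (assumed names); returns who each service authenticated
    kdc = KDC({"alice": string_to_key("correct horse", "REALM1alice"), "tgs": os.urandom(32),
               "mail": os.urandom(32), "files": os.urandom(32)})
    return sso_login(kdc, "alice", password, "REALM1alice", ["mail", "files"])
```

demo() returns {'mail': 'alice', 'files': 'alice'} after a single password entry; demo("wrong password") fails in the very first exchange with ValueError, because message 2 only decrypts under the Kc derived from the right password and the TGS is never reached.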

Slide 12: Kerberos SSO (1980s onward)
Diagram: Kerberos Realm 1 and Kerberos Realm 2. The inter-realm link is labelled "shared symmetric key" and "public-private keys"; a client in one realm reaches a server in the other.

Slide 13: Kerberos SSO (1980s onward)
- Successful in Enterprise SSO
- Scales to 10's or 100's of thousands of users
- Microsoft Active Directory login is based on Kerberos
- Inter-realm rarely deployed

Slide 14: Microsoft SSO (1990s). Failed

Slide 15: Microsoft Infocard Identity Ecosystem (2000s). Failed

Slide 16: Liberty Alliance (2000s). Failed

Slide 17: OpenID (2000s). Failing

Slide 18: NSTIC (2010s)