Government Online – White Paper Companion – Copyright © 2007 Credentica Inc. All Rights Reserved.


This presentation is animated. Press the “space bar” to go through the animation steps; wait until an animation finishes before pressing the “space bar” again. If you missed an animation step, simply press the “left-arrow” key to rewind the animation. Version 1.0, April 23, 2007.

Contents

Introduction
Part I – Leading Industry Solutions
  Federated identity management (SSO)
  Windows CardSpace (data sharing)
Part II – Credentica’s Technology
  Overview of ID Tokens
  Secure SSO
  Data sharing across unlinked accounts

Introduction

Goals of government online:
  Improve access to government services
  Reduce costs and improve productivity
  Improve participation in the democratic process

Current priorities:
  Single sign-on (SSO) to services
  Data sharing across governmental departments

Critical security and privacy requirements:
  Avoid unwanted tracing and linking powers
  Prevent denial-of-service attacks
  Prevent impersonation attacks
  Prevent user fraud

Part I – Leading Industry Solutions

Federated identity management (SSO)

With identity federation, services do not authenticate users themselves but delegate this step to a trusted authority that has already established authenticated relations with these users. Each service knows the user under a local identifier that may be different from the user’s identity at the authority. The user enjoys a single sign-on experience when visiting other services from the same federation in the same browsing session.

[Diagram: Alice, the Authority (with its accounts) and Services A, B and C (each with their own accounts). Exchange: Alice: “I’m Alice”; service to authority: “Who is this?”; authority to Alice: “Who are you?”; authority to service: “It’s Alice”; service: “Welcome”.]

Federated identity management (SSO)

In the context of government online, federated identity management has several shortcomings. Firstly, the government would have the capability to electronically link and trace all user actions in real time. Secondly, the authority can deny targeted citizens access to services by providing incorrect authentication assertions. Thirdly, the government would have the capability to impersonate targeted users.

[Diagram: the same federation with an Impersonator added. Labels: “Who is this?” / “I don’t know” (access denied to Alice); “Who is this?” / “It’s Alice” / “Welcome Alice” (impersonator admitted).]

Windows CardSpace (data sharing)

Windows CardSpace enables users to directly transfer claims from identity providers to relying parties. Identity providers authenticate users before issuing claims about them. The shortcomings of Windows CardSpace in the context of Government Online are almost identical to those of federated identity. In collusion with relying parties it is trivial to trace all presented claims to their issuance (either by comparing issuing and presentation times or by linking the provider’s signatures on the claims).

[Diagram: Alice, an Identity Provider (with accounts) and a Relying party (with accounts). Relying party: “Are you over 18?”; Alice to the identity provider: “I’m Alice. Please assert that I’m over 18”; provider: “Who is this?” / “It’s Alice” / “Over 18”; relying party: “Welcome”.]

Windows CardSpace (data sharing)

Fraudulent users can transfer (copies of) claims about themselves to other parties.

[Diagram: John is asked “Are you over 18?” (“No I’m not…”) and needs to assert that he is over 18. Labels: “I’m John. Please assert that I’m over 18”; “I’m Alice. Please assert that I’m over 18”; “It’s Alice”; “Over 18”; “Welcome”.]

Part II – Credentica’s Technology

Overview of ID Tokens

An ID Token is a cryptographically protected container of identity-related assertions that is issued to a user. An ID Token can contain any kind of attribute information that is bound to a key pair. The user presents the ID Token to a verifier, either in the same session (in the case of a transient ID Token) or later (in the case of a long-lived ID Token stored by the user).

Attribute information contained in one or more ID Tokens can be selectively disclosed in response to unanticipated requests from verifiers. ID Tokens cannot be forged or modified, cannot be stolen through eavesdropping or phishing, and cannot be replayed by legitimate verifiers. In contrast to conventional technologies, the use of an ID Token does not leak any information that others could exploit to link or trace user activities.

Issuers can cryptographically bind ID Tokens to trusted modules (such as smart cards or Trusted Computing chips) that can enforce third-party security policies throughout the entire life cycle of the ID Tokens. A single low-cost device can protect arbitrarily many ID Tokens.

Consult the U-Prove SDK white paper companion presentation to learn more about ID Tokens.

[Diagram: Alice between an Issuer and a Verifier.]

Secure SSO

In an enrollment phase, Alice’s computer obtains a batch of long-lived ID Tokens from a trusted authority. When Alice subsequently accesses and authenticates to a government service for the first time, her computer transmits a fresh ID Token to the service. Alice’s computer uses a different ID Token with each government service, and maintains a mapping of all of her ID Tokens to their corresponding services. The service associates the ID Token it receives from Alice with its account information on her (legacy authentication data plus the ID Token). In subsequent visits to a government service, Alice’s computer authenticates using the ID Token that the service has associated with her account.

[Diagram: Alice, the Authority’s Token Service and Services A, B and C (with their accounts). Service A’s account AliceS: Name: Alice Smith, DOB: 1973/08/24. Alice’s mapping table (Token ID – Service): a9e28b3c74 – Service A; 9b87f3c4dd2 – (unlinked); f88e37ba221 – (unlinked).]

Secure SSO

As a result, the authority and the services do not gain any correlation powers, neither through data flow analysis nor through timing analysis.

[Diagram: Service A’s account AliceS: Name: Alice Smith, DOB: 1973/08/24. Service B’s account ASmith: Address: 1010 Sherbrooke, Postal code: H3A 2R7. Alice’s mapping table (Token ID – Service): a9e28b3c74 – Service A; 9b87f3c4dd2 – Service B; f88e37ba221 – Service C.]

Data sharing across unlinked accounts

Government services can securely share data on Alice without needing to know her under a common identifier. To this end they package the data they hold about Alice into ID Tokens that they provide to Alice, protecting the data against any unauthorized manipulation.

[Diagram: Service C: “You need to be over 18 to access this service” / “Welcome”. Service A holds Name: Alice Smith, DOB: 1973/08/24 (AliceS); Service B holds Address: 1010 Sherbrooke, Postal code: H3A 2R7 (ASmith). Alice presents “Over 18” to Service C.]

Data sharing across unlinked accounts

To prevent timing correlations, Alice can obtain long-lived copies of her account data whenever she visits the services.

[Diagram: Alice holds a long-lived copy of her Service A data (Name, DOB) and of her Service B data (Address, Postal code).]

Data sharing across unlinked accounts

When Alice subsequently accesses a service that requires some information about her, she selectively discloses only the minimal assertion information needed from her long-lived copies.

[Diagram: Service C: “You must be over 18 and from Quebec to access this service.” From her long-lived copies (Service A: Name, DOB; Service B: Address, Postal code) Alice presents a proof (“18+”, derived from the DOB and postal code data) to Service C, which answers “Welcome”.]
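As an added illustration (not Credentica’s or U-Prove’s code), the data-sharing flow above modelled in Python: Services A and B package their account data into tokens built from salted hash commitments with an HMAC standing in for the issuer’s signature, Alice opens only the attributes Service C asks for, and Service C verifies them. It reveals the DOB attribute rather than a zero-knowledge “18+” proof, and assumes Quebec postal codes start with G, H or J; the keys, the token layout and the Service C policy function are constructed for this example.

```python
import hashlib, hmac, secrets
from datetime import date
def commit(name, value, salt):
    # Salted hash commitment to one attribute; hides the value until opened.
    return hashlib.sha256(f"{name}={value}|{salt}".encode()).hexdigest()

def issuer_tag(issuer_key, commits):
    # HMAC over all commitments: stand-in for the issuing service's signature.
    body = "|".join(f"{k}:{commits[k]}" for k in sorted(commits))
    return hmac.new(issuer_key, body.encode(), "sha256").hexdigest()

def issue_token(issuer_key, attrs):
    # A service packages its account data on Alice into a token it hands to her.
    salts = {k: secrets.token_hex(16) for k in attrs}
    commits = {k: commit(k, v, salts[k]) for k, v in attrs.items()}
    return {"attrs": attrs, "salts": salts, "commits": commits,
            "tag": issuer_tag(issuer_key, commits)}

def disclose(token, names):
    # User side: send all commitments and the tag, open only the requested attributes.
    return {"commits": token["commits"], "tag": token["tag"],
            "opened": {k: (token["attrs"][k], token["salts"][k]) for k in names}}

def verify(issuer_key, pres):
    # Verifier side: tag must match, and each opened value must match its commitment.
    if not hmac.compare_digest(issuer_tag(issuer_key, pres["commits"]), pres["tag"]):
        return None
    for k, (value, salt) in pres["opened"].items():
        if commit(k, value, salt) != pres["commits"].get(k):
            return None  # manipulated value, or an attribute the token never carried
    return {k: v for k, (v, _) in pres["opened"].items()}

def is_over_18(dob, today):
    y, m, d = (int(x) for x in dob.split("/"))  # deck's DOB format: YYYY/MM/DD
    return (today.year - 18, today.month, today.day) >= (y, m, d)

def service_c_check(key_a, key_b, pres_a, pres_b, today):
    # Service C's policy: over 18 (DOB from Service A's token) and from Quebec
    # (assumption: Quebec postal codes start with G, H or J; from Service B's token).
    a, b = verify(key_a, pres_a), verify(key_b, pres_b)
    if a is None or b is None or "DOB" not in a or "Postal code" not in b:
        return False
    return is_over_18(a["DOB"], today) and b["Postal code"][:1] in ("G", "H", "J")

# Constructed demo with the deck's sample account data; keys are placeholders.
KEY_A, KEY_B = b"service-a-issuer-key", b"service-b-issuer-key"
TOKEN_A = issue_token(KEY_A, {"Name": "Alice Smith", "DOB": "1973/08/24"})
TOKEN_B = issue_token(KEY_B, {"Address": "1010 Sherbrooke", "Postal code": "H3A 2R7"})
PRES_A, PRES_B = disclose(TOKEN_A, ["DOB"]), disclose(TOKEN_B, ["Postal code"])
DEMO_DATE = date(2007, 4, 23)  # the deck's version date
```

Service C never sees Alice’s name or street address, and a changed DOB, a changed postal code or a token from the wrong issuer fails verification.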

Credentica