Christian Paquin, May 1st, 2007. Identity Management Techniques – CFP 2007 Tutorial – Copyright © 2007 Credentica Inc. All Rights Reserved.

Contents
1. Identity and access management
2. Centralized I&AM
3. Federated I&AM
4. User-centric I&AM
5. Building in privacy

Part I: Identity & Access Management

Identity & access management (I&AM)
- What is identity & access management
  - Who is a user (identity)
  - What can a user do (roles, claims, assertions, credentials)
  - Management of the life-cycle of identity information (expiration, revocation)
- Goals of I&AM
  - Improve access to online services (usability)
  - Reduce costs and improve productivity
  - Connect more and more systems
- Actors
  - User (a.k.a. subject)
  - Identity provider (a.k.a. issuer, authority)
  - Service provider (a.k.a. relying party, verifier)

Use-case: single sign-on (SSO)
- User authenticates once to access various independent services in one session
[Diagram: Alice, an Authority with its own accounts, and Services A, B and C, each with its own accounts.]

Use-case: data sharing
- Different independent services can exchange data about a user
[Diagram: Alice, an Authority with its own accounts, and Services A, B and C, each with its own accounts.]

Security & privacy requirements
- Avoid unwanted tracing and linking powers (user profiling)
  - By the central party, the services, or both! (collusion)
- Prevent denial-of-service attacks
  - Avoid bottlenecks: one server down => system down
- Prevent impersonation attacks (identity theft)
  - By virus, hacker, insider (admin), another user
- Prevent user fraud
  - Credential transfer (lending, pooling), discarding

Laws of identity (Cameron & Cavoukian)
1. User Control and Consent
2. Minimal Disclosure
3. Justifiable Parties
4. Directed Identity
5. Pluralism of Operators & Technologies
6. Human Integration
7. Consistent Experience across Contexts
See
Similar to the Fair Information Principles

Part II: Centralized I&AM

What is centralized I&AM
- Identity and authorization data is stored and managed by a central authority
- Services query the central authority to make access decisions or to learn attributes
- Pros: simple to deploy and administer in a closed environment
- Cons: security and privacy problems in a cross-domain, multi-jurisdiction setting
- Good for enterprise I&AM (for internal employees) or within a single domain (e.g. a bank with its customers)

Enterprise I&AM
- I&AM in an enterprise to manage the identity of its employees
- One server (directory) holds the identity data
  - E.g. LDAP, Kerberos (KDC), and many more
- What happens when the enterprise's boundaries get fuzzy?
  - External employees
  - Partners
  - Contractors

Use-case: Microsoft Passport
- Authentication and data held by Microsoft's server
- Good for Microsoft's services (e.g. Hotmail), but not for 3rd parties (e.g. eBay)
[Diagram: Alice, Passport (accounts), Service A and Service B.]

Part III: Federated I&AM

What is federated I&AM
- Virtual unification of identity systems
- Central authority facilitates (in the federation)
  - authentication and access to the services
  - data exchanges between the services
- Many standards: SAML, Liberty Alliance, WS-Federation, Shibboleth
  - Liberty Alliance: consortium of organizations that develops interoperable I&AM specifications (many use cases)
- Pros
  - Bridge between the identity silos
  - Simplicity for services
- Cons
  - Central authority sees a lot of information
  - One secret lost => identity theft across the federation

Federated identity management (SSO)
[Diagram: Alice, the Authority and Services A, B and C, each with their own accounts. Message labels: "I'm Alice", "Who is this?", "Who are you?", "It's Alice", "Welcome", then a second "Who is this?" / "It's Alice" / "Welcome". The Authority authenticates Alice once and then vouches for her to each service that asks who she is.]

Federated identity management (SSO), with an impersonator
[Diagram: the same parties plus an Impersonator. Message labels: "Who is this?", "I don't know", "Who is this?", "It's Alice", "Welcome", "Welcome Alice". Illustrates the "one secret lost" point: an impersonator the Authority accepts as Alice is welcomed as Alice by every service in the federation.]

Use-case: Secure Channel
[Diagram: Government of Canada Secure Channel architecture. Labelled components: Internet, Citizen, SCNet, Department, Public web server, PID/MBUN table, SC protected contents, Secure Channel epass storage, Gateway, Session management, Log in / registration, MBUN (Meaningless But Unique Number).]

Secure Channel SSO (1)
[Diagram: the Citizen fills in a login form (User ID "chrisp", password) at the Department; the Department and Secure Channel are linked through the MBUN.]

Secure Channel SSO (2)
[Diagram: the Citizen fills in a login form (User ID "cpaquin", password) at Secure Channel; the MBUN links the Secure Channel session to the Department.]

Part IV: User-Centric I&AM

What is user-centric I&AM
- Recent umbrella term for many identity systems/technologies, aiming to
  - respect the laws of identity
  - build on open standards to create an identity meta-system
- User is in control of the identity data flow
  - Either initiates or participates in data exchanges
[Diagram: Alice between an Identity Provider (accounts) and Services A and B.]

Windows CardSpace
- Microsoft's system, released with Vista
- Built on top of the identity meta-system
- Identity "claims" packaged as identity cards (InfoCards) managed by the user
  - Managed card: issued by a trusted party
  - Self-issued card: created by the user, to replace username/password and form fillers
- Actual data is stored at identity providers (claim tokens are retrieved as needed)

Windows CardSpace (data sharing)
[Diagram: Alice, a Relying party (accounts) and an Identity Provider (accounts). Message labels: "Are you over 18?" (relying party to Alice), "I'm Alice. Please assert that I'm over 18" (Alice to identity provider), "Who is this?", "It's Alice", "Over 18" (the claim token), "Welcome".]

Windows CardSpace (data sharing), second scenario with John
[Diagram: Alice, John, a Relying party (accounts) and an Identity Provider (accounts). Message labels: "Are you over 18?", "I need to assert that I'm over 18", "I'm John. Please assert that I'm over 18", "No I'm not…", "Over 18", "It's Alice", "Welcome".]

OpenID
- An open, decentralized, free framework for user-centric digital identity
- For authentication
  - Everyone has an identifier (e.g. a URL)
  - You prove ownership of the URL
- To log in:
  - User types her identifier
  - Service redirects the user to the OpenID provider
  - OpenID provider authenticates the user
- Pros: simple, free, open
  - Step up from username/password
- Cons
  - Low security: trivial phishing => identity theft across all services
  - Community works on a new version to address security vulnerabilities

OpenID protocol
1. User is presented with an OpenID login form by the Consumer.
2. User responds with the URL that represents their OpenID.
3. Consumer canonicalizes the OpenID URL and uses the canonical version to request (GET) a document from the Identity Server.
4. Identity Server returns the HTML document named by the OpenID URL.
5. Consumer inspects the HTML document header for tags with the attribute rel set to openid.server and, optionally, openid.delegate. The Consumer uses the values in these tags to construct a URL with mode checkid_setup for the Identity Server and redirects the User Agent. This checkid_setup URL encodes, among other things, a URL to return to in case of success and one to return to in the case of failure or cancellation of the request.
6. The OpenID Server returns a login screen.
7. User sends (POST) a login ID and password to the OpenID Server.
8. OpenID Server returns a trust form asking the User if they want to trust the Consumer (identified by URL) with their Identity.
9. User POSTs the response to the OpenID Server.
10. User is redirected to either the success URL or the failure URL returned in (5), depending on the User's response.
11. Consumer returns the appropriate page to the User depending on the action encoded in the URL in (10).
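The Consumer's side of steps 2 to 5 above, as an added example that is not part of the tutorial: it canonicalizes the typed identifier, parses the identity page for the openid.server and openid.delegate link tags, builds the checkid_setup redirect, and also shows the return_to/trust_root check an Identity Server makes before sending the user back in step 10. The identity page, the host names and the URLs are constructed for the example, and the HTTP GET of step 3 is replaced by a stub.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed identity page at the user's OpenID URL (hypothetical hosts).
SAMPLE_IDENTITY_PAGE = """<html><head>
<link rel="openid.server" href="https://idp.example.net/openid/server">
<link rel="openid.delegate" href="https://idp.example.net/users/alice">
<title>Alice</title></head><body>Alice's page</body></html>"""


def canonicalize(identifier: str) -> str:
    """Step 3 (simplified rules): add http:// when no scheme was typed,
    lower-case scheme and host, use "/" for an empty path, drop fragments."""
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident
    scheme, netloc, path, query, _fragment = urlsplit(ident)
    return urlunsplit((scheme.lower(), netloc.lower(), path or "/", query, ""))


class _LinkFinder(HTMLParser):
    """Collects <link rel=... href=...> tags from the page (step 5)."""

    def __init__(self) -> None:
        super().__init__()
        self.links: dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = dict(attrs)
        rel, href = attr.get("rel"), attr.get("href")
        if rel and href:
            for r in rel.lower().split():
                self.links.setdefault(r, href)


def discover(page_html: str) -> dict:
    """Step 5: locate the identity server and the optional delegate URL."""
    finder = _LinkFinder()
    finder.feed(page_html)
    server = finder.links.get("openid.server")
    if server is None:
        raise ValueError("identity page carries no openid.server link")
    return {"server": server, "delegate": finder.links.get("openid.delegate")}


def checkid_setup_url(canonical_id, discovered, return_to, trust_root) -> str:
    """Step 5 continued: the redirect to the identity server. The asserted
    identity is the delegate URL when present, else the canonical URL."""
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": discovered["delegate"] or canonical_id,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    sep = "&" if "?" in discovered["server"] else "?"
    return discovered["server"] + sep + urlencode(params)


def return_to_within_trust_root(return_to: str, trust_root: str) -> bool:
    """Identity-server side check before step 10: return_to must descend
    from trust_root (same scheme, matching host, path prefix); a leading
    "*." in the trust_root host is a wildcard, as in OpenID 1.1."""
    r, t = urlsplit(return_to), urlsplit(trust_root)
    if r.scheme != t.scheme or r.hostname is None or t.hostname is None:
        return False
    if t.hostname.startswith("*."):
        host_ok = r.hostname.endswith(t.hostname[1:])
    else:
        host_ok = r.hostname == t.hostname
    return host_ok and r.path.startswith(t.path or "/")


def login_redirect(typed_identifier, return_to, trust_root,
                   fetch=lambda url: SAMPLE_IDENTITY_PAGE) -> str:
    """Steps 2 to 5 end to end; `fetch` stands in for the GET of step 3."""
    canonical = canonicalize(typed_identifier)
    return checkid_setup_url(canonical, discover(fetch(canonical)),
                             return_to, trust_root)
```

The Consumer follows whatever openid.server the identity page names, so a Consumer that is itself malicious can send the user to a look-alike server and collect the step 7 password; that is the "trivial phishing" on the previous slide, and the return_to/trust_root check does not address it, it only keeps a legitimate Identity Server from bouncing an assertion to an unrelated site.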

Part V: Building in Privacy

Classic technologies' drawbacks
- Usernames/passwords
  - Low security
  - Vulnerable to phishing
  - Do not support data sharing
- Kerberos
  - Traceable and linkable (by the issuer's signature)
  - Requires online access to the authority
  - Does not support cross-domain data sharing
- X.509 certificates
  - Traceable and linkable (by the issuer's signature)
  - Only support data sharing of anticipated claims
  - Revocation check may involve a real-time connection to the issuer

Privacy-enhancing technologies (PET)
- Set of modern cryptographic techniques that enhance/preserve/protect the privacy of users when interacting with service and identity providers
- Encompass many technologies: encryption (confidentiality), policy (P3P), anonymous access (onion routing, e.g. Tor)
- Of interest here: "data PET", to prove who you are in a specific context and what your credentials are, while meeting the laws of identity:
  1. User Control and Consent
  2. Minimal Disclosure
  3. Justifiable Parties
  4. Directed Identity

PET features
[Diagram: Alice between an Issuer and a Verifier, marked with a "?".]

SSO revisited (1)
[Diagram: Alice, an Issuer with a Token Service, and Services A, B and C with their own accounts. Alice's record at the Issuer: Name: Alice Smith, DOB: 1973/08/24. Service A knows her as AliceS and holds Name: Alice Smith, DOB: 1973/08/24. Token table at the Issuer:
Token ID      Service
a9e28b3c74    Service A
9b87f3c4dd2   (unlinked)
f88e37ba221   (unlinked)]

SSO revisited (2)
[Diagram: as above, now with Service B. Service B knows Alice as ASmith and holds Address: 1010 Sherbrooke, Postal code: H3A 2R7; Service A still holds Name: Alice Smith, DOB: 1973/08/24 under AliceS. Token table at the Issuer:
Token ID      Service
a9e28b3c74    Service A
9b87f3c4dd2   Service B
f88e37ba221   Service C]

Data sharing revisited (1)
[Diagram: Service C tells Alice "You need to be over 18 to access this service"; the Issuer's Token Service supplies a token for Service C carrying only the claim "Over 18"; Service C answers "Welcome". Service A holds Name: Alice Smith, DOB: 1973/08/24 (AliceS); Service B holds Address: 1010 Sherbrooke, Postal code: H3A 2R7 (ASmith).]

Data sharing revisited (2)
[Diagram: Alice's data is split across services: Service A holds Name and DOB (Alice Smith, 1973/08/24, account AliceS), Service B holds Address and Postal code (1010 Sherbrooke, H3A 2R7, account ASmith), with the Issuer's Token Service in the middle.]

Data sharing revisited (3)
[Diagram: Service C: "You must be over 18 and from Quebec to access this service." Service A's Name/DOB (Alice Smith, 1973/08/24) yields the claim "18+" and Service B's Address/Postal code (1010 Sherbrooke, H3A 2R7) yields the residency; together they form the "proof" presented to Service C, which answers "Welcome" without receiving the underlying name, date of birth or address.]
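The "SSO revisited" and "Data sharing revisited" slides above, as an added example that is neither the tutorial's code nor Credentica's U-Prove: the Issuer's Token Service mints a separate, audience-bound token per service, each carrying only the claims that service asked for, so two colluding services find no token ID or issuer signature in common, whereas one X.509-style credential shown everywhere links the accounts. The issuer key, the token format and the "from Quebec" rule (Quebec postal codes begin with G, H or J) are assumptions; an HMAC stands in for a real signature, and Alice's values are the ones on the slides.

```python
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"demo-issuer-key"  # constructed for the example; a real issuer signs with a private key
TUTORIAL_DATE = "2007/05/01"     # "today" for the age predicate

# Alice's record at the Issuer, values as shown on the slides
ALICE_RECORD = {"name": "Alice Smith", "dob": "1973/08/24",
                "address": "1010 Sherbrooke", "postal_code": "H3A 2R7"}


def over_18(dob: str, today: str = TUTORIAL_DATE) -> bool:
    y, m, d = (int(x) for x in dob.split("/"))
    ty, tm, td = (int(x) for x in today.split("/"))
    return (ty, tm, td) >= (y + 18, m, d)


def derived_claims(record: dict) -> dict:
    """The Issuer computes predicate claims so a service can ask for
    "over 18" or "from Quebec" without ever receiving the raw DOB/address."""
    claims = dict(record)
    claims["over_18"] = over_18(record["dob"])
    claims["from_quebec"] = record["postal_code"][:1] in ("G", "H", "J")  # assumption: Quebec FSA letters
    return claims


def _mac(body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ISSUER_KEY, canonical, hashlib.sha256).hexdigest()


def issue_token(record: dict, wanted: list, audience: str) -> dict:
    """Token Service: fresh random token ID, only the wanted claims,
    bound to one audience ("*" models a classic all-purpose credential)."""
    claims = derived_claims(record)
    body = {"token_id": secrets.token_hex(6), "audience": audience,
            "claims": {name: claims[name] for name in wanted}}
    return {"body": body, "mac": _mac(body)}


def verify_token(token: dict, my_service: str) -> dict:
    """Service side: check the Issuer's MAC and that the token was minted
    for this service, then return the disclosed claims."""
    if not hmac.compare_digest(_mac(token["body"]), token["mac"]):
        raise ValueError("bad issuer MAC")
    aud = token["body"]["audience"]
    if aud not in ("*", my_service):
        raise ValueError(f"token for {aud} presented to {my_service}")
    return token["body"]["claims"]


def can_link(log_a: list, log_b: list) -> bool:
    """Colluding services try to join their records on the identifiers the
    Issuer produced: token IDs and issuer signatures (the "issuer's
    signature" linkability of the classic-technologies slide)."""
    ids_a = {(t["body"]["token_id"], t["mac"]) for t in log_a}
    ids_b = {(t["body"]["token_id"], t["mac"]) for t in log_b}
    return bool(ids_a & ids_b)


def classic_flow() -> dict:
    """X.509-style: one credential with every attribute, shown to A, B and C."""
    cert = issue_token(ALICE_RECORD, ["name", "dob", "address", "postal_code"], "*")
    logs = {s: [cert] for s in ("A", "B", "C")}
    return {"linkable": can_link(logs["A"], logs["C"]),
            "service_c_claims": verify_token(cert, "C")}


def pet_flow() -> dict:
    """The slides' token table: an independent minimal token per service."""
    needs = {"A": ["name", "dob"], "B": ["address", "postal_code"],
             "C": ["over_18", "from_quebec"]}
    logs, seen = {}, {}
    for service, wanted in needs.items():
        tok = issue_token(ALICE_RECORD, wanted, service)
        seen[service] = verify_token(tok, service)
        logs[service] = [tok]
    return {"linkable": can_link(logs["A"], logs["C"]),
            "service_c_claims": seen["C"]}


def replay_rejected() -> bool:
    """A token minted for Service C is refused by Service A."""
    tok = issue_token(ALICE_RECORD, ["over_18"], "C")
    try:
        verify_token(tok, "A")
    except ValueError:
        return True
    return False
```

Two limits matter. The Issuer still holds the token table, so it can link Alice's accounts itself; unlinkability here is only against the services, and hiding it from the Issuer too needs blind issuance and a proof of the predicate rather than an Issuer-computed boolean, which is what the actual PET schemes add. And the audience check stops a token minted for Service C from being replayed at Service A, but not Alice handing her Service C token to John, the credential-lending case from the requirements slide.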