Federated Identity


Nov 29, 2013


presented by Patrick Burke and Christian Loza

Introduction

- The Internet has changed the way we do business forever.
- In cyberspace our identity has changed too, and a Digital Identity has emerged.
- Identity can be defined as a set of characteristics that uniquely identifies us (or a digital entity) [1].


Introduction

CONCEPTS

- Identity: set of characteristics that identifies a given entity.
- Identification: recognizing someone as a specific individual.
- Authentication: process to make sure the identification is valid.
- Authorization: set of resources given to a certain entity, based on its identity.


Introduction

- In the physical world, users can be identified by physical characteristics, such as hair color, height, skin color, etc.
- On the Internet, users are identified by sets of information, such as SSN, name, credit card number, address, phone number, etc.

Introduction

- Most services have moved to the Internet:
  - Electronic Commerce
  - Electronic Government
  - Electronic Learning
  - Electronic Marketing
  - Electronic Publishing

Introduction

- To interact on the Internet with these service providers, people use their Digital Identity.

Introduction

- One of the drawbacks of human-centric electronic interactions is the fuzziness of the image of the other partner over the network.

Introduction

- Ensuring security and privacy in a distributed communication system such as the Internet is crucial.
- Crimes related to identity theft have become a major threat to the growth of commerce over the Internet.

Introduction

Identity-related misuse and concerns [2]

- Identity theft: someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception [3].
- Malicious change of information: someone wrongfully changes somebody else's personal information, or their own, to do harm or for self-benefit.
- Secondary use: somebody impersonates someone else for personal benefit.
- And the list keeps growing.


Federated Identity

Some facts

Below are some institutions and people believed to be victims of identity theft:

- Bill Gates
- CIA, NASA, Justice Department
- Wells Fargo
- Bank of America
- eBay
- UNT?

Problem Definition

- Identity has brought more complexity to the business model.
- Any person may now be using multiple identities to access multiple service providers on the Internet.
- Multiple identities also mean redundant costs and increasing problems.

Problem Definition

- One of the technologies that has emerged to solve the increasing complexity of identity management across multiple organizations is Federated Identity.

Problem Definition

- Federated Identity is a digital credential analogous to a country's passport [4].
- Trust negotiation model: the gradual interchange of credentials between two entities, with the goal of establishing trust and finally exchanging resources.
- Our task is to review proposed designs for an efficient scheme of such federated interchange.

Problem Definition

- Different sets of information from the Identity may be needed by different organizations.

Federated Identity

First diagram (each organization keeps its own overlapping copy of the user's attributes):

  A: Name, Address, Phone Number, PO Box, SSN
  B: Name, Address, Phone Number, PO Box, SSN, Credit Card, Billing Address
  C: Name, Address, Phone Number, PO Box, SSN, Credit Card, Passport Number

Second diagram (the attributes partitioned so that each organization holds only the ones it alone needs):

  A: Name, Address, Phone Number, PO Box, SSN
  B: Credit Card, Billing Address
  C: Passport Number

Federated Identity

Credentials negotiation

- Disclosure policies
- Credential combinations are required for disclosure of sensitive information.
- Negotiation between user and service providers, and among service providers.


Federated Identity

Scalability

KEY CONCEPTS for scalability of Federated Identity:

- Has to work with the browser as the client-side software
- Centralized approach
- Identity- or capability-based credentials



Federated Identity

Privilege management

- Both Federated Identity and Privilege Management are cornerstones of a management framework.
- A mechanism for Federated Identity and Privilege Management should satisfy at least eight requirements:

Federated Identity

Requirements

1. SSO (Single sign-on)

   Persistence of user identity across the enterprise domains, allowing users to transfer their authorizations across multiple points of policy enforcement.

2. Effective access control

   Access control should be fine-grained, so that it can keep up with dynamically evolving enterprise resources.


Federated Identity

Requirements

3. Decentralized model

   The system should not rely on a centralized access point; instead, it should be distributed.

4. Authentication for strangers

   In the new distributed Internet environment, there is no longer any advance knowledge of identities or capabilities.




Federated Identity

Requirements

5. Trust, Anonymity and Privacy

   Privacy protection is becoming an increasing concern, from both a social and a legal perspective. It is a compromise, since avoiding name-binding complicates trust establishment.

6. Standardized approach

   The solution should have the capability to be integrated with other systems, using existing accepted standards.

Federated Identity

Requirements

7. Browser based

   Nobody wants to install client-side applications.

8. Technology issues

   Cookies and JavaScript are being used. Nevertheless, they have proved to be a security problem, even though they are better than the other options.

Federated Identity

Ideal Scheme

1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login
6. Redirect w/tickets in header
7. Request page w/credentials
8. Set ticket
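The eight-step redirect scheme above, simulated as an added example (not code from the slides): an identity provider checks the login and issues a ticket signed with a key shared with the service provider, and the service provider validates signature, audience and expiry before setting its own session. The HMAC ticket format, the names and the demo user store are assumptions; the same sequence also underlies the MSN Passport and Kerberos flows that follow.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumption: one shared key per partner, agreed out of band (as the deck says
# of Passport's per-organization keys); the IdP signs tickets with it and the SP
# verifies them. Generated here with a CSPRNG so both roles share it in-process.
SHARED_KEY = secrets.token_bytes(32)
TICKET_LIFETIME = 300  # seconds a ticket stays valid

# Constructed user store held only by the identity provider (IdP). A real IdP
# would use a proper password hash (bcrypt/scrypt/Argon2); sha256 is for brevity.
_IDP_USERS = {"alice": hashlib.sha256(b"demo-salt" + b"correct horse").hexdigest()}


def idp_login(username, password, audience):
    """Steps 4-6: the IdP checks the credentials and mints a signed ticket.
    The service provider (SP) never sees the password."""
    digest = hashlib.sha256(b"demo-salt" + password.encode()).hexdigest()
    if not hmac.compare_digest(_IDP_USERS.get(username, ""), digest):
        return None
    body = {"sub": username, "aud": audience,           # bind ticket to one SP
            "exp": int(time.time()) + TICKET_LIFETIME,  # short lifetime
            "nonce": secrets.token_hex(8)}              # unique per issue
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + sig                    # carried in the redirect


def sp_accept_ticket(ticket, expected_audience, now=None):
    """Steps 7-8: the SP verifies signature, audience and expiry before it
    sets its own session cookie. Returns the session or None on any failure."""
    try:
        payload_hex, sig = ticket.split(".")
        payload = bytes.fromhex(payload_hex)
        body = json.loads(payload)
    except ValueError:
        return None
    expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):          # constant-time compare
        return None
    if body.get("aud") != expected_audience:            # ticket meant for another SP
        return None
    if body.get("exp", 0) < (now if now is not None else time.time()):
        return None
    return {"user": body.get("sub"), "session": secrets.token_hex(16)}
```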

Federated Identity

Examples

- MSN Passport: developed by Microsoft
- Kerberos: developed by MIT
- X.509: Network Working Group, Certificate Management Protocol
- RBAC
- Research Proposal


Federated Identity

MSN Passport

1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login & passport
6. Redirect w/tokens in header
7. Request page w/credentials
8. Set cookie

Federated Identity

MSN Passport

- Centralized model
- Credentials and no tickets
- Used to authenticate users of Hotmail and MSN Messenger. Other users include Zurich and GMAC.
- The biggest Federated Identity system is Passport, from Microsoft.

Federated Identity

MSN Passport

- Processes 3.5 billion authentications each month
- Uses XML as the core
- Uses SSL
- Passport requires triple-DES keys shared with each organization.
- The keys must be generated securely and given to the merchants out of band.
- Some keys were broken because of the poor randomness of the generated keys.

Federated Identity

MSN Passport - Problems

- Centralized point of attack, against the distributed nature of the Internet. Vulnerable to DoS attacks.
- Due to the cookie architecture, a service can impersonate MSN Passport and delete all the cookies in the clients (usable for DoS attacks).
- JavaScript and cookie technologies have proved to be insecure.

Federated Identity

MSN Passport - Problems

- Bugs have a great impact.
- MSN found problems many times, bringing down all services depending on Passport.
- One example was a failure in the password-resetting mechanism.

Federated Identity

Kerberos (symmetric)

1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login
6. Redirect w/tokens in header
7. Request page w/credentials
8. Set ticket

Federated Identity

Kerberos

- Developed by MIT's Project Athena
- Allows mutual authentication and secure communications over the network
- Uses symmetric-key encryption and authentication credentials
- Authentication credentials are based on identity, and are suited for access control lists. The main problems for Identity Management are centralization and name binding.

Federated Identity

Kerberos - Problems

- Kerberos is identity-based, which causes problems for scalability. Key concept: avoid name-binding.
- Suitable for access roles. Nevertheless, symmetric keys are not suited for federations and distributed identity management.

Federated Identity

X.509 (asymmetric)

1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login
6. Redirect w/tokens in header
7. Request page w/access privileges
8. Set privileges

Federated Identity

X.509

- X.509 is a certificate scheme for authentication
- Based on Public Key Infrastructure (PKI)
- The access control credential is called an Attribute Certificate
- Asymmetric authentication
- Integrated approach to authentication and authorization


Federated Identity

X.509 Problems

- Integrated approach to authentication and authorization, which is not good in all contexts.
- This is because not all the system-specific capabilities may be known in advance.
- Access control credentials are not sufficient to meet effective access control requirements. Key concept: not scalable.

Identity

Role-Based Access Control (RBAC)

- Current enterprise solutions employ a combination of physical security, passwords, and Role-Based Access Control to ensure the identity of a user.
- Physical security and passwords protect the system from intrusion.
- Role-Based Access Control limits access to documents and data on a "need to know" basis.

Identity

Role-Based Access Control (RBAC)

- Access rules are established with sets of access pairs which associate users and their corresponding permissions:

  (user, permissions)

- While RBAC is supported by many specific application packages (Oracle and Sybase, for example), the method will be described with a brief look at XML.

Federated Identity

XML Public Protocols

SAML (Security Assertion Markup Language)

- XML based
- Avoids the limitations of cookies
- SSO interoperability: different implementations can be compatible
- Web services: suited to work in browser environments
- Federations: can simplify federation usability

Federated Identity

XML-Based Doc Security

X-Sec [5] is one notional XML-based control system with the following components:

- Credential-types (ct)
  - Defined user type definitions
  - Example: manager, customer, carrier
  - (n_ct, P_ct), where n is the name of the credential and P is the set of property specifications for the ct.

XML credential-type and corresponding graph representation [5]

XML-Based Doc Security

X-Sec Components (cont.)

- Credential
  - An instantiation of a credential-type
  - Specifies the set of property values characterizing a given subject against the credential-type itself
  - Physical credentials are certified by the credential issuer

XML credential and corresponding graph representation [5]

XML-Based Doc Security

X-Sec Components (cont.)

- Security Policy Base Template
  - Specifies credential-based security policies based on enterprise protection requirements
  - Documents to which the policy applies
  - Portions of documents within target documents
  - Access modes
  - Propagation mode for the policy

XML-Based Doc Security

X-Sec Components (cont.)

- Security Policy Base Instantiation
  - Example (below):
    - Secretaries in sales can access and modify all purchase order documents.
    - UPS employees can access information about the customer, carrier, and order id.
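An added example (not the X-Sec paper's code or the presenters') implementing the components listed on these slides: credential-types and credentials, and a policy base that instantiates the two rules above over a constructed purchase order, pruning the document to the portions the credential may access. It also stands in for the (user, permissions) pairing of the RBAC slide, with a credential in place of the user. Element names, property names and the policy tuple layout are assumptions.

```python
import xml.etree.ElementTree as ET

# Credential-types (n_ct, P_ct): type name -> properties a credential must carry.
CREDENTIAL_TYPES = {"manager": {"employee_id", "department"}, "carrier": {"company", "employee_id"}}

# Policy base (constructed from the two rules above): (credential-type, condition on
# its properties, target document, portion paths, access modes); a grant propagates to descendants.
POLICY_BASE = [
    ("manager", lambda c: c["department"] == "sales", "purchase_order",
     ["."], {"read", "write"}),
    ("carrier", lambda c: c["company"] == "UPS", "purchase_order",
     ["./customer", "./carrier", "./order_id"], {"read"}),
]

# Constructed target document; the carrier must not see price or payment data.
PURCHASE_ORDER = ("<purchase_order><order_id>PO-1</order_id><customer>ACME</customer>"
                  "<carrier>UPS</carrier><price>1200</price><payment>card 4242</payment></purchase_order>")

def make_credential(ct_name, properties):
    """A credential instantiates a credential-type; the issuer's signature is assumed checked."""
    required = CREDENTIAL_TYPES.get(ct_name)
    if required is None or not required <= set(properties):
        raise ValueError("credential does not match its credential-type")
    return {"type": ct_name, **properties}

def _prune(parent, allowed):
    """Drop children that neither are granted nor contain a granted portion."""
    for child in list(parent):
        if id(child) in allowed:
            continue                                     # whole subtree granted
        if any(id(d) in allowed for d in child.iter()):
            child.text = None                            # ancestor kept as a path only
            _prune(child, allowed)
        else:
            parent.remove(child)

def authorized_view(credential, doc_xml, mode="read"):
    """Reduce the document to what the credential may access; None if nothing is granted."""
    root = ET.fromstring(doc_xml)
    allowed = set()
    for ct, cond, doc, portions, modes in POLICY_BASE:
        if ct == credential["type"] and doc == root.tag and mode in modes and cond(credential):
            for path in portions:
                for el in ([root] if path == "." else root.findall(path)):
                    allowed.update(id(d) for d in el.iter())  # propagate to descendants
    if not allowed:
        return None
    if id(root) not in allowed:
        _prune(root, allowed)
    return ET.tostring(root, encoding="unicode")
```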

XML-Based Doc Security

Assessment

PRO:
- Highly available in commercial products
- Easy to set up
- Training is readily available
- Highly effective in a CLOSED and TRUSTED environment

CON:
- Often difficult to REMOVE users
- Impractical in an open user environment
- Not a long-term Internet solution
- Passwords can be stolen, resulting in unauthorized access
- Periodic password changes make remembering passwords difficult
- Left to their own devices, people tend to choose passwords that are easy to guess


Biometrics

DEFINITION

Any and all of a variety of identification techniques which are based on some physical or behavioral characteristic of the individual, contrasted with the larger population. Unique digital identifiers are created from the measurement of this characteristic.

- Physiological biometrics: fingerprints, hand and/or finger geometry, eye (retina or iris), face, and wrist (vein)
- Behavioral biometrics: voice, signature, typing behavior, and pointing

Biometrics

OVERVIEW

- A user's digital template is created during an "enrollment period" and stored in a database.
- On attempted verification, the relevant template is extracted and compared with the data input.
- An ATM card is still required to point at the correct digital template.
- Verification is based on statistical techniques of comparison between the two.


Biometrics

Some devices that use biometrics

Benchmarks

- The eight points can be used to measure whether an Identity Management protocol is suited for scalability and federated use.
- Browser features can be used as a metric: use of cookies, use of JavaScript, use of XML.


Biometrics

Benchmarks

BENCHMARKS for biometrics:

- Template size
- Speed of enrollment
- False Accept Rate
- False Reject Rate
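An added example (not from the slides) computing the last two benchmarks from matcher scores: with constructed genuine and impostor similarity scores, the False Accept Rate and False Reject Rate are evaluated at several thresholds, and the strictest threshold meeting a FAR ceiling is found along with the FRR it costs. The scores and the accept-when-at-or-above decision rule are assumptions.

```python
# Constructed matcher outputs: similarity in [0, 1] between a live sample and the
# stored template. Genuine pairs (same person) should score high, impostor pairs low.
GENUINE_SCORES = [0.92, 0.88, 0.75, 0.61, 0.95, 0.83, 0.57, 0.90]
IMPOSTOR_SCORES = [0.12, 0.35, 0.48, 0.62, 0.20, 0.30, 0.55, 0.08]

def far_frr(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Decision rule: accept when score >= threshold.
    FAR = fraction of impostor attempts accepted (security failure).
    FRR = fraction of genuine attempts rejected (usability failure)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def sweep(thresholds, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Tabulate (threshold, FAR, FRR): raising the threshold trades FAR for FRR."""
    return [(t, *far_frr(t, genuine, impostor)) for t in thresholds]

def threshold_for_max_far(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Lowest threshold whose FAR does not exceed the ceiling, with the FRR the
    users will pay for it; None if no threshold is strict enough."""
    for t in sorted(set(genuine + impostor)):
        far, frr = far_frr(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    return None

if __name__ == "__main__":
    for t, far, frr in sweep([0.5, 0.6, 0.7, 0.8]):
        print(f"threshold {t:.2f}: FAR {far:.3f}  FRR {frr:.3f}")
    print("strictest usable setting for FAR <= 0:", threshold_for_max_far(0.0))
```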

Biometrics

Benchmarks: ASSESSMENT

PRO:
- When it works, it works best
- Generally acceptable in controlled group settings

CON:
- Bad user perceptions
- May be misused
- May harm eyes
- Input quality degrades with age
- Unacceptable False Reject Rates: 17% (facial), 10% (finger swipe)


Conclusions

- Identity is a key issue for the Next Generation Internet.
- Any new or already proposed scheme for Identity Management should address at least the eight points presented.
- All Identity Management should work with a browser on the client side.

Conclusions (cont.)

- Identity Management paradigms that ensure "you are you," as opposed to "you are who you say you are," are absolutely critical to the future of e-commerce and electronic information sharing.
- Federated Identity can only be successful if the services are decentralized.
- Not an easy task.


Conclusions (cont.)

- Access control systems will continue to provide enterprise solutions for controlled areas for the foreseeable future.
- Biometrics appears to be the only real solution on the horizon, but it is not yet reliable enough for use in the general world population.


Sources

- Images and icons from http://www.kde-look.org
- Icons from CISCO SYSTEMS, http://www.cisco.com/warp/public/503/2.html#pkt
- Photo on slide 7, from Wikipedia, http://en.wikipedia.org/wiki/Kevin_mitnik







References

1. Toby Baier, Christian Zirpins, Winfried Lamersdorf, "Digital Identity: How to be someone on the Net".
2. Peter G. Neumann, "Identity-Related Misuse", Communications of the ACM.
3. US Department of Justice (USDOJ). (2000, June). "Identity theft and fraud". Retrieved July 1, 2004, from the World Wide Web: http://www.usdoj.gov/criminal/fraud/idtheft.html
4. E. Bertino, A. Bhargav-Spantzel, A. C. Squicciarini, "Digital Identity Management and Trust Negotiation", CERIAS, Purdue University; University of Milan, Milan, Italy.
5. E. Bertino, S. Castano, E. Ferrari, "On Specifying Security Policies for Web Documents with an XML-based Language", SACMAT'01, May 3-4, 2001, Chantilly, Virginia.
6. L. Coventry, A. DeAngeli, G. Johnson, "Usability and Biometric Verification at the ATM Interface", CHI 2003, April 5-10, 2003, Fort Lauderdale, FL.