Re-using existing PKIs for online Identity Management. Martijn Oostdijk, Novay, 22/10/09 | Session ID: 305 | Classification: Intermediate


Description: Using ePassports with Information Card. Presented at RSA Conference Europe 2009.


Page 1: Re-using existing PKIs for online Identity Management

Re-using existing PKIs for online Identity Management

Martijn Oostdijk, Novay, 22/10/09 | Session ID: 305

Classification: Intermediate

Page 2


Agenda

Electronic Passports

A short introduction to Identity 2.0

Using the ePassport PKI for online IdM

Conclusions

Page 3

How to apply what you learn here?

• I will demonstrate how third parties (you?) can piggyback on “traditional” PKI infrastructure to facilitate your organization’s IdM

• You are invited to come and discuss pros and cons of the combination of PKI and user-centric IdM

• You will understand the risks involved and benefits of this combination, and be able to judge whether it is cost-effective for your organization

Educate + Learn = Apply

Page 4

An Introduction to Identity 2.0

Page 5

Web / Identity 2.0 means…

“Everybody knows you’re not a dog.”

Page 6

An attempt to define “Identity”

• Identity is what you and others claim about you

• In real life, whether you trust a claim
  – Depends on context
  – Depends on “authorities” or “Identity Providers”
    • parents, school, government
  – Depends on “Identity Providers by proxy”
    • signed note, diploma, passport, driver’s license

• On the Internet there is little context

• Identity Providers needed for trust

Page 7

Identity Management

Client (C): would like to use a service

Relying Party (RP)

Identity Provider (IdP): facilitates this process by
  – checking credentials of C
  – controlled release of attributes about C

Page 8


Online or offline IdP?

Online IdP

• Redirect RP to IdP

• Drawback: single point of failure

• Drawback: infrastructure cost

• Drawback: privacy?

Offline IdP

• IdP signed an identifier for client to present to RP

• No single point of failure

• Drawback: revocation

• No need to trust IdP w.r.t. privacy

• Drawback: can we trust user / user’s PC to store identifier?

Page 9

What is Identity 2.0?

• Identity 2.0 is User-centric Identity

• The user is in control over what information is shared with RP

• Two standards are popular:
  – OpenID
  – Information Card

• Hot or hype? (Like everything 2.0?)

• We’ll focus on Information Card here

Page 10

Laws of Identity 2.0

By Kim Cameron of Microsoft

1. User control
2. Minimal disclosure, constrained purpose
3. Justifiable parties
4. Directed identity
5. Pluralism of operators and technologies
6. Human integration
7. Consistent experience across contexts

Explained for dummies:

• People using computers should be in control of giving out information about themselves, just as they are in the physical world.

• The minimum information needed for the purpose at hand should be released, and only to those who need it. Details should be retained no longer than necessary.

• It should NOT be possible to automatically link up everything we do in all aspects of how we use the Internet. A single identifier that stitches everything up would have many unintended consequences.

• We need choice in terms of who provides our identity information in different contexts.

• The system must be built so we can understand how it works, make rational decisions and protect ourselves.

• Devices through which we employ identity should offer people the same kinds of identity controls - just as car makers offer similar controls so we can all drive safely.

Page 11

Information Card

• Open standard (sort of)

• Self-signed cards: Attributes kept at client

• Managed cards: Attributes kept at IdP

• Windows CardSpace is Microsoft’s implementation

• To prevent phishing: GUI dialog leaves context of OS

Page 12

Electronic Passports

Page 13

ePassport

• Issued by government, standardized by ICAO

• Contains chip with
  – Information about card holder
  – Mechanism to verify integrity of that information
  – Mechanism to verify authenticity of chip
  – Mechanism to communicate confidentially

• Tested and found “secure” up to EAL4+

• Intended for verification by border official’s equipment

• (Not intended for online verification)

Page 14

ePassport

[Figure: ePassport with its chip, logo, MRZ and antenna]

Page 15

Logical Data Structure

COM: index of DGs present
DG1: name, etc., a.o. date of birth and BSN
DG2: photo (face)
[DG11]: [some people with really long names]
DG15: public key for Active Authentication
SOd: hashes of DGs + signature of issuing state

Page 16


ePassport security mechanisms

CONTROLS:

• Basic Access Control

• Passive Authentication

• Active Authentication

• Extended Access Control

• Biometry

THREATS:

• Skimming & tracking (privacy)

• Eavesdropping (privacy)

• Altering (authenticity, integrity)

• Cloning (authenticity)

• Disclosure of biometrics (confidentiality)

• Look-alike fraud

Page 17

ePassports form a worldwide PKI!

• Passive authentication means:
  – Data groups signed by “document signer”
  – Document signer’s certificate signed by “country signer”

• Country signer’s certificate is given to other countries so that they can verify integrity and authenticity
  – Sometimes on government’s web site
  – In that case, third parties can read content after performing BAC

• Can ePassports be used in Identity 2.0 scheme such as Information Card?
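The passive authentication chain on this slide, as an added example built with Go's standard library (this is not code from the talk or from Novay). The SOd format, the ECDSA keys, the "CSCA NL" and "Document Signer" certificate names and the data-group contents are all constructed for the example; a real SOd is a CMS SignedData structure, and reading one needs a CMS parser that this example leaves out. The three checks are the ones the slide implies: the Document Signer certificate must chain to a country signing certificate the verifier trusts, the DS signature over the hash list must verify, and every data group read from the chip must match its signed hash.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// SOd is a simplified Document Security Object (a real SOd is CMS SignedData): per-DG hashes,
// the Document Signer's signature over their canonical encoding, and the DS certificate.
type SOd struct {
	DGHashes  map[int][]byte    // DG number -> SHA-256 of the DG contents
	Signature []byte            // ECDSA signature over encodeHashes(DGHashes)
	DSCert    *x509.Certificate // Document Signer certificate issued by the CSCA
}

// newCert issues a certificate; parent == nil yields a self-signed CSCA.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed serial
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature, // a DS only signs SOds
	}
	if isCA { tmpl.KeyUsage = x509.KeyUsageCertSign } // a CSCA only signs DS certificates
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// encodeHashes fixes the bytes the DS signs: DG number then hash, in ascending DG order.
func encodeHashes(h map[int][]byte) []byte {
	nums := make([]int, 0, len(h))
	for n := range h { nums = append(nums, n) }
	sort.Ints(nums)
	var buf []byte
	for _, n := range nums { buf = append(append(buf, byte(n)), h[n]...) }
	return buf
}

// NewCSCA models a country signing CA: the self-signed root that other states receive.
func NewCSCA(country string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return newCert("CSCA "+country, true, nil, nil)
}

// IssuePassport models personalisation: hash every DG and let a CSCA-certified Document Signer sign the list.
func IssuePassport(csca *x509.Certificate, cscaKey *ecdsa.PrivateKey, dgs map[int][]byte) SOd {
	dsCert, dsKey := newCert("Document Signer", false, csca, cscaKey)
	hashes := make(map[int][]byte, len(dgs))
	for n, content := range dgs { sum := sha256.Sum256(content); hashes[n] = sum[:] }
	digest := sha256.Sum256(encodeHashes(hashes))
	sig, err := ecdsa.SignASN1(rand.Reader, dsKey, digest[:])
	if err != nil { panic(err) }
	return SOd{DGHashes: hashes, Signature: sig, DSCert: dsCert}
}

// VerifyPassiveAuth is the check an inspection system, or an online IdP holding the CSCA cert, runs on the DGs it read.
func VerifyPassiveAuth(sod SOd, dgs map[int][]byte, csca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(csca)
	// Step 1: the DS certificate must chain to a CSCA we trust.
	_, err := sod.DSCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil { return fmt.Errorf("document signer not issued by a trusted CSCA: %w", err) }
	pub, ok := sod.DSCert.PublicKey.(*ecdsa.PublicKey)
	if !ok { return errors.New("unsupported document signer key type") }
	// Step 2: the hash list must carry a valid DS signature.
	digest := sha256.Sum256(encodeHashes(sod.DGHashes))
	if !ecdsa.VerifyASN1(pub, digest[:], sod.Signature) { return errors.New("SOd signature does not verify") }
	// Step 3: every DG read from the chip must match its signed hash.
	for n, content := range dgs {
		want, present := sod.DGHashes[n]
		if !present { return fmt.Errorf("DG%d is not covered by the SOd", n) }
		if got := sha256.Sum256(content); string(got[:]) != string(want) { return fmt.Errorf("DG%d has been altered", n) }
	}
	return nil
}

func main() {
	csca, cscaKey := NewCSCA("NL")
	dgs := map[int][]byte{1: []byte("constructed MRZ data"), 15: []byte("constructed DG15")} // constructed, not real passport data
	sod := IssuePassport(csca, cscaKey, dgs)
	fmt.Println("genuine passport verifies:", VerifyPassiveAuth(sod, dgs, csca) == nil)
}
```

The order of the checks matters: hashes are only meaningful once the signature over them is trusted, and the signature is only meaningful once the signing certificate chains to a country signer the verifier actually holds. A verifier that accepts a DS certificate from a CSCA it has never seen (or skips step 1 because the certificate "looks valid") accepts any forged document whose forger also forged the chain.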

Page 18

Using the ePassport PKI for online IdM

Page 19

ePassport + CardSpace

[Figure: architecture. Client side: the user, CardSpace and an NFC device (hardware), all run at the client and connected over a socket. Identity Provider: a Security Token Service hosted at the IdP. Relying Party: a web server.]

Page 20

Information Card protocol

Participants: User, Client, RP, IdP

1. Access
2. Policy
3. Filter cards
4. Select card
5. Request token
6. Give token
7. Give token

Steps 5/6: BAC + AA + DG1 + DG15 + SOd

Page 21

Result

• An online IdP can verify a user’s ePassport remotely
  – If the ePassport supports Active Authentication,
  – and Basic Access Control (and BAC keys known to the IdP),
  – and the country signing certificate is known to the IdP

• If data is protected by EAC
  – ePassport issuing countries can limit access to selected IdPs

• The IdP can translate attributes
  – To protect privacy
  – E.g. date-of-birth becomes “currently over 18 years of age”
  – User still in control of what gets sent to RP
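Steps 5/6 of the Information Card protocol on the previous slide and the attribute translation on this one, as an added example (not code from the talk or from Novay): the IdP's Security Token Service sends the chip a fresh challenge, the chip signs it with the private key whose public half sits in DG15 (Active Authentication), and the IdP then turns the MRZ date of birth from DG1 into the claim "currently over 18 years of age" rather than forwarding the date itself. Assumptions of this example: ECDSA stands in for the chip's actual signature scheme, the challenge is 8 bytes, DG15 is handled as a DER-encoded PKIX public key, and the rule for expanding the two-digit MRZ year is the example's own. The chip's key pair and the dates are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"time"
)

// NewChallenge returns an 8-byte random nonce. The IdP must draw a fresh one per
// session, otherwise a recorded chip response could be replayed against it.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 8)
	if _, err := rand.Read(c); err != nil { return nil, err }
	return c, nil
}

// ChipSignChallenge stands in for the passport chip: it signs the challenge with the
// private key that never leaves the chip (DG15 carries the matching public key).
func ChipSignChallenge(chipKey *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, chipKey, digest[:])
}

// VerifyActiveAuth runs at the IdP's Security Token Service. dg15 is the DER-encoded
// public key read from the chip (already hash-checked against the SOd by Passive
// Authentication), challenge is the nonce the IdP sent, sig is the chip's reply.
func VerifyActiveAuth(dg15, challenge, sig []byte) error {
	if len(challenge) != 8 { return errors.New("challenge must be 8 bytes") }
	pubAny, err := x509.ParsePKIXPublicKey(dg15)
	if err != nil { return fmt.Errorf("DG15 is not a PKIX public key: %w", err) }
	pub, ok := pubAny.(*ecdsa.PublicKey)
	if !ok { return errors.New("DG15 key type not handled by this example") }
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("chip could not prove possession of the DG15 private key (possible clone)")
	}
	return nil
}

// parseMRZDate turns the YYMMDD date of birth from the MRZ in DG1 into a time.Time.
// Assumption of this example: a two-digit year that would fall after asOf is read as 19YY.
func parseMRZDate(yymmdd string, asOf time.Time) (time.Time, error) {
	t, err := time.Parse("060102", yymmdd) // Go maps 69-99 to 19xx and 00-68 to 20xx
	if err != nil { return time.Time{}, fmt.Errorf("bad MRZ date %q: %w", yymmdd, err) }
	if t.After(asOf) { t = t.AddDate(-100, 0, 0) }
	return t, nil
}

// OverAge derives the minimal-disclosure claim "currently over n years of age" that the
// IdP hands to the RP instead of the raw date of birth.
func OverAge(dobMRZ string, n int, asOf time.Time) (bool, error) {
	dob, err := parseMRZDate(dobMRZ, asOf)
	if err != nil { return false, err }
	return !asOf.Before(dob.AddDate(n, 0, 0)), nil
}

func main() {
	chipKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the chip's AA key pair (constructed)
	dg15, _ := x509.MarshalPKIXPublicKey(&chipKey.PublicKey)
	challenge, _ := NewChallenge()
	sig, _ := ChipSignChallenge(chipKey, challenge)
	fmt.Println("active authentication:", VerifyActiveAuth(dg15, challenge, sig))
	asOf := time.Date(2009, 10, 22, 0, 0, 0, 0, time.UTC) // constructed "now"
	over18, _ := OverAge("910615", 18, asOf)             // constructed date of birth
	fmt.Println("currently over 18:", over18)
}
```

Two points the code makes explicit: Active Authentication only proves possession of the DG15 key, so it is worth nothing unless DG15 itself was integrity-checked through the SOd first, and the RP never sees the date of birth, only the boolean the IdP derived from it, which is the privacy gain the slide claims for a trusted online IdP.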

Page 22

Conclusions

Page 23

Conclusions

• Trend: Identity 2.0 (user-centric)

• Trend: governments rolling out massive worldwide PKI

• Such a PKI is very 1.0, but can be used in an Identity 2.0 scheme
  – Although role of IdP is somewhat different:

• A trusted online IdP is good for privacy
  – IdP translates “raw” attributes (such as date-of-birth) to more privacy friendly attributes (such as “currently over 18 years of age”)
  – Combining offline and online identity management offers some flexibility in terms of privacy protection

Page 24

Questions?