34
Access Management in Critical Information Infrastructures May 15, 2003 Presented to: 15th annual Canadian Information Technology Security Symposium May 12 - 15, 2003 Ottawa Congress Dr. Stefan Brands [email protected] m

Access Management in Critical Information Infrastructures

  • Upload
    jaser

  • View
    38

  • Download
    1

Embed Size (px)

DESCRIPTION

May 15, 2003. Access Management in Critical Information Infrastructures. Dr. Stefan Brands [email protected]. 15th annual Canadian Information Technology Security Symposium May 12 - 15, 2003 Ottawa Congress Centre. Presented to:. Critical Information Infrastructures. - PowerPoint PPT Presentation

Citation preview

Page 1: Access Management in Critical Information Infrastructures

Access Management in Critical Information Infrastructures

May 15, 2003

Presented to:

15th annual Canadian Information Technology Security Symposium

May 12 - 15, 2003Ottawa Congress Centre

Dr. Stefan [email protected]

Page 2: Access Management in Critical Information Infrastructures

2

Critical Information Infrastructures

“Information-centric infrastructures essential to the defense and economic prosperity of a society, and to the well-being of its people”

Strong reliance on effective management and sharing of sensitive information

Examples: – Telecommunications– The supply of utilities– Banking and finance networks– Public transportation– National defense– Health care

Page 3: Access Management in Critical Information Infrastructures

3

Information management trends

Information recorded & managed in electronic form Increasing data volume & sensitivity Increasing numbers of trust domains desiring ability

to interact (open systems) Data sharing over open networks Physical trust domains are disappearing Proliferation in number and type of access devices:

– Personal Computers– Personal Digital Assistants– Mobile phones– …

Page 4: Access Management in Critical Information Infrastructures

4

Benefits of electronic records

Efficient data sharing across corporate boundaries Reusability of recorded information Reduce errors Enhance productivity (notably of administrators) Location-”independence” of records:

– In central database– Distributed across databases (possibly “federated”)– User-controlled record– User-held record (smartcard, PDA, PC, …)

Open up new opportunities

Page 5: Access Management in Critical Information Infrastructures

5

Security issues

Data must be made selectively accessible Must be able to base authorization decisions on

access requestor rather than (only) on data itself No longer adequate: Vulnerability assessment

products and services, fire-walls, anti-virus software & hardware, intrusion detection applications

Authorization is next major security requirement Can grant authorization on the basis of: identity,

assumed role, privileges, entitlements, personal characteristics, profile data, qualifications, group membership, other credentials, payment, …

Page 6: Access Management in Critical Information Infrastructures

6

Security of electronic records

Complexity of “ownership” when data sharing is goal:– Many may be authorized to read, add or update information– Many may need to rely on data in same record

Access provider perspective:– OK: others can view data (to be informed & check for errors)– Not OK: others can add, delete, modify, or prevent

updating of data Challenge: Solve multi-party rights management

problem (good solution meets “any” rights setting) Must address two basic authentication problems:

– Authenticate access requests to record entries– Authenticate record entries themselves

Page 7: Access Management in Critical Information Infrastructures

7

Avoids duplication of passwords by giving users a single password for all resources

Only authenticates access requestor, does not deal with authentication of data entries in records

Liberty Alliance, MS Passport, … A user convenience, not a security solution Highly insecure for managing access to sensitive

information over open networks J. Lewis (CEO of Burton Group): “Single sign-on is a

security compromise waiting to happen”

Not a solution: single sign-on

Page 8: Access Management in Critical Information Infrastructures

8

Secure access management

Security must be tied to the information itself Most secure approach: public key cryptography

– Secret keys never leave confines of their storage device– Avoids key distribution problem of symmetric-key crypto– Offers non-repudiation (digital signatures)

Two fundamentally different public-key approaches:– X.509-style PKI

Identity certificates Attribute certificates (Privilege Management Infrastructure)

– Digital Credentials Seamless hybrid between identity and attribute certificates With security, privacy, scalability & performance benefits

Page 9: Access Management in Critical Information Infrastructures

9

X.509-style PKI

Revolves around the distribution and management of digital identity certificates

Invented in 1978 to facilitate message encryption In line with original goal, X.509 certificates provide:

– Confidentiality of data in transit (through encryption)– User authentication (ensures messages are encrypted

under right public key & prevents man-in-the-middle attack)– Data integrity (prevent tampering with data in transit) – Non-repudiation (proof of sender’s identity)

Access control was never a design requirement (irrelevant for message encryption infrastructure!)

Page 10: Access Management in Critical Information Infrastructures

10

Applying PKI to access control

PKI vendors currently distorting their technology to do access control (encryption is not big market need …)

Their approach:– Individual to provide digital identity certificate to gain access– Certificate serves as strongly authenticated pointer to on-

line databases entries– Access provider to retrieve all data for authorization decision

= Credit card infrastructure on steroids … Authentication for message encryption very different

from access control to sensitive data (unique needs for privacy, security, scalability & performance)

Page 11: Access Management in Critical Information Infrastructures

11

The irony; a historical perspective

Diffie-Hellman invention of asymmetric crypto (1976): – Setting: Encrypted communication over open network– Sender to encrypt message with public key of recipient – To prevent man-in-the-middle attack, on-line & secure

(read-only) database lists “name”– “public key” bindings Kohnfelder’s bachelor’s thesis (1978):

– Database problems: bottleneck & vulnerable to attacks– Identity certificates proposed to address both problems

Irony of digital identity certificates for access control:– Both problems are back with a vengeance– New problems that were irrelevant in original setting

Page 12: Access Management in Critical Information Infrastructures

12

Verifiers must look up all

authorization data themselves

… but all these databases may be in

different trust / administrative

domains …

… not to mention the revocation database, common to everyone

Page 13: Access Management in Critical Information Infrastructures

13

PKI & access control: problems (1)

Non-scalable beyond pre-established trust domains:– Access provider relies on the availability, correctness, and

timeliness of authorization data Poor security:

– Access right cloning and lending: no cryptographic protection– Misuse of online databases by hackers and insiders– Vulnerable to denial-of-service attacks:

Strong reliance on real-time availability of online databases Online certificate status validation

– Increases risk of identity theft: Inescapable system-wide identification Strong reliance on central databases

Page 14: Access Management in Critical Information Infrastructures

14

PKI & access control: problems (2)

Not suitable for use with smartcards:– Cannot use low-cost smartcards:

Storage problem Need crypto co-processor for exponentiations Elliptic-Curve cryptography is only partial solution

– Application provider must place very strong trust in parties involved in smartcard manufacturing, masking, initialization, application loading, and personalization. Attacks:

Overt or covert leakage of secrets and other confidential data Uniqueness, randomness, and secrecy of secret keys?? Fake-terminal attacks Selective “failure” attacks based on dynamic inputs

– Problems worsen for multi-application smartcards

Page 15: Access Management in Critical Information Infrastructures

15

PKI & access control: problems (3)

Managed services are intrusive: – Online Certificate Status Providers able to learn

competitive/sensitive data in real time: Identities of access requestors (and access providers) Peak hours Typically: nature of the transaction Possibly: transaction details

– Certificate Authorities must know the identity and any other attributes that go into the certificates they issue

– Online Certificate Status Providers & Certificate Authorities & on-line database maintainers can disrupt operations on the basis of transaction-specific knowledge in real time

Page 16: Access Management in Critical Information Infrastructures

16

PKI & access control: problems (4)

Privacy-invasive (roots inescapable systemic identification deep into information infrastructure):

– Public keys = strongly authenticated “super-SSNs”: Globally unique identification numbers Inescapably travel along with each and every action taken Obtained by access provider & third parties (providers of

authorization databases & online certificate status verifiers)– Always leave behind undeniable digital evidence of the

requestor’s identity (due to digital signing of nonces)– Problems with data protection legislation, unbridled use of

PKI may be unconstitutional– Access providers & third parties cannot prevent receiving

identifiable data

Page 17: Access Management in Critical Information Infrastructures

17

Bad “solutions” (quick fixes)

Identity certificates that specify a “pseudonym” or a “role” instead of a real name:

– Does not address privacy problems (remember: tracing can be done on the basis of the public keys in certificates)

– May weaken security (accountability, fraud containment, …) Issue different identity certificates for different uses:

– False sense of privacy: like using SSNs, credit card numbers, and health insurance numbers for all actions!

– Damages functionality: creates separate “islands” that cannot communicate (bridge-CAs undo purpose & create new scalability and trust problems)

– Scalability & smartcard inefficiency even worse

Page 18: Access Management in Critical Information Infrastructures

18

Another bad “solution”

Privilege Management infrastructure (PMI): – X.509 attribute certificates specify relevant attribute data– Addresses availability problem, but exacerbates all other

problems: Attribute certificates must be linked to (and sent along with)

base identity certificate to prevent pooling of privileges Even more devastating for privacy (all the attributes within a

certificate must be known to the CA & must be disclosed when showing the certificate)

No mechanisms to prevent discarding, updating-prevention, lending, and cloning

Smartcard inefficiency even worse Must manage and revoke an abundance of certificates

Page 19: Access Management in Critical Information Infrastructures

19

Privacy – a brief digress

“The right of individuals to determine for themselves when, how, and to what extent information about them is communicated to others”

In electronic world: virtually no grey areas between privacy & inescapable systemic identification

Different manifestations for:– Individuals (ROI hard to quantify)– Companies (competitive intelligence, liability issues)– Critical information infrastructures (monitoring threats)

Security safeguards deal with unauthorized outsiders, but most threats come from authorized insiders

Page 20: Access Management in Critical Information Infrastructures

20

1. Collection Limitation

2. Data Quality

3. Purpose Specification

4. Use Limitation

6. Openness

7. Individual Participation

8. Accountability

5. Security safeguards(incl. confidentiality)

Technology can address security without addressing privacy, but may introduce

new security concerns!

OECD FIPs:

Security is NOT privacy

Wolves in sheep’s clothing:• Ubiquitous surveillance cameras • National ID chipcards• PKI for access control• …

Page 21: Access Management in Critical Information Infrastructures

21

Privacy-respecting security

Not so much about anonymity, as about controlling who can learn what as data flows through system

Covers spectrum between mandatory identifiability and the maximum level of privacy afforded (“slider”)

Example: client identifies to access provider, access provider de-identifies non-repudiable transaction evidence for third party (PKI cannot do this!)

Privacy is good for security: – Non-identifiable (unlinkable) records & record access reduce

vulnerability to hackers & (authorized!) insiders– Decentralized approach reduces denial of service attacks

Page 22: Access Management in Critical Information Infrastructures

22

Digital Credentials

Achieve security, privacy & efficiency simultaneously Like digital signatures but much more powerful Three basic uses in access control:

– To authenticate data entries in records– To authenticate pointers to records– For digitally signed audit trails & receipts

“CA” binds attributes to Digital Credential public key:– User can allow CA to learn only an attribute property– User can blind Digital Credential public key & CA’s digital

signature (but not the attributes)– User can selectively disclose attribute property to verifier– User must know all attributes to show certificate

Page 23: Access Management in Critical Information Infrastructures

23

User can “blind” (randomize) the

certificate’s public key…

… and also the signature of the CA …

… but cannot modify the

attributes the CA certifies for him.

User can disclose only the minimal attribute property the Verifier needs

to know … … but needs to know all the attributes in the

certificate to make his own signature with the certificate’s secret key

Page 24: Access Management in Critical Information Infrastructures

24

Page 25: Access Management in Critical Information Infrastructures

25

Page 26: Access Management in Critical Information Infrastructures

26

Digital Credentials properties (1)

Fully adaptable levels of privacy: – Allow anonymous, pseudonymous, and role-based access– Principle of least authority; selective/minimal disclosure– Reverse authentication: data does not meet conditions– Recertification and updating: present Digital Credential

without revealing current attribute values– Dossier-resistance: leave no or partial non-repudiable

transaction evidence to verifier– Credential verifier can selectively discard data before

passing on digital evidence to third party– Reveal no or partial attribute data to Credential Authorities– Smartcard cannot leak sensitive data to outside world

Page 27: Access Management in Critical Information Infrastructures

27

Digital Credentials properties (2)

Security protections:– No pooling of privileges (multiple Digital Credentials can be

shown to contain same built-in identifier without disclosing it)– Lending protection: Embed client-confidential data into Digital

Credential (legitimate owner need never disclose it)– Discarding protection: Lump negative data in base Digital

Credential (e.g., drunk driving mark into driver’s license)– Limited-show credentials: Embedded identifier (or value) will

be exposed if and only if Credential shown too many times– Audit capability:

Digital audit trails & receipts facilitate dispute resolution Non-identified audit trail cannot be disavowed by originator Self-signed fraud confessions for lending and reuse

Page 28: Access Management in Critical Information Infrastructures

28

Digital Credentials properties (3)

Smartcard Implementations: – Manage billions of Credentials using 8-bit smart-card chip (off-

load storage and computational burden to user device)– Application provider can arbitrarily minimize level of trust

placed in smartcard (through application software)– Secure multi-application smartcards:

Different application providers can share same secret key to derive card security

Digital Credentials have uncorrelated secret keys (unknown even to card supplier) and can be revoked separately

Different applications using same smartcard are fire-walled through user software (not card software!)

Leakage of a card’s key does not allow fraud beyond the security functionality the card was supposed to add

Page 29: Access Management in Critical Information Infrastructures

29

Digital Credentials properties (4)

Managed services: – Credential Authorities certify sensitive information without being

able to learn the data– Revocation Authorities can validate certificates without being

able to identify the clients of organizations– Role of tamper-resistant smartcard can be outsourced

Peer-to-peer support: – Individuals can store and manage their own credentials– Unauthorized users cannot modify, discard, lend, pool, or

prevent the updating of information they hold– In the extreme: do away with central databases by securely

distributing all database entries to data subjects– Multi-purpose and multi-application certificates

Page 30: Access Management in Critical Information Infrastructures

30

Digital Credentials: not a whim

Limited implementation experience (but for another application, which never caught on commercially):

– CAFE & OPERA (2 EU SR&ED projects, involving KPN, Gemplus, Siemens & 15 others): e-cash on a smartcard, with field trials from 1996 to 1999

– Zeroknowledge Systems: e-cash on a RIM Blackberry Protocols described in open literature:

– 32 publications since 1993 at major crypto & privacy forums– 315-page MIT Press book with foreword by prof. Ron Rivest

Scrutinized by world’s top cryptographers (Shamir, Rivest, Schnorr, etc.)

Acclaim from security, legal & privacy experts

Page 31: Access Management in Critical Information Infrastructures

31

“an important landmark”Dr. Ronald L. Rivest (Webster Professor of Electrical

Engineering and Computer Science at MIT), August 2000

“minimizing the risks of all the interested actors”Electronic Privacy Information Center & Privacy International, 2001

“a superior alternative to conventional approaches to PKI”Dr. Roger Clarke (consultant in the management of

information and information technology), 2001

“security without sacrificing privacy”Dr. Hal Abelson (Professor at the Artificial

Intelligence Laboratory, MIT), August 2000

“the state of the art”Dr. A. Michael Froomkin (Professor of Law,

University of Miami), August 2000

“shows ways to do digital certificates without giving so much power to the system owner”

Former Chief Privacy Counselor to the Clinton Administration, Dr. Peter Swire, April 2001

Sample acclaim

Page 32: Access Management in Critical Information Infrastructures

32

Credential Management Platform

Leverages Digital Credentials technology A continuum between local and remote records Automated sharing and synchronization of certified

data in accordance with application-specific rules Roaming access to records & access tokens Multiple protocols for gaining access to electronic

records with varying levels of active participation Delegation certificates (limited-time or limited-use) Fine-grained multi-party rights management Optional: encrypt record entries & access requests

Page 33: Access Management in Critical Information Infrastructures

33

Page 34: Access Management in Critical Information Infrastructures

34

Additional Information

Digital Credentials overviews– Non-technical 2-pager:

www.ercim.org/publication/Ercim_News/enw49/brands.html– Semi-technical 40-page overview:

www.credentica.com/technology/overview.pdf– Technical 350-page book with formal security analysis:

www.credentica.com/technology/book.html

CMP architecture overview: ls6-www.informatik.uni-dortmund.de/issi/cred_ws/papers/brands.pdf

[email protected]