Avoco Secure: The I-Card Cloud Selector, CloudCard
What you will see today
An introduction to Avoco’s fully Cloud based I-Card Selector, CloudCard
A demonstration of the logon process using the Cloud selector and a shared secret
A demonstration of the extended use of Information Cards:
◦ Digital signing in the Cloud using Information Cards
◦ Access control of documents using Information Cards
CloudCard: What is it?
A fully Cloud based Information Card selector
A leap forward in Information Card usability
Bypasses the world of Windows desktops
Designed to have similar functionality to Windows CardSpace, e.g.
◦ Personal cards can be created
◦ Cards can be imported
◦ Cards can be backed up
◦ Works with standard and auditing cards – not yet tested with others, e.g. Relationship and Signalling cards
◦ Like CardSpace, token encryption is left to the IdP for auditing cards
Why Bother?
Usability benefits include:
◦ Universal access to your Information Cards
◦ True zero footprint for end users – no plug-ins, ActiveX, downloads, etc.
◦ Access from normal desktops/laptops as well as phones/mobile devices
◦ Test Implementation Site: https://www.secure2cardspace.com – currently username/password only into the CloudCard portal, but can be almost anything
Nitty Gritty
Extensibility: Modular design permits simple use of alternative login protocols, etc.
Portability: Written in PHP ∴ easy to port to other languages such as Java (if needed)
Security: Incorporates anti-phishing technology through shared-secret login control
Security: SSL – MITM attacks less feasible
Standards: HTML spec to be submitted as a standard
RP Use of CloudCard
CloudCard called as a post from the RP web page:
<a href="https://www.secure2cardspace.com/CloudCardA/CardView.php?ampIssuer=www.secure2cardspace.com&RequiredClaims=http....
Link specifies the entry point to the selector, the required card issuer, claims, etc., like calling a desktop selector.
Additionally, the RP’s certificate is included.
More on using photos as a shared secret
Used to provide anti-phishing of the I-Card web service account
User chooses a photo before logging into their account
If the correct photo is displayed, the user can log in knowing the site is genuine
A photo is always presented to prevent guessing usernames
[Slide photo: Sir Henry No-Tail]
What’s to stop a Phisher from Relaying?
Relay without a session key (actors: Phishing server (PS), CS Backend):
1. Generate phishing page
2. Username submitted
3. PS submits username to CS backend
4. PS gets image from response
5. Correct image set in fake password entry page

Session key with real site (actors: real site, CS Backend):
1. Create page and set up session key
2. Username submitted with session key data
3. Valid session key: image returned

Session key with Phishing Site (actors: Phishing server (PS), CS Backend):
1. Generate phishing page
2. Username submitted
3. PS submits username to CS backend (invalid session key)
4. No response
5. Cannot set correct image
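The three flows above, as an added example that is not Avoco’s code (the deck’s implementation is PHP; this is Python): a minimal CS backend issues a session key only to a site that proves it holds a registration credential, and returns a user’s photo only against a valid, unexpired key, so a relaying phishing server gets no response. The site credential, the HMAC proof, the expiry and the decoy photo for unknown usernames are assumptions about how the session key is established; the users and sites are constructed sample data.

```python
import hashlib, hmac, secrets, time

# Constructed sample data (not from the slides): the CS backend shares a
# registration credential with each genuine relying site, and each user has
# chosen a photo as their shared secret.
SITE_CREDENTIALS = {"www.secure2cardspace.com": b"constructed-site-credential"}
USER_PHOTOS = {"alice": "sir-henry-no-tail.jpg"}
SESSION_TTL = 300  # seconds a session key stays valid

class CSBackend:
    """Serves a user's photo only to a page set up with a valid session key."""

    def __init__(self):
        self._sessions = {}  # session key -> expiry time

    def create_session(self, site, nonce, proof):
        """Step 1 (real site): prove possession of the site credential with an
        HMAC over a nonce; a phishing server has no credential to prove."""
        cred = SITE_CREDENTIALS.get(site)
        if cred is None or not hmac.compare_digest(
                hmac.new(cred, nonce, hashlib.sha256).digest(), proof):
            return None
        key = secrets.token_hex(16)
        self._sessions[key] = time.time() + SESSION_TTL
        return key

    def photo_for(self, username, session_key):
        """Steps 2-3: return the photo only for an unexpired session key.
        Unknown usernames get a stable decoy, so the reply never reveals
        whether a username exists ("a photo always presented")."""
        expiry = self._sessions.get(session_key)
        if expiry is None or expiry < time.time():
            return None  # "No response" to a relayed request
        if username in USER_PHOTOS:
            return USER_PHOTOS[username]
        tag = hmac.new(b"decoy", username.encode(), hashlib.sha256).hexdigest()[:8]
        return f"decoy-{tag}.jpg"

def real_site_login_page(backend, username):
    """Genuine flow: set up a session key during page creation, then fetch the photo."""
    site = "www.secure2cardspace.com"
    nonce = secrets.token_bytes(16)
    proof = hmac.new(SITE_CREDENTIALS[site], nonce, hashlib.sha256).digest()
    return backend.photo_for(username, backend.create_session(site, nonce, proof))

def phishing_relay(backend, username):
    """Relay attempt: without the site credential any session key it sends is invalid."""
    return backend.photo_for(username, secrets.token_hex(16))
```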
Weaknesses
No protection against desktop Trojan / virus (but then the entire system is potentially compromised, including a desktop selector)
If you don’t like this...
Use your preferred login scheme, e.g. OpenID.
Human Beings, Digital Identity and Pictures of Familiar Things
Face recognition and recognition of familiar objects is part of an acquired evolutionary trait that helps us survive
We are good at it
We place trust in our ability to use face recognition and object recognition
We use processes of cheat recognition all the time, every day, to interact with others
An identity system must mesh real world me with digital me
We must use existing human traits when designing the system
Further Reading
If you’re interested in the research into cheat recognition and similar:
Cartwright, J. 2000. Evolution & Human Behaviour. Palgrave
Daly, M. & Wilson, M.I. 1999. Human evolutionary psychology and animal behaviour
Cosmides, L. and Tooby, University of California at Santa Barbara: http://www.psych.ucsb.edu/research/cep/primer.html
http://www.psych.ucsb.edu/research/cep/papers/TOMbroadnarrow.pdf
Authentication, Authentication or a Bigger Picture
The Avoco Cloud Selector is modular, so
◦ Can choose to use a myriad of authentication techniques – this presentation shows one
Important not to forget the big picture:
◦ Usability – for a consumer as well as business audience
◦ Represents the real world me in a familiar way: I am me because of these reasons (claims)…
◦ Can be used not just for logging into web sites: Identity is more than just access control
Current Developments
Authentication:
◦ Digital certificate
◦ OpenID
◦ LiveID
Card authentication specified by RP
◦ e.g. only a card backed by X509 can be selected
Seamless upload of cards from IdP to Selector – transparent management for users
Futures: Information cards and OpenID: SymbioticID (SymID)
A system for issuing OpenIDs with an Information Card
Links the two ID systems – best of both worlds
OpenID attributes can be set as an Information Card claim
Information card can be authenticated by that OpenID
OpenID linked to the extended claims system of the Information Card
Best of each to create a symbiotic ID system
Cloud Selectors: Adoption
Requires additional HTML / JavaScript
◦ Recommended for web pages to allow the user to select a Cloud Selector or Desktop Selector where appropriate / available.
How are multiple Selectors to be addressed?
◦ Preconfigured to a single Selector
◦ Preconfigured dropdown list
◦ Dynamic list populated from a discovery service.
Extending the Uses of Information Cards
Digital Signing in the Cloud
Why aren’t we all digitally signing?
Digital certificates are user-unfriendly and unpopular
People don’t like to install software, including browser plug-ins
Current solutions for signing on-line forms are open to denial of signing, caused by only including the form text in the signature
Therefore, to encourage digital signing, these issues must be addressed
Signing in the Cloud
Avoco Secure have developed the first truly Cloud based digital signing
Can be used:
◦ On any operating system
◦ Using any browser
◦ From desktops, laptops, mobile devices, phones and so on
Signing does not require the user to have an X509, but a standard PKCS#7 signature is produced.
Nothing to install – fully Cloud based.
Non-repudiation addressed.
Digital Signing and Identity
Always a problem to identify the signer
Avoco – generate a repeatable RSA key pair from ID info, e.g.
◦ Information Card claims
◦ OpenID attributes
◦ ATM Card numbers
◦ Passwords
◦ etc., etc.
◦ Exact data specified by host
Key pair -> transient X509 used to sign with; Cert and key pair destroyed after signing
Non-Repudiation of Signature
Image of the completed form incorporated into the digital signature
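The repeatable key pair and the signature over the form, as an added example that is not Avoco’s code: identity data plus a hypothetical host-side secret seed an HMAC-based deterministic generator, so the same inputs always rebuild the same RSA key, which then makes a PKCS#1 v1.5 signature over the form text and image bytes. The host secret, the canonicalisation of the identity data and the prime-search method are assumptions (without a host secret, a key derived from low-entropy inputs such as a password alone could be recomputed by anyone who knows them); the transient X509 and the PKCS#7 container are left out.

```python
import hashlib, hmac, json
# ASN.1 DigestInfo prefix for SHA-256, as used by PKCS#1 v1.5 signatures.
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
_SMALL = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin with fixed bases, so the answer is repeatable."""
    if n < 2 or any(n % p == 0 for p in _SMALL):
        return n in _SMALL
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in range(2, 2 + rounds):
        x = pow(a, d, n)
        if x in (1, n - 1): continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def derive_keypair(identity, host_secret, bits=1024):
    """Repeatable RSA key pair: the same identity data and host secret always
    yield the same (n, e, d). host_secret is an assumed server-side pepper."""
    canon = json.dumps(identity, sort_keys=True, separators=(",", ":")).encode()
    seed = hmac.new(host_secret, canon, hashlib.sha256).digest()
    e, primes = 65537, []
    for label in (b"p", b"q"):  # HMAC in counter mode: bits/2 deterministic bits per prime
        raw = b"".join(hmac.new(seed, label + bytes([i]), hashlib.sha256).digest()
                       for i in range(bits // 512))
        cand = int.from_bytes(raw, "big") | (1 << (bits // 2 - 1)) | 1  # full length, odd
        while not (_is_probable_prime(cand) and (cand - 1) % e):
            cand += 2  # deterministic walk to the next usable prime
        primes.append(cand)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def _emsa(message, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes
    t = _SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(message, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(message, k), "big"), d, n).to_bytes(k, "big")

def verify(message, sig, n, e):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa(message, k)
```

Because the key is rebuilt from the claims for each signing, nothing but the host secret needs to be stored, and the signature still verifies with any PKCS#1 v1.5 capable tool given n and e.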
Other
Incorporates timestamp (RFC 3161)
Emails signature to user
Signature verifiable by common tools as well as the Avoco on-line verifier
Demo: CloudCard with Cloud Signing
Extending the Uses of Information Card
Controlling Access and Applying Usage Policies to Documents and Emails
And there’s more…
Controlling access to documents and emails using Identity Information from Information Cards
◦ secure2trust
◦ secure2email
◦ secure2access
Claims used to:
◦ Control document and email access
◦ Apply usage policies, post access
Done in a content centric manner
Security is persistent across perimeters
Demo of document access control and policy application
Thanks for your time
Susan Morrow
Head of Product Development, Avoco Secure