Identity Management Techniques – CFP 2007 Tutorial
Christian Paquin
May 1st, 2007
Copyright © 2007 Credentica Inc. All Rights Reserved.

Contents

1. Identity and access management
2. Centralized I&AM
3. Federated I&AM
4. User-centric I&AM
5. Building in privacy

Part I: Identity & Access Management

Identity & access management (I&AM)

• What is identity & access management
  • Who is a user (identity)
  • What can a user do (roles, claims, assertions, credentials)
  • Management of the life-cycle of identity information (expiration, revocation)

• Goals of I&AM
  • Improve access to online services (usability)
  • Reduce costs and improve productivity
  • Connect more and more systems

• Actors
  • User (a.k.a. subject)
  • Identity provider (a.k.a. issuer, authority)
  • Service provider (a.k.a. relying party, verifier)

Use-case: single sign-on (SSO)

• User authenticates once to access various independent services in one session

[Figure: Alice authenticates once to the Authority, which holds the Accounts, and then reaches Service A, Service B and Service C (each with its own Accounts) in the same session.]

Use-case: data-sharing

• Different independent services can exchange data about a user

[Figure: the Authority (Accounts) sits at the centre; Service A, Service B and Service C (each with its own Accounts) exchange data about Alice through it.]

Security & privacy requirements

• Avoid unwanted tracing and linking powers (user profiling)
  • By the central party, the services, or both (collusion)
• Prevent denial-of-service attacks
  • Avoid bottlenecks: one server down → whole system down
• Prevent impersonation attacks (identity theft)
  • By a virus, a hacker, an insider (admin), another user
• Prevent user fraud
  • Credential transfer (lending, pooling), discarding

Laws of identity (Cameron & Cavoukian)

1. User Control and Consent
2. Minimal Disclosure
3. Justifiable Parties
4. Directed Identity
5. Pluralism of Operators & Technologies
6. Human Integration
7. Consistent Experience across Contexts

See http://www.identityblog.com/?page_id=354
Similar to the Fair Information Principles

Part II: Centralized I&AM

What is centralized I&AM

• Identity and authorization data is stored and managed by a central authority

• Services query the central authority to make access decisions or learn attributes

• Pros:
  • Simple to deploy and administer in a closed environment
• Cons:
  • Security and privacy problems in a cross-domain, multi-jurisdiction setting
• Good for enterprise I&AM (for internal employees) or in a single domain (e.g. a bank with its customers)

Enterprise I&AM

• I&AM in an enterprise to manage the identity of its employees

• One server (directory) holds the identity data
  • E.g.: LDAP, Kerberos, many many more
• What happens when the enterprise's boundaries get fuzzy?
  • External employees
  • Partners
  • Contractors

Use-case: Microsoft Passport

• Authentication and data held by Microsoft's server
• Good for Microsoft's services (e.g. Hotmail) but not for 3rd parties (e.g. eBay)

[Figure: Alice authenticates to Passport, which holds the Accounts; Service A and Service B rely on it.]

Part III: Federated I&AM

What is federated I&AM

• Virtual unification of identity systems
• Central authority facilitates (in the federation)
  • authentication and access to the services
  • data exchanges between the services
• Many standards: SAML, Liberty Alliance, WS-Federation, Shibboleth
• Liberty Alliance: consortium of organizations that develops interoperable I&AM specifications (many use cases)
• Pros
  • Bridge between the identity silos
  • Simplicity for services
• Cons
  • Central authority sees a lot of information
  • One secret lost → identity theft across the whole federation

Federated identity management (SSO)

[Figure: the Authority holds the Accounts; Service A, Service B and Service C each keep their own Accounts. Alice tells a service "I'm Alice"; the service asks the Authority "Who is this?"; the Authority asks Alice "Who are you?" and, once she has answered ("It's Alice"), tells the service "It's 7298592", which replies "Welcome 7298592". A second service asking "Who is this?" is told "It's 5209481" and replies "Welcome 5209481": each service knows Alice under a different number, and only the Authority can relate them.]

Federated identity management (SSO)

[Figure: the same federation with an Impersonator. Alice's numbers at the services are 5209481 and 7298592; the Impersonator's own is 2856387. Asked "Who is this?" about the Impersonator, the Authority at first answers "I don't know"; once the Impersonator is accepted as Alice ("It's Alice"), the Authority answers "It's 7298592" and the services reply "Welcome 7298592" and "Welcome 5209481": whoever holds Alice's one secret at the Authority is Alice at every service in the federation.]
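The two figures above as a runnable exchange, added here as an example and not code from the tutorial or from any federation product: an Authority authenticates Alice once, answers each service's "Who is this?" with a service-specific pseudonym, and the same session secret in an impersonator's hands is accepted everywhere. The user name, the password, the session handle and the HMAC-derived seven-digit pseudonyms are assumptions of this demo.

```python
import hashlib
import hmac
import secrets

# Added example (not from the tutorial): a toy federation in the shape of the
# two "Federated identity management (SSO)" figures. All names, keys and
# passwords below are constructed for the demo.


class Authority:
    """Central identity provider: holds the accounts, authenticates the user
    once, and answers each service's "Who is this?" with a per-service
    pseudonym (directed identity). It therefore sees every login and can
    link all pseudonyms; the services cannot unless they collude with it."""

    def __init__(self):
        self._pseudonym_key = secrets.token_bytes(32)  # assumed per-authority secret
        self._accounts = {}      # username -> (salt, password hash)
        self._sessions = {}      # session handle -> username
        self.pseudonym_log = []  # (username, service, pseudonym): what it can link

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[username] = (salt, self._hash(password, salt))

    def login(self, username: str, password: str):
        """The "Who are you?" step: returns a session handle, or None.
        That handle is the single secret the "Cons" bullet warns about."""
        rec = self._accounts.get(username)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        handle = secrets.token_urlsafe(16)
        self._sessions[handle] = username
        return handle

    def who_is_this(self, handle: str, service_name: str):
        """Answers a service's "Who is this?" for the holder of `handle`."""
        username = self._sessions.get(handle)
        if username is None:
            return None  # "I don't know"
        # Directed identity: a different identifier per relying party, derived
        # with a keyed MAC so only the authority can recompute or link them.
        # (A deployment would more likely keep a random value in a lookup
        # table, like the PID/MBUN table in the Secure Channel slides.)
        tag = hmac.new(self._pseudonym_key,
                       f"{username}|{service_name}".encode(), "sha256").digest()
        pseudonym = f"{int.from_bytes(tag[:4], 'big') % 10_000_000:07d}"
        self.pseudonym_log.append((username, service_name, pseudonym))
        return pseudonym


class Service:
    """Relying party: keeps accounts under the pseudonym the authority gives it
    and never sees a password."""

    def __init__(self, name: str, authority: Authority):
        self.name = name
        self.authority = authority
        self.accounts = {}  # pseudonym -> local profile

    def visit(self, handle: str) -> str:
        pseudonym = self.authority.who_is_this(handle, self.name)
        if pseudonym is None:
            return "Access denied"
        self.accounts.setdefault(pseudonym, {"visits": 0})["visits"] += 1
        return f"Welcome {pseudonym}"


def run_demo() -> dict:
    """Walks through both figures and reports what each party can link."""
    authority = Authority()
    authority.register("alice", "correct horse battery staple")  # constructed
    service_a = Service("Service A", authority)
    service_b = Service("Service B", authority)

    # Figure 1: Alice authenticates once, then visits two services.
    handle = authority.login("alice", "correct horse battery staple")
    pid_a = service_a.visit(handle).split()[-1]
    pid_b = service_b.visit(handle).split()[-1]
    pid_a_again = service_a.visit(handle).split()[-1]  # same service, same number

    # Figure 2: whoever obtained Alice's one secret (the handle) is "Alice"
    # to every service in the federation; an unknown handle gets "I don't know".
    impersonator = service_b.visit(handle)
    stranger = service_a.visit("not-a-real-handle")

    return {
        "pid_a": pid_a,
        "pid_b": pid_b,
        "stable": pid_a == pid_a_again,
        # Services A and B share no identifier, so they cannot join their records...
        "services_can_link": bool(set(service_a.accounts) & set(service_b.accounts)),
        # ...but the authority's log ties both pseudonyms to "alice".
        "authority_can_link": {s for u, s, _ in authority.pseudonym_log if u == "alice"}
                              == {"Service A", "Service B"},
        "impersonator": impersonator,
        "stranger": stranger,
        "bad_password": authority.login("alice", "wrong") is None,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The dictionary `run_demo()` returns records the three points the figures make: the two services hold different numbers and cannot link them on their own, the Authority's log can, and the stolen handle is welcomed under Alice's number at every service.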

Use-case: Secure Channel

[Figure: Government of Canada Secure Channel. A Citizen on the Internet reaches a Department's Public web server. The Department's SC protected contents sit behind a Gateway on SCNet that provides log in / registration, session management, epass storage and a PID/MBUN table; each Department's records are keyed by its own MBUN (Meaningless But Unique Number).]

Secure Channel SSO

[Figure (two slides): the Citizen logs in once at Secure Channel with a User ID and Password (chrisp on the first slide, cpaquin on the second); Secure Channel then hands each Department a different MBUN for that citizen, so no two Departments share an identifier for the same person.]

Part IV: User-Centric I&AM

What is user-centric I&AM

• Recent umbrella term for many identity systems/technologies, aiming to
  • respect the laws of identity
  • build on open standards to create an identity meta-system
• User is in control of the identity data flow
  • Either initiates or participates in data exchanges

[Figure: Alice in the middle, between the Identity Provider (Accounts) on one side and Service A and Service B on the other; every exchange passes through her.]

Windows CardSpace

• Microsoft's system released with Vista
• Built on top of the identity meta-system
• Identity "claims" packaged as identity cards (InfoCards) managed by the user
  • Managed card: issued by a trusted party
  • Self-issued card: created by the user, to replace username/password and form fillers
• Actual data is stored at identity providers (claim tokens are retrieved as needed)

Windows CardSpace (data sharing)

[Figure: the Relying party (with its Accounts) asks Alice "Are you over 18?". Alice asks the Identity Provider (with its Accounts) "I'm Alice. Please assert that I'm over 18"; the Identity Provider establishes who this is ("It's Alice") and returns an "Over 18" claim token, which Alice presents to the Relying party: "Welcome".]

Windows CardSpace (data sharing)

[Figure: the same exchange for a second user, John, who is not over 18 ("No I'm not…"). Asked "Are you over 18?", John decides "I need to assert that I'm over 18"; the slide's labels "I'm John. Please assert that I'm over 18", "It's Alice", "Over 18" and "Welcome" show an "Over 18" token obtained on Alice's identity being accepted for John: the credential-transfer (lending) fraud listed earlier under security & privacy requirements.]

OpenID

• An open, decentralized, free framework for user-centric digital identity
• For authentication
  • Everyone has an identifier (e.g. a URL)
  • You prove ownership of the URL
• To log in:
  • User types her identifier
  • Service redirects the user to the OpenID provider
  • OpenID provider authenticates the user
• Pros:
  • Simple, free, open
  • Step up from username/password
• Cons
  • Low security: trivial phishing → identity theft across all services
• Community works on a new version to address the security vulnerabilities

OpenID protocol

1. User is presented with an OpenID login form by the Consumer

2. User responds with the URL that represents their OpenID

3. Consumer canonicalizes the OpenID URL and uses the canonical version to request (GET) a document from the Identity Server

4. Identity Server returns the HTML document named by the OpenID URL

5. Consumer inspects the HTML document header for <link/> tags with the attribute rel set to openid.server and, optionally, openid.delegate. The Consumer uses the values in these tags to construct a URL with mode checkid_setup for the Identity Server and redirects the User Agent. This checkid_setup URL encodes, among other things, a URL to return to in case of success and one to return to in the case of failure or cancellation of the request

6. The OpenID Server returns a login screen

7. User sends (POST) a login ID and password to the OpenID Server

8. OpenID Server returns a trust form asking the User if they want to trust the Consumer (identified by URL) with their Identity

9. User POSTs the response to the OpenID Server

10. User is redirected to either the success URL or the failure URL returned in (5), depending on the User's response

11. Consumer returns the appropriate page to the User, depending on the action encoded in the URL in (10)
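The Consumer's part of steps 3 and 5 above, plus the return_to / trust_root check an OpenID Server should apply before showing the login screen of step 6, as an added Python example; it is not code from the tutorial or from any OpenID library. The identity page, the host names, the return_to and trust_root URLs and the simplified canonicalization rules are assumptions of this demo.

```python
import html.parser
from urllib.parse import urlencode, urlsplit, urlunsplit

# Added example (not from the tutorial or from any OpenID implementation).
# Constructed stand-in for the document the Identity Server returns in step 4.
SAMPLE_IDENTITY_PAGE = """<html><head>
  <title>Alice</title>
  <link rel="openid.server" href="https://op.example.net/server">
  <link rel="openid.delegate" href="https://op.example.net/users/alice">
</head><body><p>Alice's home page</p></body></html>"""


def canonicalize(identifier: str) -> str:
    """Step 3 (simplified OpenID 1.x normalization, an assumption of this demo):
    add http:// when no scheme was typed, lower-case scheme and host, use "/"
    for an empty path, and drop any fragment."""
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


class _OpenIDLinkParser(html.parser.HTMLParser):
    """Step 5: collect <link rel="openid.server"> and <link rel="openid.delegate">
    from the document head; the first occurrence of each wins."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
        elif tag == "link" and self._in_head:
            a = dict(attrs)
            rel = (a.get("rel") or "").strip().lower()
            if rel in ("openid.server", "openid.delegate") and a.get("href"):
                self.links.setdefault(rel, a["href"])

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover(identity_page: str) -> dict:
    parser = _OpenIDLinkParser()
    parser.feed(identity_page)
    parser.close()
    return parser.links


def build_checkid_setup(claimed_id: str, identity_page: str,
                        return_to: str, trust_root: str) -> str:
    """Step 5: the URL the Consumer redirects the User Agent to. When
    openid.delegate is present, that URL (not the claimed one) is sent as
    openid.identity, and the Consumer must remember the mapping for step 11."""
    links = discover(identity_page)
    server = links.get("openid.server")
    if not server or urlsplit(server).scheme not in ("http", "https"):
        raise ValueError("no usable openid.server link in identity page")
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": links.get("openid.delegate", claimed_id),
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    joiner = "&" if "?" in server else "?"
    return server + joiner + urlencode(params)


def return_to_matches_trust_root(return_to: str, trust_root: str) -> bool:
    """OpenID Server side: refuse a checkid_setup whose return_to is not under
    the trust_root it will ask the user to trust in step 8, so the trust form
    names the site that actually receives the assertion. A leading "*." in the
    trust_root host covers that domain and its subdomains."""
    rt, tr = urlsplit(return_to), urlsplit(trust_root)
    if rt.scheme != tr.scheme or rt.port != tr.port:
        return False
    rt_host, tr_host = (rt.hostname or ""), (tr.hostname or "")
    if tr_host.startswith("*."):
        base = tr_host[2:]
        if not (rt_host == base or rt_host.endswith("." + base)):
            return False
    elif rt_host != tr_host:
        return False
    return (rt.path or "/").startswith(tr.path or "/")
```

Note what the Consumer does not check: it sends the User Agent to whatever openid.server the discovered page names, and a rogue Consumer can just as well redirect to a look-alike login page. That is the phishing weakness the previous slide flags; the trust_root check only keeps an honest OpenID Server from handing an assertion to a return_to outside the site the user agreed to trust.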

Part V: Building in Privacy

Classic technologies drawbacks

• Usernames/passwords
  • Low security
  • Vulnerable to phishing
  • Don't support data sharing
• Kerberos
  • Traceable and linkable (every ticket comes from the KDC and names the client)
  • Requires online access to the authority
  • Doesn't support cross-domain data sharing
• X.509 certificates
  • Traceable and linkable (by the issuer's signature)
  • Only support data sharing of anticipated claims
  • Revocation check may involve a real-time connection to the issuer

Privacy-enhancing technologies (PET)

• Set of modern cryptographic techniques that enhance/preserve/protect the privacy of users when interacting with service and identity providers
• Encompasses many technologies: encryption (confidentiality), policy (P3P), anonymous access (onion routing, e.g. Tor)
• Of interest here: "data PET", to prove who you are in a specific context and what your credentials are, while meeting the laws of identity:
  1. User Control and Consent
  2. Minimal Disclosure
  3. Justifiable Parties
  4. Directed Identity

PET features

[Figure: Alice between an Issuer and a Verifier, with a "?" on the link between Issuer and Verifier.]

SSO revisited

[Figure: the Issuer (Token Service) knows Alice as Name: Alice Smith, DOB: 1973/08/24 and has given her three tokens; her token list reads a9e28b3c74 → Service A, 9b87f3c4dd2 (unlinked), f88e37ba221 (unlinked). Alice logs in to Service A (account AliceS, holding Name: Alice Smith, DOB: 1973/08/24) with token a9e28b3c74 and is shown the Service A page. Service B and Service C each keep their own Accounts.]

SSO revisited

[Figure: Alice now uses a different token at each service, so her token list reads a9e28b3c74 → Service A, 9b87f3c4dd2 → Service B, f88e37ba221 → Service C. At Service B her account is ASmith (Address: 1010 Sherbrooke, Postal code: H3A 2R7) and she is shown the Service B page; Service A still knows her as AliceS (Name: Alice Smith, DOB: 1973/08/24). None of the three tokens can be linked to the others or back to the Issuer (Token Service).]

Data sharing revisited

[Figure: Service C tells Alice "You need to be over 18 to access this service". Alice holds accounts at Service A (AliceS: Name: Alice Smith, DOB: 1973/08/24) and Service B (ASmith: Address: 1010 Sherbrooke, Postal code: H3A 2R7), plus tokens from the Issuer (Token Service). She presents an "Over 18" proof derived from the Service A data and is let in: "Welcome", followed by the Service C page.]

Data sharing revisited

[Figure: what each party holds. Service A: Name, DOB (AliceS: Name: Alice Smith, DOB: 1973/08/24). Service B: Address, Postal code (ASmith: Address: 1010 Sherbrooke, Postal code: H3A 2R7). Service C: its own Accounts. The Issuer (Token Service) sits apart from all three.]

Data sharing revisited

[Figure: Service C now requires "You must be over 18 and from Quebec to access this service." Alice assembles a proof from two sources: from Service A (Name, DOB) the statement "DOB 18+", and from Service B (Address, Postal code) a postal-code proof, while her full records (Name: Alice Smith, DOB: 1973/08/24 under AliceS; Address: 1010 Sherbrooke, Postal code: H3A 2R7 under ASmith) stay where they are. Service C answers "Welcome" and shows its page.]
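The unlinked tokens of "SSO revisited" and the "Over 18" proof of "Data sharing revisited" both rest on one property: the Issuer signed the token, yet cannot recognise it when a service presents it. The Python below is an added illustration of that property using Chaum-style RSA blind signatures; it is not the tutorial's own construction nor the scheme Credentica's products use, and the tiny hard-coded primes, the "over 18" statement key and the token serials are assumptions made so it runs stand-alone.

```python
import hashlib
import secrets
from math import gcd

# Added example, not the tutorial's technique: Chaum-style RSA blind
# signatures as a minimal model of an issuer-unlinkable token. The modulus is
# built from two tiny hard-coded primes so the demo is self-contained; it is
# NOT secure at this size.
P, Q = 10007, 10009                  # constructed toy primes
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # issuer's private exponent (Python 3.8+)

# Convention borrowed from Chaum's e-cash: this key pair is used for exactly
# one statement, so holding a valid signature under it *is* the claim.
STATEMENT = "over 18"


def _message(serial: str) -> int:
    """Token content the Verifier checks: the statement plus a per-token
    serial chosen by the user, hashed into the RSA group."""
    digest = hashlib.sha256(f"{STATEMENT}|{serial}".encode()).digest()
    return int.from_bytes(digest, "big") % N


def user_blind(serial: str):
    """Alice: hide the token behind a random blinding factor r before issuance."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (_message(serial) * pow(r, E, N)) % N
    return r, blinded


def issuer_sign(blinded: int, issuer_log: list) -> int:
    """Issuer (Token Service): after checking Alice's DOB in its own records,
    signs the blinded value. It logs what it saw, which is all it can link on."""
    issuer_log.append(blinded)
    return pow(blinded, D, N)


def user_unblind(blind_signature: int, r: int) -> int:
    """Alice: strip r to obtain a plain RSA signature on the unblinded message."""
    return (blind_signature * pow(r, -1, N)) % N


def verifier_check(serial: str, signature: int) -> bool:
    """Service C: accept the "over 18" token iff the signature verifies under
    the issuer's public key. Nothing here names Alice."""
    return pow(signature, E, N) == _message(serial)


def run_demo() -> dict:
    issuer_log = []
    tokens = {}
    # One token per service, as in the figures: three serials, three services.
    for service in ("Service A", "Service B", "Service C"):
        serial = secrets.token_hex(5)
        r, blinded = user_blind(serial)
        sig = user_unblind(issuer_sign(blinded, issuer_log), r)
        tokens[service] = (serial, sig)
    presented = {s: verifier_check(serial, sig) for s, (serial, sig) in tokens.items()}
    # What the issuer logged never equals anything a service receives, and for
    # any logged value there is a blinding factor consistent with any presented
    # token, so the issuer cannot tell which issuance produced which token; the
    # services cannot link them either, since every serial is different.
    seen_by_services = ({sig for _, sig in tokens.values()}
                        | {_message(serial) for serial, _ in tokens.values()})
    # A token presented with the wrong serial (e.g. lent and re-labelled) fails.
    mismatched = verifier_check(tokens["Service C"][0], tokens["Service B"][1])
    return {
        "all_accepted": all(presented.values()),
        "issuer_can_match": bool(set(issuer_log) & seen_by_services),
        "tokens_distinct": len({serial for serial, _ in tokens.values()}) == 3,
        "mismatched_token_rejected": not mismatched,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

What the Verifier learns is exactly "over 18" plus a serial it has never seen before; what the Issuer keeps is a list of blinded values that match nothing the services hold. A real token system also has to stop the lending problem from the CardSpace slide (the same token reused by someone else), which a bare blind signature does not address; that is where the "?" on the PET features slide sits.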