Christian Paquin
May 1st, 2007
Identity Management Techniques – CFP 2007 Tutorial
Copyright © 2007 Credentica Inc. All Rights Reserved.
Contents
1. Identity and access management
2. Centralized I&AM
3. Federated I&AM
4. User-centric I&AM
5. Building in privacy
Identity & access management (I&AM)
• What is identity & access management
  • Who is a user (identity)
  • What can a user do (roles, claims, assertions, credentials)
  • Management of the life-cycle of identity information (expiration, revocation)
• Goals of I&AM
  • Improve access to online services (usability)
  • Reduce costs and improve productivity
  • Connect more and more systems
• Actors
  • User (a.k.a. subject)
  • Identity provider (a.k.a. issuer, authority)
  • Service provider (a.k.a. relying party, verifier)
Use-case: single sign-on (SSO)
• User authenticates once to access various independent services in one session
[Figure: Alice authenticates to the Authority (Accounts); Services A, B and C each keep their own Accounts.]
Use-case: data-sharing
• Different independent services can exchange data about a user
[Figure: Alice, the Authority (Accounts) and Services A, B and C (Accounts) exchanging data about her.]
Security & privacy requirements
• Avoid unwanted tracing and linking powers (user profiling)
  • By the central party, the services, or both! (collusion)
• Prevent denial-of-service attacks
  • Avoid bottlenecks: one server down, system down
• Prevent impersonation attacks (identity theft)
  • By virus, hacker, insider (admin), another user
• Prevent user fraud
  • Credential transfer (lending, pooling), discarding
Laws of identity (Cameron & Cavoukian)
1. User Control and Consent
2. Minimal Disclosure
3. Justifiable Parties
4. Directed Identity
5. Pluralism of Operators & Technologies
6. Human Integration
7. Consistent Experience across Contexts
See http://www.identityblog.com/?page_id=354
Similar to the Fair Information Principles
What is centralized I&AM
• Identity and authorization data is stored and managed by a central authority
• Services query the central authority to make access decisions or learn attributes
• Pros:
  • Simple to deploy and administer in a closed environment
• Cons:
  • Security and privacy problems in a cross-domain, multi-jurisdiction setting
• Good for enterprise I&AM (for internal employees) or in a single domain (e.g. bank with its customers)
Enterprise I&AM
• I&AM in an enterprise to manage the identity of its employees
• One server (directory) holds the identity data
• E.g.: LDAP, Kerberos, many, many more
• What happens when the enterprise’s boundaries get fuzzy?
  • External employees
  • Partners
  • Contractors
Use-case: Microsoft Passport
• Authentication and data held by Microsoft’s server
• Good for Microsoft’s services (e.g. Hotmail) but not for 3rd parties (e.g. eBay)
[Figure: Alice authenticates to Passport (Accounts); Services A and B rely on it.]
What is federated I&AM
• Virtual unification of identity systems
• Central authority facilitates (in the federation)
  • authentication and access to the services
  • data exchanges between the services
• Many standards: SAML, Liberty Alliance, WS-Federation, Shibboleth
• Liberty Alliance: consortium of organizations that develops interoperable I&AM specifications (many use cases)
• Pros
  • Bridge between the identity silos
  • Simplicity for services
• Cons
  • Central authority sees a lot of information
  • One secret lost: identity theft across the federation
Federated identity management (SSO)
[Figure: Alice, the Authority (Accounts) and Services A, B and C (Accounts). Speech bubbles: Authority to Alice "Who are you?", Alice "I’m Alice"; Services A and B to the Authority "Who is this?"; Authority replies "It’s 7298592", "It’s Alice", "It’s 5209481"; the services reply "Welcome 7298592" and "Welcome 5209481".]
Federated identity management (SSO)
[Figure: the same setting with an Impersonator. Alice’s account identifiers shown: 5209481, 7298592, 2856387. Speech bubbles: "Who is this?" / "I don’t know"; "Who is this?" / "It’s 7298592" / "Welcome 7298592"; "It’s Alice" / "Welcome 5209481".]
Use-case: Secure Channel
[Figure: a Citizen on the Internet reaches a Department’s public web server through Secure Channel (SCNet). Components: Gateway, epass storage, Session management, Log in / registration, PID/MBUN table, SC protected contents; each Department receives an MBUN (Meaningless But Unique Number).]
Secure Channel SSO
[Figure: the Citizen logs in to Secure Channel (User ID: chrisp, Password: ********); Secure Channel passes an MBUN to each Department.]
Secure Channel SSO
[Figure: the same login as cpaquin, with an MBUN flowing to each of the Departments.]
What is user-centric I&AM
• Recent umbrella term for many identity systems/technologies, aiming to
  • respect the laws of identity
  • build on open standards to create an identity meta-system
• User is in control of the identity data flow
  • Either initiates or participates in data exchanges
[Figure: Alice between an Identity Provider (Accounts) and Services A and B.]
Windows CardSpace
• Microsoft’s system released with Vista
• Built on top of the identity meta-system
• Identity “claims” packaged as identity cards (InfoCards) managed by the user
  • Managed card: issued by a trusted party
  • Self-issued card: created by the user, to replace username/password and form fillers
• Actual data is stored at identity providers (claim tokens are retrieved as needed)
Windows CardSpace (data sharing)
[Figure: Alice between a Relying party (Accounts) and an Identity Provider (Accounts). Relying party: "Are you over 18?"; Alice to the Identity Provider: "I’m Alice. Please assert that I’m over 18" ("Who is this?" / "It’s Alice"); the Identity Provider issues the claim "Over 18"; Relying party: "Welcome".]
Windows CardSpace (data sharing)
[Figure: the same parties with Alice and John. Speech bubbles: "Are you over 18?", "I need to assert that I’m over 18", "I’m John. Please assert that I’m over 18", "It’s Alice", "No I’m not…", "Over 18", "Welcome".]
OpenID
• An open, decentralized, free framework for user-centric digital identity
• For authentication
  • Everyone has an identifier (e.g. URL)
  • You prove ownership of the URL
• To login:
  • User types her identifier
  • Service redirects the user to the OpenID provider
  • OpenID provider authenticates the User
• Pros:
  • Simple, free, open
  • Step up from username/password
• Cons
  • Low security: trivial phishing leads to identity theft across all services
• Community works on a new version to address security vulnerabilities
OpenID protocol
1. User is presented with an OpenID login form by the Consumer
2. User responds with the URL that represents their OpenID
3. Consumer canonicalizes the OpenID URL and uses the canonical version to request (GET) a document from the Identity Server
4. Identity Server returns the HTML document named by the OpenID URL
5. Consumer inspects the HTML document header for <link/> tags with the attribute rel set to openid.server and, optionally, openid.delegate. The Consumer uses the values in these tags to construct a URL with mode checkid_setup for the Identity Server and redirects the User Agent. This checkid_setup URL encodes, among other things, a URL to return to in case of success and one to return to in the case of failure or cancellation of the request
6. The OpenID Server returns a login screen
7. User sends (POST) a login ID and password to the OpenID Server
8. OpenID Server returns a trust form asking the User if they want to trust the Consumer (identified by URL) with their Identity
9. User POSTs response to OpenID Server
10. User is redirected to either the success URL or the failure URL returned in (5), depending on the User response
11. Consumer returns appropriate page to User depending on the action encoded in the URL in (10)
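The Consumer side of steps 3 and 5, as an added example that is not part of the tutorial and not the code of any OpenID implementation: canonicalize the identifier, find the openid.server / openid.delegate link tags in a constructed sample identity page, and build the checkid_setup redirect with the OpenID 1.1 parameter names (openid.identity, openid.return_to, openid.trust_root). The check that return_to lies under the Consumer's own trust_root is the defensive check a Consumer should make before redirecting.

```python
# Added example (not from the slides or any OpenID library): the Consumer side of
# steps 3 and 5 of OpenID 1.x, with the OpenID 1.1 parameter names. SAMPLE_PAGE
# is a constructed identity page (what the Identity Server returns in step 4).
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit

SAMPLE_PAGE = """<html><head>
<link rel="openid.server" href="https://idp.example/openid/auth">
<link rel="openid.delegate" href="https://idp.example/users/alice">
</head><body>Alice's page</body></html>"""

def canonicalize(identifier):
    """Step 3: add a scheme if missing, lower-case the host, default the path."""
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    return f"{parts.scheme}://{parts.netloc.lower()}{parts.path or '/'}"

class _LinkFinder(HTMLParser):
    """Collects <link rel="openid.server"> and <link rel="openid.delegate">."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href") and a.get("rel") in ("openid.server", "openid.delegate"):
            self.links[a["rel"]] = a["href"]

def discover(html):
    """Step 5a: endpoint (and optional delegate) named by the identity page."""
    finder = _LinkFinder()
    finder.feed(html)
    if "openid.server" not in finder.links:
        raise ValueError("identity page has no openid.server link")
    return finder.links

def checkid_setup_url(html, claimed_id, return_to, trust_root):
    """Step 5b: the checkid_setup URL the User Agent is redirected to."""
    links = discover(html)
    # Only accept a return_to under the Consumer's own trust_root (simplified prefix check).
    if not return_to.startswith(trust_root):
        raise ValueError("return_to must lie under trust_root")
    params = {"openid.mode": "checkid_setup",
              "openid.identity": links.get("openid.delegate", claimed_id),  # delegate wins
              "openid.return_to": return_to,
              "openid.trust_root": trust_root}
    sep = "&" if "?" in links["openid.server"] else "?"
    return links["openid.server"] + sep + urlencode(params)
```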
Classic technologies: drawbacks
• Usernames/passwords
  • Low security
  • Vulnerable to phishing
  • Don’t support data sharing
• Kerberos
  • Traceable and linkable (by issuer’s signature)
  • Requires online access to the authority
  • Doesn’t support cross-domain data sharing
• X.509 certificates
  • Traceable and linkable (by issuer’s signature)
  • Only supports data sharing of anticipated claims
  • Revocation check may involve a real-time connection to the issuer
Privacy-enhancing technologies (PET)
• Set of modern cryptographic techniques that enhance/preserve/protect the privacy of users when interacting with service and identity providers
• Encompasses many technologies: encryption (confidentiality), policy (P3P), anonymous access (onion routing, e.g. Tor)
• Of interest here: “data PET”, to prove who you are in a specific context and what your credentials are, while meeting the laws of identity:
  1. User Control and Consent
  2. Minimal Disclosure
  3. Justifiable Parties
  4. Directed Identity
SSO revisited
[Figure: Alice obtains a credential (Name: Alice Smith, DOB: 1973/08/24) from the Issuer’s Token Service and presents a token to Service A, which opens her account AliceS and returns a page. Token ID / Service table: a9e28b3c74, 9b87f3c4dd2, f88e37ba221, each marked (unlinked). Service B and Service C (Accounts).]
SSO revisited
[Figure: Alice also logs in to Service B with a second token, opening account ASmith (Address: 1010 Sherbrooke, Postal code: H3A 2R7); Service A holds AliceS (Name: Alice Smith, DOB: 1973/08/24). Token ID / Service table: a9e28b3c74 Service A, 9b87f3c4dd2 Service B, f88e37ba221 Service C. Issuer (Token Service), Service C (Accounts).]
Data sharing revisited
[Figure: Alice holds the credentials Name: Alice Smith, DOB: 1973/08/24 (account AliceS at Service A) and Address: 1010 Sherbrooke, Postal code: H3A 2R7 (account ASmith). Service C: "You need to be over 18 to access this service"; Alice presents the claim "Over 18"; Service C: "Welcome" and returns a page. Issuer (Token Service), Service B (Accounts).]
Data sharing revisited
[Figure: what each party holds. Service A: Alice’s Name and DOB (AliceS: Alice Smith, 1973/08/24); Service B: her Address and Postal code (ASmith: 1010 Sherbrooke, H3A 2R7); Issuer (Token Service); Service C (Accounts).]
Data sharing revisited
[Figure: Service C: "You must be over 18 and from Quebec to access this service." Alice combines what Service A holds (Name, DOB, shown as 18+) and what Service B holds (Address, Postal code) into a proof presented to Service C; Service C: "Welcome" and returns a page. Credentials: Name: Alice Smith, DOB: 1973/08/24 (AliceS); Address: 1010 Sherbrooke, Postal code: H3A 2R7 (ASmith). Issuer (Token Service).]