fido, pki & beyond: where authentication meets identification
TRANSCRIPT
1 15.05.2014
FIDO and PKI: Building a trusted ecosystem for authentification and identification
16th of May, 2014, Munich
Dr. Kim Nguyen, Chief Scientist Security, Technology, Bundesdruckerei GmbH
Managing Director, D-Trust GmbH
FIDO Workshop. Munich, 2014-05-16 2
Agenda
1
• Establishing a trusted ecosystem for FIDO • Mechanisms useful for this (partly derived from the
standard PKI ecosystem)
2 • FIDO and beyond • Adding identification to authentification
3 • Demo • Post Issuance of certificate onto FIDO token
FIDO Workshop. Munich, 2014-05-16 3
FIDO AND PKI?
FIDO is an authentication system based on asymmetric cryptography without the typical PKI directory services on end user level
An ecosystem will be needed to establish trust in FIDO tokens for relying parties nevertheless.
Elements of this ecosystem could be modelled closely after mechanisms successfully established in classical PKI systems
FIDO Workshop. Munich, 2014-05-16 4
Establishing trust -
Four dimensions
FIDO Workshop. Munich, 2014-05-16 5
Establishing Trust
FIDO
Trusted Protocols
Trusted key
storage
Trusted ecosystem
Trusted Personali-
zation
FIDO Workshop. Munich, 2014-05-16 6
Establishing Trust: Trusted protocols
FIDO
Trusted Protocols
Trusted key
storage
Trusted ecosystem
Trusted Personali-
zation
FIDO Workshop. Munich, 2014-05-16 7
Establishing Trust: Trusted protocols
• Protocols are published openly by FIDO Alliance • Widespread adoption is the goal Open
• Thorough review process both from within FIDO as well as from outside experts
Reviewed
• Protocols build on standardized and widely accepted cryptographic primitives and mechanisms
Standardized
FIDO Workshop. Munich, 2014-05-16 8
Establishing Trust: Trusted key storage
FIDO
Trusted Protocols
Trusted key
storage
Trusted ecosystem
Trusted Personali-
zation
FIDO Workshop. Munich, 2014-05-16 9
Establishing Trust: Trusted key storage
• Requirements for key storage will vary according to the criticality of use cases
Specific
• Different use cases will most likely require different trust levels
• Soft token and storage in hardware are both possible
Different Trust levels
• Key handling should take into account best practices, esp. with respect to key generation and storage
• Certification can demonstrate this (e.g. Common Criteria certification of hardware)
Certification
FIDO Workshop. Munich, 2014-05-16 10
Establishing Trust: Trusted personalization
FIDO
Trusted Protocols
Trusted key
storage
Trusted ecosystem
Trusted Personali-
zation
FIDO Workshop. Munich, 2014-05-16 11
Establishing Trust: Trusted personalization
• Personalization of key material into token must guarantee integrity of key material (assertion key)
Integrity
• Key material (assertion keys) must be kept confidential
Confidentiality
• Personalization procedures should be documented
• Review/certification by independent third parties, modeled after common PKI standards
Transparency
FIDO Workshop. Munich, 2014-05-16 12
Establishing Trust: Trusted ecosystem
FIDO
Trusted Protocols
Trusted key
storage
Trusted ecosystem
Trusted Personali-
zation
FIDO Workshop. Munich, 2014-05-16 13
Establishing Trust: Trusted ecosystem
• Availibility of trusted metadata will be necessary to establish trust in FIDO token by relying parties
• Integrity and authenticity of this meta data needs to be secured -> classical PKI topic
Reliability
• Publication of organizational and technical processes for backend mechanisms
• Modelled after already widely accepted scenarios (e.g. SSL / ETSI/ CABF)
Transparency
• Certification is a good way to prove the compliance by independent audit bodies
• Again, widely accepted scenarios already exist in the PKI world (ETSI/CABF/ISO 27001)
Certification
FIDO Workshop. Munich, 2014-05-16 14
FIDO and beyond -
Joining authentication
and identification
FIDO Workshop. Munich, 2014-05-16 15
Authentification and Identification
Classical PKI based mechanisms typically mix elements of authentication and identification
FIDO mechanisms allow a clear differentation between authentication and identification
Positive aspects both for the relying party as well as the user (data protection, provide only the minimum amount of data required)
FIDO Workshop. Munich, 2014-05-16 16
AUTHENTICATION AND IDENTIFICATION WORLDS
Typically, no interaction between these worlds exist
„Proprietary“ authentication systems,
e.g. username/ password, AppleID,
token …
Governmental eID Solutions
With officially verified ID
FIDO Workshop. Munich, 2014-05-16 17
BRIDGING THE WORLDS
„Proprietary“ authentication systems,
e.g. username/ password, AppleID,
token …
Governmental eID Solutions
With officially verified ID
Bridging the world offers advantages for both users and relying parties
FIDO Workshop. Munich, 2014-05-16 18
Layered Authentication/Identification model for FIDO and PKI
u2f: Token only
uaf: Token + PIN/Biometrics
PKI: Token + Certificate
PKI …
Recognition w/o identification
Recognition with user consent but w/o
identification
Recognition , user consent,
identification
Different levels of identification possible
…
Asce
ndin
g le
vel o
f co
mpl
exity
Asce
ndin
g le
vel o
f id
entif
icat
ion
FIDO Workshop. Munich, 2014-05-16 19
THE SOLUTION: THE TOKEN
FIDO enabled
PKI enabled
One token – Two worlds
FIDO Workshop. Munich, 2014-05-16 20
THE SOLUTION: THE TOKEN
CC Certified chip hardware and chip operating system (CC EAL4+)
FIDO ready certified application, PKI application pre-installed
PKI application certified according to European standards for Secure signature creation devices
FIDO Workshop. Munich, 2014-05-16 21
USE CASES
Authentication using FIDO
Post issuance
of PKI cert
PKI based Signing/
Encryption
Authentication
Identification
FIDO Workshop. Munich, 2014-05-16 22
TWO INTERESTING MIGRATION SCENARIOS
Move an existing PKI ecosystem to a PKI+FIDO ecosystem
Move an existing FIDO ecosystem to a FIDO+PKI ecosystem
FIDO Workshop. Munich, 2014-05-16 23
SUMMARY
FIDO offers a new userfriendly approach to authentication – FIDO is the future
Trust in FIDO mechanism will rely both on trust into the token as well as in the ecosystem
FIDO can be combined easily with (PKI based) identification mechanisms – bridging two worlds
FIDO Workshop. Munich, 2014-05-16 24
Thank you very much for your attention!
DEMO to follow …