identity systems - cfp.mit.educfp.mit.edu/events/apr2010/fenton identity systems 100415.pdf ·...


Page 1: Identity Systems - cfp.mit.educfp.mit.edu/events/apr2010/Fenton Identity Systems 100415.pdf · 15/04/2010  · !!User trust in their Identity Provider is fundamental Not all users

Jim Fenton

Identity Systems

Page 2

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public Fenton 091120 2

“Defining identity is like nailing Jell-O® to the wall.”

– Source Uncertain

Flickr photo by stevendepolo

Page 3

Terminology

- Subject
  - The person (usually) whose identity is involved
  - Sometimes called the User
- Relying Party
  - The entity the Subject is interacting with
  - Sometimes called the Service Provider
- Attribute
  - A piece of information about the Subject
  - Sometimes called a Claim

Page 4

A Basic Identity System

[Diagram: Identity Provider connected to Government, Commerce and Social Media relying parties; arrow labelled "Authentication Request"]

Page 5

A Basic Identity System

[Diagram: Identity Provider connected to Government, Commerce and Social Media relying parties; arrows labelled "User Authentication" and "User Credentials"]

Page 6

A Basic Identity System

[Diagram: Identity Provider connected to Government, Commerce and Social Media relying parties; arrows labelled "Authorize Info Release" and "Attribute Request/Response"]

Page 7

Elements of Identity Management

Authentication          Establish who the Subject is
Credential Management   Prove to Relying Parties who the Subject is
Attribute Management    Provide information about the Subject

Page 8

User Trust

- User trust in their Identity Provider is fundamental
  - Not all users trust any one entity
  - Most likely to trust entities they do business with and strong, trusted brands
  - Different trusted entities in different cultures
- An ecosystem of identity providers is required
  - Users need to choose their own identity provider
  - Need to consider ability to migrate to a different provider if required

Page 9

Authentication

Flickr photo by shannonpatrick17

Page 10

Authentication Methods

- Methods useful for user authentication are situation-specific
  - Type of endpoint being used
  - Required authentication strength (transaction value, etc.)
- Problem: Many existing identity systems are bound tightly to specific authentication methods

Page 11

Authentication Strength

- Authentication strength should depend on transaction value
  - iTunes purchase (99 cents) vs. vehicle purchase
- NIST Special Pub 800-63 defines 4 levels:
  - Level 1: Minimal challenge/response
  - Level 2: Single-factor identity proofing
  - Level 3: Multi-factor identity proofing
  - Level 4: Hardened multi-factor
- Relying party specifies the required strength to the identity management system
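The "relying party specifies the required strength" flow on this slide, as an added Python example that is not from the slides: the value thresholds, the evidence-to-level mapping and all names are assumptions for illustration.

```python
# Added example (not from the slides): a relying party turns transaction value
# into a required NIST SP 800-63 level, and the identity management system
# checks whether the authentication it actually performed meets that level.
# The thresholds and the evidence-to-level mapping are assumptions.
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Assumed policy: transaction value (USD) up to this ceiling -> minimum level.
VALUE_THRESHOLDS = [(10.00, 1), (1_000.00, 2), (25_000.00, 3)]


def required_level(transaction_value: float) -> int:
    """Relying party side: the level it demands for this transaction."""
    for ceiling, level in VALUE_THRESHOLDS:
        if transaction_value <= ceiling:
            return level
    return 4  # anything larger (e.g. a vehicle purchase) needs hardened multi-factor


@dataclass(frozen=True)
class AuthContext:
    """What the identity provider did to authenticate the Subject."""
    factors: FrozenSet[str]      # e.g. {"password", "otp", "hardware_token"}
    hardware_protected: bool     # credential held in a hardened device


def achieved_level(ctx: AuthContext) -> int:
    """Assumed mapping of authentication evidence onto the slide's four levels."""
    if len(ctx.factors) >= 2 and ctx.hardware_protected:
        return 4  # hardened multi-factor
    if len(ctx.factors) >= 2:
        return 3  # multi-factor
    if ctx.factors:
        return 2  # single factor
    return 1      # minimal challenge/response only


def authorize(transaction_value: float, ctx: AuthContext) -> dict:
    """Identity system side: allow, or tell the RP which level a step-up must reach."""
    need, have = required_level(transaction_value), achieved_level(ctx)
    step_up: Optional[int] = None if have >= need else need
    return {"required": need, "achieved": have, "allowed": have >= need, "step_up": step_up}


if __name__ == "__main__":
    password_only = AuthContext(frozenset({"password"}), False)
    print(authorize(0.99, password_only))       # 99-cent purchase: allowed
    print(authorize(30_000.00, password_only))  # vehicle purchase: step-up to level 4
```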

Page 12

Authentication Endpoint Diversity

- The Web is pervasive, but not everything is a browser
- Examples
  - Vending Machines
  - Set-top boxes
  - Doors (physical security)
- Modular approaches to authentication needed to consider a wide range of use cases

Page 13

Security Opportunities

- Users that authenticate frequently at a given service are more likely to detect anomalies
  - More likely to be suspicious about, for example, lack of a certificate
  - Browsers can be configured to specially flag "chosen" identity providers
- Identity providers can detect anomalous user behavior
  - Similar to detection of fraudulent credit card transactions
  - Business/policy framework should encourage this
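The identity-provider-side anomaly detection the slide compares to credit card fraud detection, as an added Python example that is not from the slides: it scores each successful login against the Subject's own recent history. The log lines, thresholds and names are constructed.

```python
# Added example (not from the slides): an identity provider scoring each
# authentication against the Subject's own recent history, in the spirit of the
# credit-card fraud analogy. The log lines and thresholds are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed log: (timestamp, subject, country, relying party, success)
EVENTS = [
    ("2010-04-15T08:00:00", "alice", "US", "bank.example", True),
    ("2010-04-15T08:30:00", "alice", "US", "shop.example", True),
    ("2010-04-15T09:10:00", "alice", "BR", "bank.example", False),
    ("2010-04-15T09:11:00", "alice", "BR", "bank.example", False),
    ("2010-04-15T09:12:00", "alice", "BR", "bank.example", False),
    ("2010-04-15T09:13:00", "alice", "BR", "bank.example", True),
    ("2010-04-15T10:00:00", "bob", "DE", "mail.example", True),
]
MAX_FAILURES_BEFORE_SUCCESS = 2   # assumed threshold
COUNTRY_CHANGE_WINDOW_H = 6       # assumed: a new country this soon after a login is suspect


def score_events(events):
    """Return (timestamp, subject, reasons) for each successful login that deserves review."""
    last_ok = {}                 # subject -> (time, country) of the last successful login
    failures = defaultdict(int)  # subject -> consecutive failures since the last success
    flagged = []
    for ts, subject, country, _rp, ok in events:
        if not ok:
            failures[subject] += 1
            continue
        now = datetime.fromisoformat(ts)
        reasons = []
        if failures[subject] > MAX_FAILURES_BEFORE_SUCCESS:
            reasons.append(f"success after {failures[subject]} failures")
        prev = last_ok.get(subject)
        if prev and prev[1] != country:
            hours = (now - prev[0]).total_seconds() / 3600
            if hours < COUNTRY_CHANGE_WINDOW_H:
                reasons.append(f"country changed {prev[1]}->{country} after {hours:.1f}h")
        failures[subject] = 0
        last_ok[subject] = (now, country)
        if reasons:
            flagged.append((ts, subject, reasons))
    return flagged


if __name__ == "__main__":
    for ts, subject, reasons in score_events(EVENTS):
        print(ts, subject, "; ".join(reasons))
```

A real provider would feed these flags into step-up authentication or user notification rather than blocking outright, since the slide's point is that the provider is well placed to notice, not to adjudicate.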

Page 14

Credential Management

Imagery supplied by Photodisc/Getty Images

Page 15

Credential Management: Functions

- Act as a "key cabinet" for the user
  - Each relying party has its own credentials
- Support Directed Identity
  - Prevent undesired release of correlation handles
  - Identifiers to Relying Parties are opaque by default
- Enforce secure use of credentials
  - Require use of secure channel (e.g., SSL)

Page 16

Directed Identity

- It should not necessarily be possible for different Relying Parties to correlate identifiers
  - Insurance company vs. supermarket account
  - Pseudonymous identifiers for tip hotlines
- Users may still choose to link relying parties' identifiers
- Attributes may also provide correlation handles
- Credential manager can be subpoenaed if appropriate
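The directed-identity and secure-channel functions from the previous two slides, as an added Python example that is not from the slides: a credential manager derives a separate opaque identifier per Relying Party, shares one only where the user linked the RPs, and refuses non-HTTPS release. HMAC-SHA256 as the derivation, the key and all names are assumptions for illustration.

```python
# Added example (not from the slides): a credential manager that hands each
# Relying Party its own opaque identifier for a Subject, so two RPs cannot
# correlate accounts by identifier unless the user linked them, and that refuses
# to release credentials over an insecure channel. Key derivation via HMAC-SHA256,
# the key and all names are assumptions for illustration.
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set
from urllib.parse import urlparse


class CredentialManager:
    def __init__(self, pairing_key: Optional[bytes] = None):
        # Secret held only by the credential manager; an RP cannot invert it.
        self._key = pairing_key or secrets.token_bytes(32)
        # subject -> RP hosts the user explicitly chose to link (slide: "may still choose to link")
        self._links: Dict[str, Set[str]] = {}

    def rp_identifier(self, subject: str, rp_url: str) -> str:
        """Opaque and stable per (Subject, RP); different for each unlinked RP."""
        url = urlparse(rp_url)
        if url.scheme != "https":
            raise ValueError("credentials are released only over a secure channel")
        group = self._link_group(subject, url.hostname)
        msg = f"{subject}\x00{group}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def link(self, subject: str, *hosts: str) -> None:
        """User-initiated: make these RPs see one shared identifier."""
        self._links.setdefault(subject, set()).update(hosts)

    def _link_group(self, subject: str, host: str) -> str:
        linked = self._links.get(subject, set())
        if host in linked:
            return "linked:" + ",".join(sorted(linked))
        return host
```

The identifier is opaque, but as the slide notes, attributes released alongside it (a birthdate, a postal address) can still act as correlation handles, so this only solves half the problem.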

Page 17

Security and Availability Issues

- Security
  - The credential store is a very high-value target
  - Credentials can be distributed to diffuse attack
  - High-level physical security is also required
- Availability
  - Failure of an Identity Manager may have severe impact on its Subjects
  - Solvable problem, but needs to be addressed

Page 18

Attribute Management

Page 19

Distributed Attributes

- Self-asserted attributes have limited utility
- Authoritative sources for different attributes come from different places
  - FICO scores from a credit bureau
  - Driving record from state Motor Vehicle Department
  - Proof of employment from employer
- Identity system has a role in locating trustable sources of attributes
- Attributes delivered as signed assertions

Page 20

Attribute Distribution: Example

[Diagram: Identity Provider, Healthcare Provider, Motor Vehicle Department and Wine Merchant; arrows labelled "Birthdate Request" and "Authorization Request"]

Page 21

Attribute Distribution: Example

[Diagram: Identity Provider, Healthcare Provider, Motor Vehicle Department and Wine Merchant; arrows labelled "Trust Negotiation" and "Release Authorization"]

Page 22

Attribute Distribution: Example

[Diagram: Identity Provider, Healthcare Provider, Motor Vehicle Department and Wine Merchant; arrow labelled "Birthdate Request"]

Page 23

Attribute Distribution: Example

[Diagram: Identity Provider, Healthcare Provider, Motor Vehicle Department and Wine Merchant; response labelled "4 July 1976 – DMV"]

Page 24

Attribute Trust

- Federation: Prearranged trust relationships
  - Personnel Security Clearances among Federal agencies
  - Business partners
- Accreditation: Indirect federation
  - Financial institutions, schools
  - Scales much better than direct federation
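The "attributes delivered as signed assertions" point from page 19, the DMV-to-Wine-Merchant birthdate example of pages 20 to 23, and the accreditation model on this slide, combined in one added Python example that is not from the slides. Per-issuer HMAC keys stand in for the issuers' public keys (a real deployment would use digital signatures), and every key, name and date is constructed.

```python
# Added example (not from the slides): an attribute provider issues a signed
# birthdate assertion and a relying party (the Wine Merchant) accepts it only
# from an issuer its accreditor vouches for. Per-issuer HMAC keys stand in for
# the issuers' public keys; every key, name and date here is constructed.
import hashlib
import hmac
import json
from datetime import date

# Constructed accreditation list: attribute -> issuers vouched for by the RP's accreditor.
ACCREDITED = {"birthdate": {"dmv.example"}}
# Constructed stand-in for issuer public keys held by the relying party.
ISSUER_KEYS = {"dmv.example": b"dmv-demo-key", "clinic.example": b"clinic-demo-key"}


def _canonical(claims: dict) -> bytes:
    # Deterministic encoding so issuer and verifier MAC exactly the same bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(issuer, key, subject, attribute, value, audience, expires):
    """Attribute provider side: bind the value to subject, audience and expiry."""
    claims = {"iss": issuer, "sub": subject, "aud": audience, "exp": expires, attribute: value}
    return {"claims": claims, "mac": hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()}


def verify_assertion(assertion, attribute, my_name, today):
    """Relying party side: returns the attribute value or raises ValueError."""
    c = assertion["claims"]
    if c.get("aud") != my_name:
        raise ValueError("assertion not addressed to this relying party")
    if date.fromisoformat(c["exp"]) < today:
        raise ValueError("assertion expired")
    if c["iss"] not in ACCREDITED.get(attribute, ()):
        raise ValueError(f"{c['iss']} is not accredited for {attribute}")
    expected = hmac.new(ISSUER_KEYS[c["iss"]], _canonical(c), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["mac"]):
        raise ValueError("signature check failed")
    return c[attribute]


def old_enough(birthdate: str, today: date, years: int = 21) -> bool:
    """What the Wine Merchant actually needs to decide from the released birthdate."""
    b = date.fromisoformat(birthdate)
    had_birthday = (today.month, today.day) >= (b.month, b.day)
    return today.year - b.year - (0 if had_birthday else 1) >= years
```

The audience check matters because the Subject's identifier in the assertion is the Wine Merchant's opaque one; an assertion issued for another relying party must not be replayable here.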

Page 25

Identity Provider Trust

- Identity Provider has a fiduciary responsibility
- To the Subject:
  - Must use credentials only for the proper Subject
- To Relying Parties:
  - Must associate attribute requests and responses reliably
- Identity Provider may coincidentally function as an Attribute Provider
  - Functions should be considered separate to maintain privacy

Page 26

Summary

Page 27

Observations

- Scaling is critical
  - Technical (protocol) aspects of scaling are a solved problem
  - Scaling of trust relationships is the real limitation
- Chosen technologies need to consider a very wide range of use cases
- An ecosystem of identity and attribute providers is needed
  - Need business models for these functions
  - Public policy should encourage constructive behavior and help these entities manage liability exposure

Page 28

Questions

Page 29