Transcript
Page 1: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Moritz Platt, 17 October 2014

Page 2: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Agenda

Introduction

Federated Identity Management

Secure Authentication

Identity Assurance

Implementation

Final Presentation on Secure Authentication and Attribute Sharing in Federated Identity Scenarios 2

Page 3: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Introduction

• Bachelor’s Thesis at TU Berlin in the field of Business Informatics
• Supervised by Institut für Telekommunikationssysteme (Institute for Telecommunications), Fachgebiet Offene Kommunikationssysteme (Department of Open Communication Systems)
• Supported by Bundesdruckerei

Research Questions

• How does a federated identity management system have to be designed to be attractive to end users and service providers?
• What are the security risks resulting from the use of identity management systems? How can they be diminished?
• How can a secure identity management system be implemented technically?

Page 4: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Federated Identity Management

Page 5: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

The Federated Identity Management Landscape

[Figure: diagram with the elements Individual User, Service Providers, Identity Providers, Identity Bearing Documents and Identity Intermediary, and the labels Security, Convenience, Assurance and Proof]

Page 6: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

FIM Assists Users and Service Providers

• Federated ID Management (FIM) is not an end in itself
• Different parties are involved in the FIM process:
  • Users: individual users of web services
  • Service Providers, e.g. e-commerce or e-government web applications
  • Identity Providers, e.g. government entities, institutional providers
• Main goal: Improve processes for users and service providers
  • Increasing security for users
  • Providing a convenient/usable interface for users
  • Providing identity attributes of assured quality to service providers
• Identity attributes are stored centrally with the Identity Intermediary
• Users and service providers access the Identity Intermediary to access identity attributes

Page 7: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Users Decide Case by Case Which Data to Share

• Authentication must be secure to minimize the risk of identity theft (more on that later)
• Identity attributes shared must be reliable (more on that later)
• Unauthorized sharing of a user’s data must be prevented (more on that later)
• A user has to have full control over how his data is used
• Users have to give clear consent to share data
• An access mandate by a user has to be
  • Limited in time
  • Limited in scope (e.g. limited to a defined set of attributes)
  • Limited in audience (e.g. only for a certain service provider)

Page 8: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Secure Authentication

Page 9: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Identity Crimes Are on the Rise

• Spectacular Cases
  • 2012: Attack on LinkedIn leads to 6.46 M hashed user name/password combinations being leaked [Whittaker, 2012]
  • 2013: Attack on Adobe Systems leads to 38 M user accounts being leaked [Perlroth, 2013]
  • 2014: 1.2 B user name/password combinations stolen by a Russian crime ring [Perlroth and Gelles, 2014]
• In 2012, approximately 7% of all U.S. residents age 16 or older were victims of identity theft [Harrell and Langton, 2013]

Page 10: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Identity Crimes Are on the Rise

• The U.S. Federal Trade Commission registers complaints about identity theft concerning credit cards, checking or savings accounts, government documents, internet accounts, etc.
• The number of cases is rising continuously [Federal Trade Commission, 2014]

[Figure: chart of the number of cases by year; axis ticks 500,000 / 1,500,000 / 2,500,000 and 2001 / 2004 / 2007 / 2010 / 2013]

Page 11: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Password Authentication Provides Low Security

• An overwhelming majority of online services use user name/password authentication
• Low security due to vulnerability to various forms of attacks:
  • Non-technical attacks
    • Observation while entering a password
    • Educated guessing of a password
    • Educated guessing of password recovery information
    • Abuse of leaked password information
    • Phishing
  • Technical attacks
    • Brute force guessing
    • Dictionary based guessing
    • Compromising a user’s system (key logging, traffic logging)
    • Compromising communication channels (“Man-in-the-Middle”)
    • Obtaining passwords/password hashes by hacking

Page 12: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Password Authentication Provides Low Usability but Excellent Deployability

• In addition to security problems, passwords have low usability [Bonneau et al., 2012]
  • High memorywise effort (passwords need to be remembered)
  • High physical effort (passwords need to be typed)
  • Scalability for users (more passwords increase the memorywise effort)
• This also leads to insecure user behaviour (simplistic passwords, password reuse, etc.)
• Why are passwords still enduringly successful?
• Due to excellent deployability [Bonneau et al., 2012]
  • High Accessibility
  • Negligible-Cost-per-User
  • Server-Compatible
  • Browser-Compatible
  • Mature
  • Non-Proprietary

Page 13: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Overcoming Passwords: Knowledge and Possession

• There were many attempts to supersede passwords with more secure technology
• Many are based on hardware devices
• Many lacked industry support, open standards or vendor independence
• A new emerging standard is FIDO U2F
  • Supported by an industry consortium (ARM, Google, Mastercard, Microsoft, VISA, etc.)
  • Requires USB/NFC enabled hardware (e.g. Yubico YubiKey NEO) with compact design
  • Low-level (APDU) and high-level (JavaScript) APIs
  • Simple challenge/response logic based on SHA signatures for authentication
  • Hardware is not commercially available yet
  • Most promising approach to overcome passwords
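An added example, not taken from the thesis or from FIDO code: a simplified model of the U2F authentication exchange, in which the token signs the hashed app ID, a presence byte, a counter and the hashed client data (ECDSA on P-256 with SHA-256, as in the U2F specification). The app ID, the origins and all function names are assumptions, and Node.js's built-in crypto module stands in for token and browser.

```javascript
// Added illustration of a U2F-style sign-in, simplified; not the thesis's code.
const nodeCrypto = require("node:crypto");
const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest();

// Token: holds the private key and a signature counter that only goes up.
function makeToken() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  let counter = 0;
  return {
    publicKey,
    sign(appId, clientData) {
      const ctr = Buffer.alloc(4);
      ctr.writeUInt32BE(++counter);
      const presence = Buffer.from([0x01]); // user touched the token
      const msg = Buffer.concat([sha256(appId), presence, ctr, sha256(clientData)]);
      return { presence, ctr, signature: nodeCrypto.sign("sha256", msg, privateKey) };
    },
  };
}

// Browser: records the server's challenge together with the origin actually visited.
const clientDataFor = (challenge, origin) =>
  JSON.stringify({ typ: "navigator.id.getAssertion", challenge, origin });

// Server: check origin, challenge, signature and counter; returns a status string.
function verifyAssertion(account, pending, clientData, resp) {
  const cd = JSON.parse(clientData);
  if (cd.origin !== pending.origin) return "origin mismatch";
  if (cd.challenge !== pending.challenge) return "challenge mismatch";
  const msg = Buffer.concat([sha256(pending.appId), resp.presence, resp.ctr, sha256(clientData)]);
  if (!nodeCrypto.verify("sha256", msg, account.publicKey, resp.signature)) return "bad signature";
  const n = resp.ctr.readUInt32BE();
  if (n <= account.counter) return "counter not increased";
  account.counter = n;
  return "ok";
}

function runDemo() {
  const appId = "https://idi.example"; // constructed app ID, also used as origin
  const token = makeToken();
  const account = { publicKey: token.publicKey, counter: 0 }; // stored at registration
  const newPending = () => ({ appId, origin: appId, challenge: nodeCrypto.randomBytes(32).toString("hex") });

  const p1 = newPending();
  const cd1 = clientDataFor(p1.challenge, appId);
  const r1 = token.sign(appId, cd1);
  const first = verifyAssertion(account, p1, cd1, r1);
  const resent = verifyAssertion(account, p1, cd1, r1); // same response sent twice
  const p2 = newPending();
  const stale = verifyAssertion(account, p2, cd1, r1); // old response, fresh challenge
  // Sign-in started on a look-alike site: the browser puts that origin in the client data.
  const cd3 = clientDataFor(p2.challenge, "https://idi-login.example");
  const lookalike = verifyAssertion(account, p2, cd3, token.sign(appId, cd3));
  return { first, resent, stale, lookalike };
}

console.log(runDemo());
```

A real token also derives a separate key per app ID and returns a key handle at registration; that part is left out here.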

Page 14: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Hardware Authentication Increases Security

[Table: Passwords and FIDO Hardware compared on the security properties below; the rating marks are not preserved in this transcript]

• Resilient-to-Physical-Observation
• Resilient-to-Targeted-Impersonation
• Resilient-to-Guessing
• Resilient-to-Internal-Observation
• Resilient-to-Leaks-from-Other-Verifiers
• Resilient-to-Phishing
• Resilient-to-Theft
• Requiring-Explicit-Consent

[Bonneau et al., 2012]

• A combination of hardware authentication and passwords (“second factor”) increases security

Page 15: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Identity Assurance

Page 16: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Components of an Assured Digital Identity

| Attribute Name | Attribute Value | LOA |
|---|---|---|
| First Name | Oliver | High |
| Last Name | Jones | High |
| Address | Station Road 7 | High |
| Post Code | M6 5WG | High |
| City | Salford | High |
| E-Mail Address | [email protected] | Medium |
| Website | www.example.org | Low |

• Digital identities consist of attributes and their values
• Identity attributes can be more or less reliable/trustworthy
• The ISO standard for “Identity proofing” [ISO/IEC WD 29003] defines four levels of assurance (“LOA”):
  • Low (Little or no confidence in the claimed or asserted identity)
  • Medium (Some confidence in the claimed or asserted identity)
  • High (High confidence in the claimed or asserted identity)
  • Very High (Very high confidence in the claimed or asserted identity)

Page 17: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Identity Providers Certify User Data

• The responsibility of an Identity Provider is to assess the level of assurance realistically and provide this assessment to the Identity Intermediary
• The obtained data is then stored and distributed by the Identity Intermediary
• The Identity Intermediary is agnostic to the way verification is done by an identity provider
• There are many ways to obtain high confidence attributes:
  • Direct transmission of government information (e.g. residential register data)
  • Public card readers for electronic ID documents (e.g. provided by municipal administration)
  • Review of ID documents (e.g. verification of driving licence) by qualified staff
  • Re-use of attributes in an existing business relationship (e.g. payment data)

Page 18: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Implementation

Page 19: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Recap — The Federated Identity Management Landscape

[Figure: diagram with the elements Individual User, Service Providers, Identity Providers and Identity Intermediary, and the interface labels REST API, REST API and OAuth 2.0 UI]

Page 20: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

System Overview

Server Subsystems

• (A) Tomcat Application Server
  • (A.1) Identity Intermediary Reference Implementation (de.mplatt.idi)
  • (A.2) Apache Oltu (org.apache.oltu)
  • (A.3) Hibernate Persistence Framework (org.hibernate)
  • (A.4) Java RESTful Webservice Interfaces (javax.ws.rs)
• (B) PostgreSQL Database Server

User Interfaces/User Devices

• (D) Identity Intermediary Management Reference Implementation
• (E) YubiKey NEO FIDO Token

Page 21: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

User Interface

• Service providers request data from users through OAuth 2.0 requests
• Users are then redirected to the authentication page

https://localhost:8080/idi/auth?client_id=ec3ec0e5-d6b9-472c-a611-1b87f301bfdc&response_type=code&scope=read:firstname%20read:date

IDI

Identity Intermediary Sign-In

The service provider Smith’s Bikes is requesting one-time access to your personal data stored by the Identity Intermediary Service.

The service provider requests the following attributes:

• E-Mail Address
• Last Name
• First Name
• Address of Residence

Do you want to share these personal attributes with Smith’s Bikes? You will have the chance to review the attributes before making your final decision.

Yes. Review these attributes.

No. Cancel Sign In.

Page 22: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

User Interface

• Users then log on
• Authorization requires a local device (“FIDO” token) and a password

https://localhost:8080/idi/confirm

IDI

Intermediary Sign-In

To share data with Smith’s Bikes please perform FIDO multi-factor authentication.

Authenticate with your local device

The authentication process can be performed in various ways depending on the vendor of the FIDO token used. Authentication normally takes place via USB or wirelessly.

Enter your IDI password

Password

Submit

Page 23: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

User Interface

• Users then have the chance to review the attributes shared
• Data can be concealed on a per-attribute basis

https://localhost:8080/idi/review

IDI

Identity Intermediary Sign-In

Please review the data you are going to share with Smith’s Bikes:

• E-Mail Address: [email protected]
• Last Name: Jones
• First Name: Oliver
• Address of Residence: Station Road 7, Salford M6 5WG

Do you want to share these personal attributes with Smith’s Bikes?

Yes. Share these attributes.

No. Cancel Sign In.
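The request handling and access mandate described on the slides (OAuth 2.0 request, consent limited in time, scope and audience, one-time access, per-attribute concealment), as an added example that is not code from the thesis. The registered scopes, the attribute values, the sample URL's scope list and all function names are assumptions; only the client_id and the URL layout come from the slide.

```javascript
// Added illustration (not the thesis's code). Registered scopes, attribute values
// and all function names are assumptions made for this example.
const CLIENTS = new Map([
  // client_id as in the slide's sample URL; the allowed scopes are constructed
  ["ec3ec0e5-d6b9-472c-a611-1b87f301bfdc",
    { name: "Smith's Bikes", allowed: new Set(["read:firstname", "read:lastname", "read:email"]) }],
]);
// Constructed attribute store for one user
const STORE = { firstname: "Oliver", lastname: "Jones", email: "oliver.jones@example.org" };

// Validate the authorization request before any consent screen is shown.
function parseAuthRequest(url) {
  const q = new URL(url).searchParams;
  const clientId = q.get("client_id");
  const client = CLIENTS.get(clientId);
  if (!client) throw new Error("unknown client_id");
  if (q.get("response_type") !== "code") throw new Error("unsupported response_type");
  const scopes = (q.get("scope") || "").split(" ").filter(Boolean);
  if (scopes.length === 0) throw new Error("empty scope");
  const extra = scopes.filter((s) => !client.allowed.has(s));
  if (extra.length) throw new Error("scope not registered: " + extra.join(","));
  return { clientId, scopes };
}

// Consent result: a mandate limited in time, scope and audience.
// Attributes the user concealed on the review page never enter the mandate.
function grantMandate(request, concealed, nowMs, ttlMs) {
  const hidden = new Set(concealed);
  return {
    audience: request.clientId,
    scopes: request.scopes.filter((s) => !hidden.has(s)),
    expiresAt: nowMs + ttlMs,
    used: false, // "one-time access": consumed on first release
  };
}

// Release attributes only if every limit of the mandate holds.
function releaseAttributes(mandate, callerId, wanted, nowMs) {
  if (callerId !== mandate.audience) throw new Error("audience mismatch");
  if (nowMs >= mandate.expiresAt) throw new Error("mandate expired");
  if (mandate.used) throw new Error("mandate already used");
  const outside = wanted.filter((s) => !mandate.scopes.includes(s));
  if (outside.length) throw new Error("scope not granted: " + outside.join(","));
  mandate.used = true;
  // "read:firstname" -> "firstname"
  return Object.fromEntries(wanted.map((s) => [s.slice(5), STORE[s.slice(5)]]));
}

// Constructed request modelled on the slide's URL
const SAMPLE_URL = "https://localhost:8080/idi/auth?client_id=ec3ec0e5-d6b9-472c-a611-1b87f301bfdc" +
  "&response_type=code&scope=read:firstname%20read:email";
```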

Page 24: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Data Encryption

• Confirmed attributes will be encrypted for the requesting service provider based on a public key provided
• The data for a service provider can only be decrypted with his private key

[Figure: diagram of the encryption scheme; parties labelled I, U, S1 and S2, items labelled RB, RA1, RA2 and A1, A2, A3]

• Realised through a combination of multiple cryptographical methods on the server side and client side (W3C Web Cryptography API)
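One way to encrypt attributes so that only the requesting service provider can read them, as an added example that is not the thesis's scheme: a fresh AES-256-GCM key encrypts the attributes and is wrapped with the provider's RSA public key (RSA-OAEP). The choice of algorithms, the envelope layout and the function names are assumptions, and Node.js's synchronous crypto module is used in place of the W3C Web Cryptography API named on the slide.

```javascript
// Added illustration; hybrid RSA-OAEP + AES-256-GCM is an assumption, not the thesis's scheme.
const nodeCrypto = require("node:crypto");
const oaep = (key) => ({ key, padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" });

// Intermediary side: encrypt the confirmed attributes for exactly one service provider.
function encryptFor(spPublicKey, audience, attributes) {
  const cek = nodeCrypto.randomBytes(32); // fresh content key per release
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", cek, iv);
  cipher.setAAD(Buffer.from(audience)); // bind the ciphertext to the intended recipient
  const ciphertext = Buffer.concat([cipher.update(JSON.stringify(attributes), "utf8"), cipher.final()]);
  return {
    audience, iv, ciphertext, tag: cipher.getAuthTag(),
    wrappedKey: nodeCrypto.publicEncrypt(oaep(spPublicKey), cek),
  };
}

// Service provider side: unwrap the content key with the private key, then decrypt.
function decryptAs(spPrivateKey, ownClientId, env) {
  const cek = nodeCrypto.privateDecrypt(oaep(spPrivateKey), env.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", cek, env.iv);
  decipher.setAAD(Buffer.from(ownClientId));
  decipher.setAuthTag(env.tag);
  const plain = Buffer.concat([decipher.update(env.ciphertext), decipher.final()]);
  return JSON.parse(plain.toString("utf8"));
}

// Returns true if decryption succeeds, false if it is rejected.
function canDecrypt(privateKey, clientId, env) {
  try { decryptAs(privateKey, clientId, env); return true; } catch { return false; }
}

function runDemo() {
  const gen = () => nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const s1 = gen(), s2 = gen(); // two service providers, S1 and S2
  const attrs = { firstname: "Oliver", lastname: "Jones" }; // values from the slides' sample identity
  const env = encryptFor(s1.publicKey, "S1", attrs);
  const tampered = { ...env, ciphertext: Buffer.from(env.ciphertext) };
  tampered.ciphertext[0] ^= 0x01; // one flipped bit in transit
  return {
    s1Plain: decryptAs(s1.privateKey, "S1", env),
    s2Reads: canDecrypt(s2.privateKey, "S2", env),
    tamperedAccepted: canDecrypt(s1.privateKey, "S1", tampered),
  };
}

console.log(runDemo());
```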

Page 25: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Conclusion

Page 26: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

The implementation is a step in the right direction

• The implementation shows that the concept works, but …
  • … there is a trade-off between security and usability.
  • … FIDO U2F specifications are still in a maturing phase.
  • … FIDO U2F tokens only provide signature capabilities (no advanced cryptographic functions).
• Still, the combination of Federated IDM + FIDO U2F has great potential
• Success depends on a network of service providers/identity providers and high market penetration of FIDO U2F tokens

Page 27: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Discussion

Page 28: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Appendix

Page 29: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Bibliography

Bonneau, J., Herley, C., Oorschot, P. C. v. and Stajano, F.: The quest to replace passwords: A framework for comparative evaluation of Web authentication schemes. University of Cambridge, Computer Laboratory, 2012 (UCAM-CL-TR-817)

Federal Trade Commission: Consumer Sentinel Network Data Book for January - December 2013. Federal Trade Commission, 2014

Harrell, E. and Langton, L.: Victims of Identity Theft, 2012. U.S. Department of Justice, Office of Justice Programs, Bureau of Justice Statistics, 2013 (NCJ 243779)

ISO/IEC: Information technology – Security techniques – Identity proofing. International Organization for Standardization, 2012 (WD 29003)

Perlroth, N.: Adobe Hacking Attack Was Bigger Than Previously Thought. http://bits.blogs.nytimes.com/2013/10/29/adobe-online-attack-was-bigger-than-previously-thought, 2013

Perlroth, N. and Gelles, D.: Russian Hackers Amass Over a Billion Internet Passwords. http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html, 2014

Page 30: Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Illustration Credit

Icons

Page 5, 19:
• Business by Thomas Helbig from The Noun Project
• Passport by Hunor Csaszar from The Noun Project
• Identification by Stefan Spieler from The Noun Project
• shop by Christian Wad from The Noun Project
• institution by Christian Wad from The Noun Project
• Cloud by matthew hall from The Noun Project

Page 8:
• Keys by Joe Harrison from The Noun Project

Page 15:
• Identification by Stefan Spieler from The Noun Project

Page 20:
• USB Flash Drive by Michael Rowe from The Noun Project
• Computer by Océan Bussard from The Noun Project
• Website by Mister Pixel from The Noun Project

Page 25:
• Adventure by Ben Markoch from The Noun Project

Page 27:
• Icon by buzzyrobot from The Noun Project

Photography

Page 1:
“Antique Keys” by Simon Greig is licensed under an Attribution-NonCommercial-ShareAlike 2.0 Generic license. Based on a work at https://www.flickr.com/photos/xrrr/3892883749. To view a copy of this license, visit https://creativecommons.org/licenses/by-nc-sa/2.0/legalcode.

Page 13:
“YubiKey NEO on Keychain” from http://www.yubico.com/press/images/. Used in accordance with the usage policy available online 2014-09-20.