Identity Management. Hoang Huu Hanh (PhD), OST – Hue University, hanh-at-hueuni.edu.vn


Post on 24-Dec-2015


Page 1: IDENTITY MANAGEMENT Hoang Huu Hanh (PhD), OST – Hue University hanh-at-hueuni.edu.vn

IDENTITY MANAGEMENT

Hoang Huu Hanh (PhD), OST – Hue University
hanh-at-hueuni.edu.vn

Page 2:

Federated Identity Management

• use of a common identity management scheme
  ◦ across multiple enterprises & numerous applications
  ◦ supporting many thousands, even millions of users
• elements are:
  ◦ authentication, authorization, accounting, provisioning, workflow automation, delegated administration, password synchronization, self-service password reset

Page 3:

http://www.federation.org.au/

Page 4:

Identity Management with attributes

Page 5:

Federated ID Management in an enterprise environment

Web service scenario

Page 6:

Communication Standards Used

• Extensible Markup Language (XML)
  ◦ characterizes text elements in a document by appearance, function, meaning, or context
• Simple Object Access Protocol (SOAP)
  ◦ for invoking code using XML over HTTP
• WS-Security
  ◦ set of SOAP extensions for implementing message integrity and confidentiality in Web services
• Security Assertion Markup Language (SAML)
  ◦ XML-based language for the exchange of security information between online business partners

Next we will talk about a simple and lightweight federated ID management solution, called

Page 7:

What is OpenID?

• an identity system
• a protocol
• not a service or company
• Motivation of OpenID: a lightweight authentication mechanism for online users (e.g., bloggers, etc.)
• An advocate of Identity 2.0: Dick Hardt

Page 8:

Design Goals

• low barrier to entry
  ◦ works with static HTML pages
  ◦ no central server
  ◦ understandable identity (a URL)
  ◦ no new namespace
  ◦ no public keys (key revocation, etc.)
  ◦ no browser plugins
• most simple protocol possible

Page 9:

What OpenID isn't...

• a trust system
  ◦ need identity before you can have trust
• a solution for all identity problems
• perfectly secure
  ◦ DNS spoofing
  ◦ man-in-the-middle

Page 10:

How's it work?

• proves "who" you are
  ◦ one-time assertions w/ digital signature
  ◦ see openid.net for specs
• not that you're a good person
  ◦ spammers can/will/have set up OpenID servers
  ◦ better than state of email today
  ◦ Trust/reputation providers on their way
    TrustRank
• free, open libraries for most languages

Page 11:

Why URLs as identity?

• usability
• users don't understand public keys
• users don't understand namespaces
• users do understand URLs
  ◦ 10+ years of billboards and TV commercials
• you can click them
  ◦ tangible

Page 12:

Definitions in OpenID

• Relying Party
  ◦ RP. A Web application that wants proof that the end user controls an Identifier.
• OpenID Provider or identity provider
  ◦ OP. An OpenID Authentication server on which a Relying Party relies for an assertion that the end user controls an Identifier.
• Identifier
  ◦ An Identifier is an "http" or "https" URL.
• User-Supplied Identifier
  ◦ An Identifier that was presented by the end user to the Relying Party, or selected by the user at the OpenID Provider.

Page 13:

OpenID Protocol Overview

1. The end user initiates authentication by presenting a User-Supplied Identifier to the Relying Party via their browser.
  ◦ The user enters her URL
2. The Relying Party performs discovery on it and establishes the OP Endpoint URL that the end user uses for authentication.
  ◦ Discovery is for the RP to find out who the user's identity provider is and what the URL of the provider is
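The discovery step above, as an added example that is not the slides' code or any OpenID library: the RP normalizes the user-supplied identifier, fetches the page it names and reads the OP endpoint from the OpenID 2.0 link relations openid2.provider and openid2.local_id. The constructed SAMPLE_PAGE, the http default scheme and the https-only policy (an RP-side reading of page 19's advice) are assumptions made here; fetching the page over the network is left out so the block runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _LinkRelParser(HTMLParser):
    """Collect rel -> href from the <link> tags of the identifier page."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").split():
            self.links.setdefault(rel.lower(), a.get("href"))

def normalize_identifier(user_supplied):
    """Step 1: a bare host gets a scheme prepended (http here, by assumption)
    and any fragment is dropped before discovery."""
    s = user_supplied.strip()
    if "://" not in s:
        s = "http://" + s
    return s.split("#", 1)[0]

def html_discover(page_html):
    """Step 2: (OP endpoint URL, local identifier or None) read from the page's
    OpenID 2.0 link relations, or None when no provider is declared."""
    parser = _LinkRelParser()
    parser.feed(page_html)
    endpoint = parser.links.get("openid2.provider")
    if not endpoint:
        return None
    return endpoint, parser.links.get("openid2.local_id")

def endpoint_is_tls(endpoint):
    """Assumed RP policy matching page 19: only redirect the user to an https OP."""
    return urlsplit(endpoint).scheme == "https"

# Constructed identifier page, as a user-hosted home page might serve it.
SAMPLE_PAGE = """<html><head><title>alice</title>
<link rel="openid2.provider" href="https://op.example/server">
<link rel="openid2.local_id" href="https://op.example/alice">
</head><body>alice's home page</body></html>"""
```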

Page 14:

OpenID cont'd

3. (optional) The Relying Party and the OP establish a shared secret using Diffie-Hellman Key Exchange.
  ◦ The OP uses the shared key to sign subsequent messages and the Relying Party uses it to verify those messages

Page 15:

Diffie-Hellman key exchange with no public keys

• The Relying Party specifies a modulus, $p$, and a generator, $g$.
• The Relying Party chooses a random private key $x_a$ and the OpenID Provider chooses a random private key $x_b$, both in the range $[1 .. p-1]$.
• The shared secret is thus
  ◦ $g^{x_a x_b} \bmod p = (g^{x_a})^{x_b} \bmod p = (g^{x_b})^{x_a} \bmod p$.

Page 16:

Recall: Diffie-Hellman Algorithm in a public key setting

• Compute a common, shared key
• Based on the discrete logarithm problem
  ◦ Given integers $n$ and $g$ and prime number $p$, compute $k$ such that $n = g^k \bmod p$
  ◦ Solutions known for small $p$
  ◦ Solutions computationally infeasible as $p$ grows large
• Constants: prime $p$, integer $g \neq 0, 1, p-1$
  ◦ Known to all participants
• Alice chooses private key $k_{Alice}$, computes public key $K_{Alice} = g^{k_{Alice}} \bmod p$
  ◦ Bob does the same
• To communicate with Bob, Alice computes $K_{shared} = K_{Bob}^{\,k_{Alice}} \bmod p$
• To communicate with Alice, Bob computes $K_{shared} = K_{Alice}^{\,k_{Bob}} \bmod p$

Page 17:

What is the difference between the two Diffie-Hellman protocols?

Page 18:

OpenID cont'd

4. The Relying Party redirects the end user's browser to the OP with an OpenID authentication request.
  ◦ RP asks OP: does this user belong here?
5. The OP establishes whether the end user is authorized to perform OpenID Authentication.
  ◦ User authenticates herself to OP
6. The OP redirects the end user's browser back to the Relying Party with an assertion that the authentication is either approved or failed.
7. The Relying Party verifies the information received from the OP, including checking the Return URL, verifying the discovered information, checking the nonce, and verifying the signature by using either the shared key established during the association

Page 19:

Security analysis

• Adversary's goal(s)
• Replay attacks – eavesdropping and reusing assertions
  ◦ Nonce
• Man-in-the-middle attacks, DNS related attacks (DNS cache poisoning, etc.)
  ◦ OP should use an SSL certificate
• Denial-of-service attacks
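The association of pages 14 to 16 and the RP-side checks of pages 18 and 19, as one added example that is neither the slides' code nor the OpenID specification's wire format: the RP chooses $p$ and $g$, both sides run Diffie-Hellman with no long-term public keys (so nothing authenticates the peer, which is why page 19 wants TLS on the OP), and the derived key authenticates an assertion that the RP checks for return URL, nonce reuse and signature. The toy prime, the SHA-256 key derivation, the name:value serialization and the field names are assumptions made here for readability.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: in OpenID the Relying Party chooses p and g (page 15).
# 2**127 - 1 is prime but far too small for real use; it only keeps the numbers readable.
P = 2**127 - 1
G = 5

def dh_keypair(p=P, g=G):
    """Random private key x in [1, p-1] and the public value g^x mod p."""
    x = secrets.randbelow(p - 1) + 1
    return x, pow(g, x, p)

def dh_shared_secret(their_public, my_private, p=P):
    """(g^xb)^xa mod p == (g^xa)^xb mod p, the equality on page 15."""
    return pow(their_public, my_private, p)

def mac_key(shared_secret):
    """Fixed-length MAC key from the shared secret. Assumption: plain SHA-256 of
    the big-endian integer, not the derivation in the OpenID specification."""
    length = (shared_secret.bit_length() + 7) // 8
    return hashlib.sha256(shared_secret.to_bytes(length, "big")).digest()

def _canonical(fields, names):
    # Deterministic "name:value\n" serialization of the named fields (assumed format).
    return "".join(f"{k}:{fields.get(k, '')}\n" for k in names).encode()

def sign_assertion(key, fields):
    """OP side (step 6): HMAC-SHA256 over every field, plus the list of what was signed."""
    signed = sorted(fields)
    sig = hmac.new(key, _canonical(fields, signed), hashlib.sha256).hexdigest()
    return dict(fields, signed=",".join(signed), sig=sig)

def verify_assertion(key, msg, expected_return_to, seen_nonces):
    """RP side (step 7): return URL, nonce never seen before, signature binding the
    checked fields. The nonce is recorded only once every check has passed."""
    if msg.get("return_to") != expected_return_to:
        return False
    nonce = msg.get("response_nonce")
    if not nonce or nonce in seen_nonces:
        return False  # missing or replayed assertion (page 19)
    signed = msg.get("signed", "").split(",")
    if not {"return_to", "response_nonce"} <= set(signed):
        return False  # an unsigned field cannot be trusted
    expected = hmac.new(key, _canonical(msg, signed), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("sig", "")):
        return False
    seen_nonces.add(nonce)
    return True
```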

Page 20:

Thank You!

Slides credits:
• Danfeng Yao
• William Stallings and Lawrie Brown
• Brad Fitzpatrick