secure authentication and attribute sharing in federated identity scenarios

Download Secure Authentication and Attribute Sharing in Federated Identity Scenarios

Post on 23-Jun-2015

229 views

Category:

Technology

4 download

Embed Size (px)

DESCRIPTION

In this presentation, I will describe an identity management system that will act as an intermediary between users and service providers, allowing users to authenticate with it while providing identity assurance mechanisms to service providers. The design of this system is aimed to make it less susceptible to the problems imposed by commonly used methods of authentication and attribute verification.

TRANSCRIPT

  • 1. Secure Authentication and AttributeSharing in Federated Identity ScenariosMoritz Platt 17 October 2014

2. AgendaIntroductionFederated Identity ManagementSecure AuthenticationIdentity AssuranceImplementationFinal Presentation on Secure Authentication and Attribute Sharing in Federated Identity Scenarios 2 3. Introduction > Federated ID Management > Secure Authentication > ID Assurance > ImplementationIntroduction Bachelors Thesis at TU Berlin in the field of Business Informatics Supervised by Institut fr Telekommunikationssysteme1, FachgebietOffene Kommunikationssysteme2 Supported by BundesdruckereiResearch Questions How does a federated identity management system have to be designed tobe attractive to end users and service providers? What are the security risks resulting from the use of identity managementsystems? How can they be diminished? How can a secure identity management system be implemented techni-cally?1 Institute for Telecommunications2 Department of Open Communication SystemsFinal Presentation on Secure Authentication and Attribute Sharing in Federated Identity Scenarios 3 4. Federated IdentityManagement 5. Introduction > Federated ID Management > Secure Authentication > ID Assurance > ImplementationThe Federated Identity Management LandscapeIndividual UserIdentity Bearing DocumentsIdentityIntermediarySecurityConvenienceAssuranceProofAssuranceSecurityConvenienceAssuranceService Providers Identity ProvidersFinal Presentation on Secure Authentication and Attribute Sharing in Federated Identity Scenarios 5 6. Introduction > Federated ID Management > Secure Authentication > ID Assurance > ImplementationFIM Assists Users and Service Providers Federated ID Management (FIM) is not an end in itself Different parties are involved in the FIM process: Users: individual users of web services Service Providers, e.g. e-commerce or e-government web applications Identity Providers, e.g. government entities, institutional providers Main goal: Improve processes for users and service providers Increasing security for users Providing a convenient/usable interface for users Providing identity attributes of assured quality to service providers Identity attributes are stored centrally with the Identity Intermediary Users and service providers access the Identity Intermediary to accessidentity attributesFinal Presentation on Secure Authentication and Attribute Sharing in Federated Identity Scenarios 6 7. Introduction > Federated ID Management > Secure Authentication > ID Assurance > ImplementationUsers Decide Which Data to Share Case-Dependent Authentication must be secure to minimize the risk of identity theft More on that later Identity attributes shared must be reliable More on that later Unauthorized sharing of a users data must be prevented More on that later A user has to have full control about how his data is used Users have to give clear consent to share data An access mandate by a user has to be Limited in time Limited in scope (e.g. limited to a defined set of attributes) Limited in audience (e.g. only for a certain service provider)Final Presentation on Secure Authentication and Attribute Sharing in Federated Identity Scenarios 7 8. Secure Authentication 9. Introduction > Federated ID Management > Secure Authentication > ID Assurance > ImplementationIdentity Crimes Are on the Rise Spectacular Cases 2012 Attack on LinkedIn leads to 6.46 M hasheduser name/password combinations being leaked [Whittaker, 2012] 2013 Attack on Adobe Systems leads to 38 M user accountsbeing leaked [Perlroth, 2013] 2014 1.2 B user name/password combinations stolen by arussian crime ring [Perlroth and Gelles, 2014] In 2012, approximately 7% of all U.S. residents age 16 or older were vic-timsof identity theft [Harrell and Langton, 2013]Final Presentation on Secure Authentication and Attribute Sharing in Federated Identity Scenarios 9 10. Introduction > Federated ID Management > Secure Authentication > ID Assurance > ImplementationIdentity Crimes Are on the Rise The U.S. Federal Trade Commission registers complaints about identitytheft concerning credit cards, checking or savings accounts, governmentdocuments, internet accounts, etc.2,500,0001,500,000 The number of cases is rising continuously[Federal Trade Commission, 2014]500,0002001 2004 2007 2010 2013Final Presentation on Secure Authentication and Attribute Sharing in Federated Identity Scenarios 10 11. Introduction > Federated ID Management > Secure Authentication > ID Assurance > ImplementationPassword Authentication Provides Low Security An overwhelming majority of online services use user name/password au-thentication Low security due to vulnerability to various forms of attacks: Non-Technical Attacks Observation while entering a password Educated guessing of a password Educated guessing of password recovery information Abuse of leaked password information Phishing Technical attacks Brute force guessing Dictionary based guessing Compromising a users system (Key logging, Traffic Logging) Compromising communication channels (Man-in-the-Middle) Obtaining passwords/password hashes by hackingFinal Presentation on Secure Authentication and Attribute Sharing in Federated Identity Scenarios 11 12. Introduction > Federated ID Management > Secure Authentication > ID Assurance > ImplementationPassword Authentication Provides Low Usability but Excel-lentDeployability Additional to security problems, passwords have low usability [Bonneau et al., 2012] High memorywise effort (passwords need to be remembered) High physical effort (passwords need to be typed) Scalability for users (more passwords increase the memorywise effort) This also leads to insecure user behaviour (simplistic passwords, pass-wordreuse, etc.) Why are passwords still enduringly successful? Due to excellent deployability [Bonneau et al., 2012] High Accessibility Negligible-Cost-per-User Server-Compatible Browser-Compatible Mature Non-ProprietaryFinal Presentation on Secure Authentication and Attribute Sharing in Federated Identity Scenarios 12 13. Introduction > Federated ID Management > Secure Authentication > ID Assurance > ImplementationOvercoming Passwords: Knowledge and Posession There were many attemps to supersede passwords with moresecure technology Many are based on hardware devices Many lacked industry support, open standards or vendor independence A new emerging standard is FIDO U2F Supported by an industry consortium (ARM, Google, Mas-tercard,Microsoft, VISA, etc.) Requires USB/NFC enabled hardware (e.g. YubicoYubiKey NEO) with compact design Low-level (ADPU) and high-level (Java-Script) APIs Simple challenge/response logic basedon SHA signatures for authentication Hardware is not commercially available yet Most promising approach to overcome passwordsFinal Presentation on Secure Authentication and Attribute Sharing in Federated Identity Scenarios 13 14. Introduction > Federated ID Management > Secure Authentication > ID Assurance > ImplementationHardware Authentication Increases SecurityPasswords FIDO HardwareResilient-to-Physical-Observation Resilient-to-Targeted-Impersonation Resilient-to-Guessing Resilient-to-Internal-Observation Resilient-to-Leaks-from-Other-Verifiers Resilient-to-Phishing Resilient-to-Theft Requiring-Explicit-Consent [Bonneau et al., 2012] A combination of hardware authentication and passwords (secondfactor) increases securityFinal Presentation on Secure Authentication and Attribute Sharing in Federated Identity Scenarios 14 15. Identity Assurance 16. Introduction > Federated ID Management > Secure Authentication > ID Assurance > ImplementationComponents of an Assured Digital IdentityAttribute Name Attribute Value LOAFirst Name Oliver HighLast Name Jones HighAddress Station Road 7 HighPost Code M6 5WG HighCity Salford HighE-Mail Address o.jones@example.org MediumWebsite www.example.org Low Digital identites consist of attributesand their values Identity attributes can be more orless reliable/trustworthy The ISO standard for Identity proof-ing[ISO/IEC WD 29003] defines four levels ofassurance (LOA): Low (Little or no confidence inthe claimed or asserted identity) Medium (Some confidence in the claimed or asserted identity) High (High confidence in the claimed or asserted identity) Very High (Very high confidence in the claimed or asserted identity)Final Presentation on Secure Authentication and Attribute Sharing in Federated Identity Scenarios 16 17. Introduction > Federated ID Management > Secure Authentication > ID Assurance > ImplementationIdentity Providers Certify User Data The responsibility of an Identity Provider is to assess the level of assur-ancerealistically and provide this assessment to the Identity Intermediary The obtained data is then stored and disributed by the IdentityIntermediary The Identity Intermediary is agnostic to the way verification is done by anidentity provider There are many ways to obtain high confidence attributes: Direct transmission of government information (e.g. residential registerdata) Public card readers for electronic ID documents (e.g. provided by mu-nicipaladministration) Review of ID documents (e.g. verification of driving licence) by quali-fiedstaff Re-use of attributes in an existing business relationship (e.g. paymentdata)Final Presentation on Secure Authentication and Attribute Sharing in Federated Identity Scenarios 17 18. Implementation 19. Introduction > Federated ID Management > Secure Authentication > ID Assurance > ImplementationRecap The Federated Identity Management LandscapeIndividual UserIdentityIntermediaryREST APIOAuth 2.0 UIREST APIService Providers Identity ProvidersFinal Presentation on Secure Authentication and Attribute Sharing in Federated Identity Scenarios 19 20. Introduction > Federat

Recommended

View more >