User-centric Handling of Identity Agent Compromise
Daisuke Mashima, Dr. Mustaque Ahamad, Swagath Kannan
College of Computing, Georgia Institute of Technology, Atlanta, GA, USA
ESORICS 2009, Saint Malo, France, 2009
2 Increasing Risk of Identity Theft
Variety of online identity credentials
–Passwords, certificates, SSN, credit card number, etc.
–Loss and theft are possible
Consequences of online identity theft
–Impersonation
–Breach of sensitive information
–Financial loss
–and more …
3 User-centric Identity Management
Recent trend in identity management systems
Advantage
–Users can choose appropriate credentials flexibly
Disadvantage
–Users are expected to be more responsible for their online identity usage
Users need more robust control over, and awareness of, identity credential usage.
4 Outline
Limitations in existing implementations
Our approach
Prototype implementation in GUIDE-ME
Evaluation
Conclusion / Future work
5 GUIDE-ME
Georgia Tech User-centric IDEntity Management Environment
Local and remote Identity Agents (IdAs)
(Figure: message flow among User / Local IdA, Remote IdA and Relying Party: negotiation; authorization token; identity credential; authorization token + ownership proof)
6 Limitation of Current Systems
Loss, theft, or compromise of user devices / authentication credentials is possible.
No effective mechanism supports the user's awareness of credential usage.
Revocation of compromised devices takes time.
7 Assumptions
Relying parties (RPs) require a requesting agent to demonstrate knowledge of the user's private key for ownership verification.
–Ownership proof and identity credential work together to prove identity (joint authority).
–Proof Key in CardSpace, U-Prove, GUIDE-ME, …
RPs follow the specified protocol.
–Robust verification minimizes their future risks.
8 Our Approach
Online monitoring agent
–Enhances the user's awareness
–Accessible to users
Threshold signatures
–Eliminate the single point of attack/failure
–Achieve immediate revocation of compromised identity agents
–Enable users to control the monitoring feature
(Figure: the private key is split into key shares)
9 High-level Idea in Simplified Setting
Local IdA stores the user's identity credential.
Storage token and online monitoring agent are newly added.
A 2-out-of-3 threshold signature scheme is employed: any two of the local IdA, the storage token and the monitoring agent can sign; none can sign alone.
Monitoring agent
–Runs on a TTP chosen by the user
–Logs identity credential usage
–Sends usage reports periodically
–(Detects & blocks suspicious usage)
(Figure: User / Local IdA, Storage Token and Monitoring Agent each hold one key share)
10 Scenario with Storage Token
(Figure: message flow among User / Local IdA, Monitoring Agent and Relying Party, starting with negotiation)
11 Scenario without Storage Token
(Figure: message flow among User / Local IdA, Monitoring Agent and Relying Party, starting with negotiation; the monitoring agent reports the usage log periodically)
12 Prototype Implementation
User + Local IdA (Java app)
Remote IdA (Java web server)
Relying Party (Java web server)
Monitoring Agent (Java servlet)
Storage Token (USB drive)
Usage reports delivered by email (SMS)
(Figure: the message flow of slide 5, with negotiation done via a text file)
13 Response Time
Table 1: Comparison of response time [seconds]
Architecture    Response time    Overhead
Original        1.253            -
W/O Token       2.047            0.794
W/ Token        1.799            0.547
Remote IdA, RP, and monitoring agent
–Run on separate machines in our campus network
Local IdA (user device)
–Connected via a cable TV Internet service
Shorter than the "4-second threshold" by Akamai
14 User-Centricity
Properties of user-centricity presented by Bhargav-Spantzel et al.
Revocability
–By updating key shares, compromised agents are disabled immediately.
Audit / Notification
–An online monitoring agent under the user's control can log and report identity credential usage.
Usability
–The monitoring agent mitigates the impact on usability.
15 Summary of Security Analysis
None of the local IdA, remote IdA, monitoring agent, or storage token is a single point of attack.
The monitoring agent is still effective even when both local and remote IdAs are compromised.
Eavesdropping on messages to the monitoring agent does not leak sensitive information.
The storage token does not require fancy security features.
16 Security, Privacy and Usability Trade-offs
(Figure: triangle with Security, Privacy and Usability at its corners; labels along the edges: "Never (rarely) use Storage Token", "Proactive Update", "Use Storage Token whenever necessary", "Do not carry or care about Storage Token")
17 Recovery and Availability
Recovery can be done by creating a new instance and re-generating key shares
–No CA or IdP needs to be involved
Missing storage token
–The monitoring agent works in place of it
Disabled monitoring agent
–Users can use services with the storage token
Disabled local IdA
–Key shares held by the remote IdA, monitoring agent, and storage token are enough
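The threshold-signing mechanism of slides 8 and 9 (any two of local IdA, monitoring agent and storage token sign jointly; the monitoring agent logs every use it takes part in) and the share-refresh revocation of slides 14 and 17, as an added worked example. This is not the authors' code or the GUIDE-ME prototype (which is Java); the slides do not name a concrete signature scheme, so a Schnorr-style threshold signature over a deliberately tiny safe-prime group (P = 1019, Q = 509, G = 4) is assumed, as are the party ids 1, 2, 3 for local IdA, monitoring agent and storage token.

```python
"""Toy 2-of-3 threshold Schnorr signing with a logging monitoring agent and
proactive share refresh. Added example in the spirit of the GUIDE-ME slides;
not the authors' code. Group parameters are tiny for readability (assumption:
a real deployment uses a standard 2048-bit MODP group or an elliptic curve)."""
import hashlib
import secrets

P = 1019          # safe prime, P = 2*Q + 1 (toy size, assumed)
Q = 509           # prime order of the signing subgroup
G = 4             # 2^2 mod P, generates the order-Q subgroup

LOCAL_IDA, MONITOR, TOKEN = 1, 2, 3   # party ids (assumed labels)


def lagrange_at_zero(i, ids):
    """Lagrange coefficient lambda_i such that sum(lambda_j * f(j)) == f(0)."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


def split_key(x, n=3, t=2):
    """Shamir-share the private key x: share_i = f(i), f(0) = x, deg f = t-1."""
    coeffs = [x] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}


def refresh_shares(shares):
    """Proactive update: add a random sharing of zero. The key pair is unchanged,
    so no RP, CA or IdP has to be told, but an old share no longer lies on the
    new polynomial, which is how a compromised agent is revoked immediately."""
    a = secrets.randbelow(Q - 1) + 1                # non-zero, so every old share breaks
    return {i: (s + a * i) % Q for i, s in shares.items()}


def challenge(R, y, msg):
    """Fiat-Shamir challenge e = H(R, y, msg), forced into [1, Q-1]."""
    h = hashlib.sha256(f"{R}|{y}|{msg}".encode()).digest()
    return int.from_bytes(h, "big") % (Q - 1) + 1


class Agent:
    """An identity agent holding one key share. Every partial signature it
    produces is logged, which is what lets the monitoring agent report usage."""

    def __init__(self, party_id, share):
        self.id, self.share = party_id, share
        self.usage_log = []
        self._k = None

    def commit(self):
        self._k = secrets.randbelow(Q - 1) + 1      # fresh nonce share k_i
        return pow(G, self._k, P)                    # R_i = g^k_i

    def partial_sign(self, R, y, msg, ids, rp):
        self.usage_log.append((rp, msg))             # audit trail of credential use
        e = challenge(R, y, msg)
        lam = lagrange_at_zero(self.id, ids)
        s_i = (self._k + e * lam * self.share) % Q   # s_i = k_i + e*lambda_i*x_i
        self._k = None                               # nonce is never reused
        return s_i


def threshold_sign(agents, y, msg, rp):
    """Signing round with any t = 2 agents; returns the Schnorr pair (R, s)."""
    ids = [a.id for a in agents]
    R = 1
    for a in agents:
        R = R * a.commit() % P                       # R = g^(sum k_i)
    s = sum(a.partial_sign(R, y, msg, ids, rp) for a in agents) % Q
    return R, s


def verify(y, msg, sig):
    """Ordinary Schnorr check done by the RP: g^s == R * y^e (mod P)."""
    R, s = sig
    return pow(G, s, P) == R * pow(y, challenge(R, y, msg), P) % P


def demo():
    x = secrets.randbelow(Q - 1) + 1
    y = pow(G, x, P)                                 # public key held by RPs
    shares = split_key(x)
    local, mon, tok = (Agent(i, shares[i]) for i in (LOCAL_IDA, MONITOR, TOKEN))
    # Without the storage token every credential use passes through the monitor.
    sig = threshold_sign([local, mon], y, "login", "rp.example")
    # With the token the user can sign without the monitor (privacy/usability).
    sig_tok = threshold_sign([local, tok], y, "login", "rp.example")
    # Revocation: refresh shares after the local IdA is stolen.
    new = refresh_shares(shares)
    stolen = Agent(LOCAL_IDA, shares[LOCAL_IDA])     # attacker's copy of the old share
    fresh = [Agent(i, new[i]) for i in (MONITOR, TOKEN)]
    return {
        "monitored_ok": verify(y, "login", sig),
        "token_ok": verify(y, "login", sig_tok),
        "monitor_log": list(mon.usage_log),
        "stolen_share_ok": verify(y, "login", threshold_sign([stolen, fresh[0]], y, "login", "rp.example")),
        "refreshed_ok": verify(y, "login", threshold_sign(fresh, y, "login", "rp.example")),
    }


if __name__ == "__main__":
    print(demo())
```

The RP runs nothing but a plain Schnorr verification against the unchanged public key, which is why refreshing shares needs no CA or IdP and why the monitoring agent's log is complete whenever the token is absent: the local IdA cannot produce a valid signature without a second share. The toy omits what a production threshold Schnorr needs on top (a commitment round for the nonces and protection against rogue-key contributions, as in FROST), and the group size is far too small to be secure.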
18 Conclusion
Proposed a mechanism to enhance the user's control and awareness in user-centric identity management systems
–User-centric identity-usage monitoring
–Fast revocation of compromised identity agents
–Flexible use of a hardware storage token to balance usability, security, and privacy
Presented an actual proof of concept
–Response time measurements
–Security and user-centricity analysis
19 Future Work
Enhancement of the monitoring agent's functionality
–Real-time anomaly detection mechanism
Integration into other architectures
–Windows CardSpace etc.
User studies to evaluate usability
20 Thank you very much. Questions?
Thank you for listening.
firstname.lastname@example.org
http://www.cc.gatech.edu/~mashima
Thank you.