
Christian Paquin, May 1st, 2007 – Identity Management Techniques – CFP 2007 Tutorial – Copyright © 2007 Credentica Inc. All Rights Reserved.




Slide 1: Identity Management Techniques – CFP 2007 Tutorial. Christian Paquin, May 1st, 2007.

Slide 2: Contents
1. Identity and access management
2. Centralized I&AM
3. Federated I&AM
4. User-centric I&AM
5. Building in privacy

Slide 3: Part I: Identity & Access Management

Slide 4: Identity & access management (I&AM)
What is identity & access management?
- Who is a user (identity)
- What can a user do (roles, claims, assertions, credentials)
- Management of the life-cycle of identity information (expiration, revocation)
Goals of I&AM
- Improve access to online services (usability)
- Reduce costs and improve productivity
- Connect more and more systems
Actors
- User (a.k.a. subject)
- Identity provider (a.k.a. issuer, authority)
- Service provider (a.k.a. relying party, verifier)

Slide 5: Use-case: single sign-on (SSO)
User authenticates once to access various independent services in one session.
[Diagram: Alice; Authority (Accounts); Service A, Service B, Service C, each with its own Accounts store]

Slide 6: Use-case: data-sharing
Different independent services can exchange data about a user.
[Diagram: Alice; Authority (Accounts); Service A, Service B, Service C, each with its own Accounts store]

Slide 7: Security & privacy requirements
- Avoid unwanted tracing and linking powers (user profiling): by the central party, the services, or both (collusion)!
- Prevent denial-of-service attacks: avoid bottlenecks (one server down → system down)
- Prevent impersonation attacks (identity theft): by virus, hacker, insider (admin), another user
- Prevent user fraud: credential transfer (lending, pooling), discarding

Slide 8: Laws of identity (Cameron & Cavoukian)
1. User Control and Consent
2. Minimal Disclosure
3. Justifiable Parties
4. Directed Identity
5. Pluralism of Operators & Technologies
6. Human Integration
7. Consistent Experience across Contexts
See http://www.identityblog.com/?page_id=354
Similar to the Fair Information Principles.

Slide 9: Part II: Centralized I&AM

Slide 10: What is centralized I&AM
- Identity and authorization data is stored and managed by a central authority
- Services query the central authority to make access decisions or learn attributes
- Pros: simple to deploy and administer in a closed environment
- Cons: security and privacy problems in a cross-domain, multi-jurisdiction setting
- Good for enterprise I&AM (for internal employees) or in a single domain (e.g. a bank with its customers)

Slide 11: Enterprise I&AM
- I&AM in an enterprise to manage the identity of its employees
- One server (directory) holds the identity data, e.g. LDAP, Kerberos, and many more
- What happens when the enterprise's boundaries get fuzzy? External employees, partners, contractors

Slide 12: Use-case: Microsoft Passport
- Authentication and data held by Microsoft's server
- Good for Microsoft's services (e.g. Hotmail) but not for 3rd parties (e.g. eBay)
[Diagram: Alice; Passport (Accounts); Service A; Service B]

Slide 13: Part III: Federated I&AM

Slide 14: What is federated I&AM
- Virtual unification of identity systems
- Central authority facilitates (in the federation): authentication and access to the services; data exchanges between the services
- Many standards: SAML, Liberty Alliance, WS-Federation, Shibboleth
- Liberty Alliance: consortium of organizations that develops interoperable I&AM specifications (many use cases)
- Pros: bridge between the identity silos; simplicity for services
- Cons: central authority sees a lot of information; one secret lost → identity theft across the federation

Slide 15: Federated identity management (SSO)
[Diagram: Alice; Authority (Accounts); Service A, Service B, Service C (Accounts). Message sequence shown on the slide:]
- Alice → Service A: "I'm Alice"
- Service A → Authority: "Who is this?"
- Authority → Alice: "Who are you?"
- Alice → Authority: "It's Alice"
- Authority → Service A: "It's 7298592"
- Service A → Alice: "Welcome 7298592"
- Service B → Authority: "Who is this?"
- Authority → Service B: "It's 5209481"
- Service B → Alice: "Welcome 5209481"

Slide 16: Federated identity management (SSO), with an impersonator
[Diagram: the same federation. The Authority's account table lists Alice with the identifiers 5209481, 7298592 and 2856387. An Impersonator takes part in the exchange. Messages shown: "Who is this?" – "I don't know"; "Who is this?" – "It's 7298592" – "Welcome 7298592"; "It's Alice" – "Welcome 5209481".]
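Slides 15 and 16 show the authority handing each service a different number for the same user (7298592 at Service A, 5209481 at Service B) and answering "I don't know" for a session it cannot place. The following is an added example, not code from the tutorial or from Credentica: a small Python simulation in which the authority derives a per-service pseudonym with an HMAC over (user, service), so the services cannot link Alice's accounts among themselves while the authority still sees every visit (the "sees a lot of information" con of slide 14). The key, account and service names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample key; none of these values come from the slides.
AUTHORITY_KEY = b"authority pseudonym key (constructed)"


class Authority:
    """Federation authority: authenticates Alice once, then answers each
    service's "Who is this?" with a service-specific identifier."""

    def __init__(self, accounts):
        self._accounts = dict(accounts)  # username -> password (constructed)
        self._sessions = {}              # session id -> username
        self.seen = []                   # what the authority learns about visits

    def login(self, username, password):
        """'Who are you?' / 'It's Alice': returns a session id, or None."""
        if self._accounts.get(username) != password:
            return None
        sid = secrets.token_hex(16)
        self._sessions[sid] = username
        return sid

    def pseudonym(self, username, service):
        """Directed identity: HMAC(key, user || service) -> 7-digit number.
        Stable per (user, service); different services get unrelated values."""
        mac = hmac.new(AUTHORITY_KEY, f"{username}\x00{service}".encode(),
                       hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:8], 'big') % 10_000_000:07d}"

    def who_is_this(self, session_id, service):
        """A service asks 'Who is this?' about a presented session."""
        user = self._sessions.get(session_id)
        if user is None:
            return "I don't know"          # unknown or forged session
        self.seen.append((user, service))  # the authority observes every visit
        return self.pseudonym(user, service)


class Service:
    """A relying service that only ever learns its own pseudonym for Alice."""

    def __init__(self, name, authority):
        self.name = name
        self._authority = authority
        self.accounts = set()

    def visit(self, session_id):
        answer = self._authority.who_is_this(session_id, self.name)
        if answer == "I don't know":
            return "Access denied"
        self.accounts.add(answer)
        return f"Welcome {answer}"


def run_sso():
    """Alice authenticates once and visits A and B; a forged session is refused."""
    authority = Authority({"alice": "alice-password (constructed)"})
    a = Service("Service A", authority)
    b = Service("Service B", authority)
    sid = authority.login("alice", "alice-password (constructed)")
    return {
        "a": a.visit(sid),
        "b": b.visit(sid),
        "forged": a.visit("not-a-real-session"),
        "linkable_by_services": a.accounts == b.accounts,
        "linkable_by_authority": authority.seen,
    }


if __name__ == "__main__":
    for key, value in run_sso().items():
        print(f"{key}: {value}")
```

The two services end up with unrelated account identifiers for Alice, so only the authority (holder of the HMAC key and the session table) can join them; that is exactly the trust placed in the central party that the slides flag as a federation weakness.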

Slide 17: Use-case: Secure Channel
[Diagram: Citizen ↔ Internet ↔ Department (public web server, PID/MBUN table, SC-protected contents) ↔ SCNet ↔ Secure Channel (epass storage, gateway, session management, log in / registration). The MBUN (Meaningless But Unique Number) is exchanged between Secure Channel and the Department.]

Slide 18: Secure Channel SSO
[Diagram: Citizen logs in at the Department with User ID "chrisp" and a password; the Department and Secure Channel share the citizen's MBUN]

Slide 19: Secure Channel SSO
[Diagram: Citizen logs in at Secure Channel with User ID "cpaquin" and a password; Secure Channel passes the MBUN to the Department]

Slide 20: Part IV: User-Centric I&AM

Slide 21: What is user-centric I&AM
- Recent umbrella term for many identity systems/technologies, aiming to: respect the laws of identity; build on open standards to create an identity meta-system
- User is in control of the identity data flow: either initiates or participates in data exchanges
[Diagram: Alice sits between the Identity Provider (Accounts) and Service A / Service B]

Slide 22: Windows CardSpace
- Microsoft's system released with Vista
- Built on top of the identity meta-system
- Identity "claims" packaged as identity cards (InfoCards) managed by the user
  - Managed card: issued by a trusted party
  - Self-issued card: created by the user, to replace username/password and form fillers
- Actual data is stored at identity providers (claim tokens are retrieved as needed)

Slide 23: Windows CardSpace (data sharing)
[Diagram: Alice; Identity Provider (Accounts); Relying party (Accounts). Messages shown: Relying party: "Are you over 18?"; Alice → Identity Provider: "I'm Alice. Please assert that I'm over 18"; Identity Provider: "Over 18"; Relying party: "Welcome". The relying party's "Who is this?" is answered "It's Alice".]

Slide 24: Windows CardSpace (data sharing), with John
[Diagram: Alice and John; Identity Provider (Accounts); Relying party (Accounts). Messages shown: "Are you over 18?"; John: "I need to assert that I'm over 18"; "I'm John. Please assert that I'm over 18"; "Over 18"; "Welcome"; "It's Alice"; "No I'm not…".]

Slide 25: OpenID
- An open, decentralized, free framework for user-centric digital identity
- For authentication: everyone has an identifier (e.g. a URL); you prove ownership of the URL
- To log in: the user types her identifier; the service redirects the user to the OpenID provider; the OpenID provider authenticates the user
- Pros: simple, free, open; a step up from username/password
- Cons: low security: trivial phishing → identity theft across all services; the community is working on a new version to address security vulnerabilities

Slide 26: OpenID protocol
1. User is presented with an OpenID login form by the Consumer.
2. User responds with the URL that represents their OpenID.
3. Consumer canonicalizes the OpenID URL and uses the canonical version to request (GET) a document from the Identity Server.
4. Identity Server returns the HTML document named by the OpenID URL.
5. Consumer inspects the HTML document header for tags with the attribute rel set to openid.server and, optionally, openid.delegate. The Consumer uses the values in these tags to construct a URL with mode checkid_setup for the Identity Server and redirects the User Agent. This checkid_setup URL encodes, among other things, a URL to return to in case of success and one to return to in the case of failure or cancellation of the request.
6. The OpenID Server returns a login screen.
7. User sends (POST) a login ID and password to the OpenID Server.
8. OpenID Server returns a trust form asking the User if they want to trust the Consumer (identified by URL) with their Identity.
9. User POSTs the response to the OpenID Server.
10. User is redirected to either the success URL or the failure URL returned in (5), depending on the User's response.
11. Consumer returns the appropriate page to the User depending on the action encoded in the URL in (10).
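Steps 2 to 5 are the part of the protocol the Consumer implements on its own: canonicalize the typed identifier, fetch the page, pull the openid.server (and optional openid.delegate) links out of the document head, and build the checkid_setup redirect. The code below is an added example and not part of the tutorial or of any OpenID library; it uses the OpenID 1.1 parameter names (openid.mode, openid.identity, openid.return_to, openid.trust_root), and the identity page, server and consumer URLs are constructed for the example. The slide's separate success and failure URLs correspond, in the 1.1 parameter set, to a single openid.return_to that the server comes back to with mode id_res or cancel.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed identity page, standing in for what step 4 would return.
SAMPLE_IDENTITY_PAGE = """<html><head>
  <title>Alice</title>
  <link rel="openid.server" href="https://idp.example/openid/server">
  <link rel="openid.delegate" href="https://idp.example/users/alice">
</head><body>Alice's home page</body></html>"""


def canonicalize(identifier):
    """Step 3: turn what the user typed into one canonical URL form."""
    identifier = identifier.strip()
    if "://" not in identifier:
        identifier = "http://" + identifier
    p = urlsplit(identifier)
    # Lower-case scheme and host, default the path to "/", drop any fragment.
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


class _OpenIDLinkParser(HTMLParser):
    """Collects <link rel="openid.*"> tags that appear inside <head> only."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
        elif tag == "link" and self._in_head:
            a = dict(attrs)
            rel, href = (a.get("rel") or "").lower(), a.get("href")
            if rel in ("openid.server", "openid.delegate") and href:
                self.links.setdefault(rel, href)  # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover(html):
    """Step 5: return (server URL, delegate URL or None) from the document."""
    parser = _OpenIDLinkParser()
    parser.feed(html)
    if "openid.server" not in parser.links:
        raise ValueError("no openid.server link in <head>")
    return parser.links["openid.server"], parser.links.get("openid.delegate")


def checkid_setup_url(server, identity, delegate, trust_root, return_to):
    """Step 5 (continued): the redirect the consumer sends the user agent to."""
    if not return_to.startswith(trust_root):
        raise ValueError("return_to must lie under trust_root")
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": delegate or identity,  # delegate replaces the typed URL
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    return server + ("&" if "?" in server else "?") + urlencode(params)


def start_login(typed_identifier, fetch_document, trust_root, return_to):
    """Steps 2-5 end to end; fetch_document stands in for the HTTP GET of step 3."""
    identity = canonicalize(typed_identifier)
    server, delegate = discover(fetch_document(identity))
    return identity, checkid_setup_url(server, identity, delegate, trust_root, return_to)


if __name__ == "__main__":
    _, redirect = start_login("alice.example", lambda url: SAMPLE_IDENTITY_PAGE,
                              "https://consumer.example/",
                              "https://consumer.example/openid/return")
    print(redirect)
```

Note where the phishing exposure of slide 25 lives: the consumer redirects the user to whatever server the fetched page names, and the user then types a password there (step 7). Parsing only links inside the head, fetching the identity page over HTTPS and checking that return_to lies under trust_root are the consumer-side checks this example performs; they do not by themselves tell the user that the login screen belongs to the right provider.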

Slide 27: Part V: Building in Privacy

Slide 28: Drawbacks of classic technologies
- Usernames/passwords: low security; vulnerable to phishing; don't support data sharing
- Kerberos: traceable and linkable (by the issuer's signature); requires online access to the authority; doesn't support cross-domain data sharing
- X.509 certificates: traceable and linkable (by the issuer's signature); only supports data sharing of anticipated claims; revocation check may involve a real-time connection to the issuer

Slide 29: Privacy-enhancing technologies (PET)
- Set of modern cryptographic techniques that enhance/preserve/protect the level of privacy of users when interacting with service and identity providers
- Encompasses many technologies: encryption (confidentiality), policy (P3P), anonymous access (onion routing, e.g. Tor)
- Of interest here: "data PET", to prove who you are in a specific context and what your credentials are, while meeting the laws of identity: 1. User Control and Consent; 2. Minimal Disclosure; 3. Justifiable Parties; 4. Directed Identity

Slide 30: PET features
[Diagram: Alice between Issuer and Verifier, with a "?" on the link from Issuer to Verifier]

Slide 31: SSO revisited
[Diagram: Alice; Issuer (Token Service); Service A, Service B, Service C (Accounts). Service A's account for Alice (user ID "AliceS") holds Name: Alice Smith, DOB: 1973/08/24. Alice's token table:
  Token ID       Service
  a9e28b3c74     Service A
  9b87f3c4dd2    (unlinked)
  f88e37ba221    (unlinked)
]

Slide 32: SSO revisited
[Diagram: Service B's account for Alice (user ID "ASmith") holds Address: 1010 Sherbrooke, Postal code: H3A 2R7; Service A's account ("AliceS") holds Name: Alice Smith, DOB: 1973/08/24. Alice's token table:
  Token ID       Service
  a9e28b3c74     Service A
  9b87f3c4dd2    Service B
  f88e37ba221    Service C
]

Slide 33: Data sharing revisited
[Diagram: Service C: "You need to be over 18 to access this service". Alice obtains an "Over 18" claim from Service A (which holds Name: Alice Smith, DOB: 1973/08/24 under "AliceS") and presents it to Service C; Service C: "Welcome". Service B holds Address: 1010 Sherbrooke, Postal code: H3A 2R7 under "ASmith".]

Slide 34: Data sharing revisited
[Diagram: which service holds which of Alice's data: Service A – Name, DOB (account "AliceS": Alice Smith, 1973/08/24); Service B – Address, Postal code (account "ASmith": 1010 Sherbrooke, H3A 2R7)]

Slide 35: Data sharing revisited
[Diagram: Service C: "You must be over 18 and from Quebec to access this service." Alice combines "18+" (derived from Service A's Name and DOB) and a proof based on Service B's Address and Postal code into a single proof for Service C; Service C: "Welcome".]
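Slides 33 to 35 show the minimal-disclosure idea: Service C only needs "over 18" and "from Quebec", not Alice's date of birth or street address, and each token carries a fresh identifier rather than a reusable one. The following is an added example, not code from the tutorial or from Credentica, that derives exactly those two predicates from the slides' sample attributes (DOB 1973/08/24, postal code H3A 2R7, as of the tutorial date) and puts only the predicates into a signed token. The signature is an HMAC under a key shared by issuer and verifier, a simplification chosen to keep the example short: it demonstrates minimal disclosure and per-token identifiers, not the unlinkability from the issuer that the slides' PET tokens aim for, which requires anonymous-credential cryptography not shown here. The key and the Quebec postal-prefix rule (first letter G, H or J) are assumptions of the example.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date

# Constructed issuer key shared with the verifier (simplification, see lead-in).
ISSUER_KEY = b"issuer signing key (constructed)"

# Sample attributes matching the slides' fictional Alice Smith.
ALICE_ATTRIBUTES = {
    "name": "Alice Smith",
    "dob": "1973/08/24",
    "address": "1010 Sherbrooke",
    "postal_code": "H3A 2R7",
}

# Assumed rule: Canadian postal codes starting with G, H or J are in Quebec.
QUEBEC_POSTAL_PREFIXES = ("G", "H", "J")


def over_18(dob_str, today):
    """Predicate derived from the DOB; the DOB itself is never disclosed."""
    y, m, d = (int(x) for x in dob_str.split("/"))
    age = today.year - y - ((today.month, today.day) < (m, d))
    return age >= 18


def from_quebec(postal_code):
    """Predicate derived from the postal code's first letter only."""
    return postal_code.strip().upper()[:1] in QUEBEC_POSTAL_PREFIXES


def issue_token(attributes, requested, today):
    """Issuer computes only the requested derived claims and signs them
    together with a fresh random token id (no reusable identifier inside)."""
    derivers = {
        "over_18": lambda a: over_18(a["dob"], today),
        "from_quebec": lambda a: from_quebec(a["postal_code"]),
    }
    claims = {name: derivers[name](attributes) for name in requested}
    body = {"token_id": secrets.token_hex(6), "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "sig": sig}


def verify(token, policy):
    """Service C checks the signature, then that every required claim is true."""
    expected = hmac.new(ISSUER_KEY, token["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return False
    claims = json.loads(token["payload"])["claims"]
    return all(claims.get(name) is True for name in policy)


def disclosed_fields(token):
    """What the verifier actually learns: the claim names in the token."""
    return sorted(json.loads(token["payload"])["claims"])


if __name__ == "__main__":
    policy = ["over_18", "from_quebec"]           # Service C's access policy
    tok = issue_token(ALICE_ATTRIBUTES, policy, date(2007, 5, 1))
    print("disclosed:", disclosed_fields(tok))
    print("access granted:", verify(tok, policy))
```

The verifier sees two booleans and a random token id, nothing that identifies Alice or that would match the "AliceS" and "ASmith" accounts at Services A and B; a token tampered with after issuance fails the signature check before any claim is read.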

