
IDENTITY MANAGEMENT Hoang Huu Hanh (PhD), OST – Hue University hanh-at-hueuni.edu.vn.


1 IDENTITY MANAGEMENT Hoang Huu Hanh (PhD), OST – Hue University hanh-at-hueuni.edu.vn

2 Federated Identity Management
use of a common identity management scheme
◦ across multiple enterprises & numerous applications
◦ supporting many thousands, even millions of users
elements are:
◦ authentication, authorization, accounting, provisioning, workflow automation, delegated administration, password synchronization, self-service password reset

3 http://www.federation.org.au/

4 Identity Management with attributes

5 Federated ID Management in an enterprise environment; Web service scenario

6 Communication Standards Used
Extensible Markup Language (XML)
◦ characterizes text elements in a document by appearance, function, meaning, or context
Simple Object Access Protocol (SOAP)
◦ for invoking code using XML over HTTP
WS-Security
◦ set of SOAP extensions for implementing message integrity and confidentiality in Web services
Security Assertion Markup Language (SAML)
◦ XML-based language for the exchange of security information between online business partners
Next we will talk about a simple and lightweight federated ID management solution, called

7 What is OpenID?
an identity system
a protocol
not a service or company
Motivation of OpenID: a lightweight authentication mechanism for online users (e.g., bloggers, etc.)
An advocate of Identity 2.0: Dick Hardt

8 Design Goals
low barrier to entry
◦ works with static HTML pages
◦ no central server
◦ understandable identity (a URL)
  no new namespace
  no public keys (key revocation, etc...)
◦ no browser plugins
most simple protocol possible

9 What OpenID isn't...
a trust system
◦ need identity before you can have trust
a solution for all identity problems
perfectly secure
◦ DNS spoofing
◦ man-in-the-middle

10 How does it work?
proves "who" you are
◦ one-time assertions with digital signature
◦ see openid.net for specs
not that you're a good person
◦ spammers can/will/have set up OpenID servers
◦ better than the state of email today
◦ trust/reputation providers on their way: TrustRank
free open libraries for most languages

11 Why URLs as identity?
usability
users don't understand public keys
users don't understand namespaces
users do understand URLs
◦ 10+ years of billboards and TV commercials
you can click them
◦ tangible

12 Definitions in OpenID
Relying Party (RP):
◦ A Web application that wants proof that the end user controls an Identifier.
OpenID Provider (OP) or identity provider:
◦ An OpenID Authentication server on which a Relying Party relies for an assertion that the end user controls an Identifier.
Identifier:
◦ An Identifier is an "http" or "https" URL.
User-Supplied Identifier:
◦ An Identifier that was presented by the end user to the Relying Party, or selected by the user at the OpenID Provider.

13 OpenID Protocol Overview
1. The end user initiates authentication by presenting a User-Supplied Identifier to the Relying Party via their browser.
◦ The user enters her URL
2. The Relying Party performs discovery on it and establishes the OP Endpoint URL that the end user uses for authentication.
◦ Discovery is how the RP finds out who the user's identity provider is and what the provider's URL is

14 OpenID cont'd
3. (optional) The Relying Party and the OP establish a shared secret using Diffie-Hellman key exchange. The OP uses the shared key to sign subsequent messages, and the Relying Party uses it to verify those messages

15 Diffie-Hellman key exchange with no public keys
The Relying Party specifies a modulus, p, and a generator, g.
The Relying Party chooses a random private key xa and the OpenID Provider chooses a random private key xb, both in the range [1..p-1].
The shared secret is thus
◦ g^(xa * xb) mod p = (g^xa)^xb mod p = (g^xb)^xa mod p.

16 Recall Diffie-Hellman Algorithm in a public key setting
Compute a common, shared key
Based on the discrete logarithm problem
◦ Given integers n and g and prime number p, compute k such that n = g^k mod p
◦ Solutions known for small p
◦ Solutions computationally infeasible as p grows large
Constants: prime p, integer g ≠ 0, 1, p-1
◦ Known to all participants
Alice chooses private key k_Alice, computes public key K_Alice = g^(k_Alice) mod p
◦ Bob does the same
To communicate with Bob, Alice computes K_shared = K_Bob^(k_Alice) mod p
To communicate with Alice, Bob computes K_shared = K_Alice^(k_Bob) mod p

17 What is the difference between the two Diffie-Hellman protocols?

18 OpenID cont'd
4. The Relying Party redirects the end user's browser to the OP with an OpenID authentication request.
◦ RP asks OP: does this user belong here?
5. The OP establishes whether the end user is authorized to perform OpenID Authentication.
◦ User authenticates herself to the OP
6. The OP redirects the end user's browser back to the Relying Party with an assertion that the authentication is either approved or failed
7. The Relying Party verifies the information received from the OP, including checking the Return URL, verifying the discovered information, checking the nonce, and verifying the signature by using either the shared key established during the association

19 Security analysis
Adversary's goal(s)
Replay attacks: eavesdropping and reusing assertions
◦ Nonce
Man-in-the-middle attacks, DNS-related attacks (DNS cache poisoning, etc.)
◦ OP should use an SSL certificate
Denial-of-service attacks
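The association of slides 14-15, the RP-side checks of slide 18 and the nonce defence against replay from slide 19, as an added Python example that is not part of the original slides: the DH group is a constructed demo group rather than the spec's default 1536-bit MODP group, both the OP and RP roles run in one process, and the field names follow the OpenID 2.0 wire format.

```python
import base64, calendar, hashlib, hmac, secrets, time

# Constructed demo DH group, NOT the spec's default 1536-bit MODP group: p = 2^127 - 1, g = 5.
P, G = (1 << 127) - 1, 5

def btwoc(n):
    """OpenID 2.0 big-endian two's-complement encoding of a non-negative integer."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def associate():
    """Slide 15: DH association; the shared secret masks the OP's random MAC key (OpenID 2.0 sec. 8.4.2)."""
    xa = secrets.randbelow(P - 1) + 1                    # RP private key in [1, p-1]
    xb = secrets.randbelow(P - 1) + 1                    # OP private key in [1, p-1]
    rp_pub, op_pub = pow(G, xa, P), pow(G, xb, P)        # exchanged in the clear
    mac_key = secrets.token_bytes(20)                    # OP chooses the HMAC-SHA1 key
    mask = hashlib.sha1(btwoc(pow(rp_pub, xb, P))).digest()      # OP: H(g^(xa*xb) mod p)
    enc_mac_key = bytes(a ^ b for a, b in zip(mask, mac_key))   # what the OP sends back
    rp_mask = hashlib.sha1(btwoc(pow(op_pub, xa, P))).digest()   # RP derives the same secret
    rp_mac_key = bytes(a ^ b for a, b in zip(rp_mask, enc_mac_key))
    return mac_key, rp_mac_key                           # identical when the exchange worked

def sign(fields, mac_key):
    """OP side: HMAC-SHA1 over the key-value form of the fields named in openid.signed."""
    kv = "".join(f"{k}:{fields.get('openid.' + k, '')}\n" for k in fields["openid.signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha1).digest()).decode()

def nonce_time(nonce):
    """Seconds since the epoch for the UTC timestamp that opens an openid.response_nonce."""
    return calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))

def verify(fields, mac_key, expected_return_to, seen_nonces, now, window=300):
    """RP side (slide 18): return_to, nonce freshness and uniqueness, then the signature."""
    if fields.get("openid.return_to") != expected_return_to:
        return "bad return_to"
    nonce = fields.get("openid.response_nonce", "")
    try:
        issued = nonce_time(nonce)
    except ValueError:
        return "malformed nonce"
    if abs(now - issued) > window:
        return "stale nonce"
    if nonce in seen_nonces:                             # the same assertion presented again
        return "replayed nonce"
    if not hmac.compare_digest(sign(fields, mac_key), fields.get("openid.sig", "")):
        return "bad signature"
    seen_nonces.add(nonce)                               # remember only nonces that passed
    return "ok"
```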

20 Thank You!
Slides credits: Danfeng Yao; William Stallings and Lawrie Brown; Brad Fitzpatrick
