Identity Management: A Technical Perspective
Richard Cissée, DAI-Labor, Technische Universität Berlin

Overview

Main building blocks of Identity Management Systems:
- AAA components
  - Authentication: validating the identity of users
  - Authorization: granting access rights to users for specific services
  - Accounting: monitoring resource usage
- User Management components
  - Management of identities and personal information
  - (Single Sign-On mechanisms)

Introduction: Multi-Agent System Technology

Software agents are characterized by
- Autonomy/proactiveness: an agent acts (on behalf of a user, as a part of a multi-agent system etc.) by trying to reach given goals
- Ability to communicate with other agents, e.g. by offering and using services
- Mobility: agents may migrate between different host platforms, depending on their current tasks
- Intelligence: an agent encapsulates knowledge, such as personal information

Multi-Agent System Technology is especially suitable for distributed, heterogeneous, dynamic systems.

AAA: Authentication

Authentication methods as means to establish identity via
- something the user is: biometrics
- something the user knows: passwords/PINs (*)
- something the user has: hardware tokens (e.g. smart cards)/software tokens (digital certificates) (*)
- or combinations thereof.

In the last case, authentication is possible without identification.
Some methods (*) are usable by agents, others by human users only.

Authentication in Agent-Based IM Systems

- Each user is represented by a user agent
- Authentication as a two-step procedure:
  1. Human user – user agent via conventional methods (optional)
  2. User agent – target application/service (mainly via certificates)
- Potential risks of malicious agents compromising the security of the system have to be addressed

AAA: Authorization

Access Control Lists authorize users to access specific services
- large number of relationships
- updating information is error-prone (e.g. removing users)

Role-Based Access Control mechanisms authorize user roles to access specific services
- Each user identity is assigned one or several roles
- Roles are granted privileges
- Separation of duties: a user may not participate via more than one role in a transaction
- Reduced number of relationships
- Improved accuracy of Access Control information
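The following is an added example, not code from the presentation, that puts the two models on the slide side by side: an access control list that stores one relationship per user and service, and a role-based model with static separation of duties (conflicting roles cannot be assigned to one user) and a per-transaction check (all steps of a transaction must be reachable through a single held role). The users, roles, services and counts are constructed sample data.

```python
"""Access control models from the slide: an access control list (ACL) beside
role-based access control (RBAC) with separation of duties.

Added example, not part of the original presentation. Users, roles,
services and the transactions below are constructed sample data.
"""
from collections import defaultdict


class AccessControlList:
    """One (user, service) relationship per grant: relationships = users x services."""

    def __init__(self):
        self._grants = set()

    def grant(self, user, service):
        self._grants.add((user, service))

    def remove_user(self, user):
        # Every entry for the user must be located and deleted; an entry that
        # is missed leaves a stale permission behind, which is why updating an
        # ACL is error-prone.
        self._grants = {(u, s) for (u, s) in self._grants if u != user}

    def is_allowed(self, user, service):
        return (user, service) in self._grants

    def relationship_count(self):
        return len(self._grants)


class RBAC:
    """Users are assigned roles, roles are granted privileges; a conflict set
    implements static separation of duties."""

    def __init__(self):
        self.user_roles = defaultdict(set)   # user -> {role}
        self.role_privs = defaultdict(set)   # role -> {service}
        self._conflicts = set()              # {frozenset({role_a, role_b})}

    def grant_privilege(self, role, service):
        self.role_privs[role].add(service)

    def declare_conflict(self, role_a, role_b):
        self._conflicts.add(frozenset({role_a, role_b}))

    def assign_role(self, user, role):
        # Static separation of duties: refuse a role that conflicts with one
        # the user already holds.
        for held in self.user_roles[user]:
            if frozenset({held, role}) in self._conflicts:
                raise PermissionError(f"{user}: role {role!r} conflicts with {held!r}")
        self.user_roles[user].add(role)

    def remove_user(self, user):
        # A single deletion revokes every service the user could reach.
        self.user_roles.pop(user, None)

    def is_allowed(self, user, service):
        return any(service in self.role_privs[r] for r in self.user_roles.get(user, ()))

    def relationship_count(self):
        return (sum(len(r) for r in self.user_roles.values())
                + sum(len(p) for p in self.role_privs.values()))


def transaction_allowed(rbac, user, steps):
    """Dynamic separation of duties for one transaction: the user may perform
    the steps only if a single held role covers all of them, so a transaction
    cannot be completed by combining privileges from two roles."""
    return any(all(step in rbac.role_privs[role] for step in steps)
               for role in rbac.user_roles.get(user, ()))


def build_demo():
    """Constructed sample: six clerks and four approvers over four services."""
    clerks = [f"clerk{i}" for i in range(6)]
    approvers = [f"approver{i}" for i in range(4)]
    clerk_services = ["order.create", "order.edit"]
    approver_services = ["order.approve", "payment.release"]

    acl = AccessControlList()
    for u in clerks:
        for s in clerk_services:
            acl.grant(u, s)
    for u in approvers:
        for s in approver_services:
            acl.grant(u, s)

    rbac = RBAC()
    for s in clerk_services:
        rbac.grant_privilege("clerk", s)
    for s in approver_services:
        rbac.grant_privilege("approver", s)
    rbac.declare_conflict("clerk", "approver")   # nobody both creates and approves
    for u in clerks:
        rbac.assign_role(u, "clerk")
    for u in approvers:
        rbac.assign_role(u, "approver")
    return acl, rbac


if __name__ == "__main__":
    acl, rbac = build_demo()
    print("ACL relationships:", acl.relationship_count())    # 20
    print("RBAC relationships:", rbac.relationship_count())  # 14
```

With ten users the ACL holds 20 relationships and the RBAC model 14 (ten user-role plus four role-privilege entries); the gap widens with every additional user, and removing a user is one deletion in RBAC rather than a search across every service entry.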

Authorization in Agent-Based IM Systems

- Role-Based Access Control is suitable because of the underlying role concept in multi-agent systems
- User agents are assigned roles by adding components/knowledge to the agent, or by updating the agent role assignment information
- Agents may negotiate role assignments
- In the case of trusted agents, Authorization without management of assignment information is feasible

AAA: Accounting

Mechanisms for monitoring the usage of specific resources, sub-services etc.
Accounting information is required
- to determine whether Authentication/Authorization information has to be modified
- to update additional user information (Personalization)
- to support Session Management (especially in the context of mobile services)

Further purposes (Billing, System configuration) are outside the main focus of Identity Management.

Management of Identities and Personal Information

- Main goal: interoperability of identity management information
- Synchronization of distributed information
- Benefit for users: simplified sign-on to different services/applications
- Emerging XML standards, e.g. Security Assertion Markup Language (SAML) for Authentication and Authorization
- Different approaches (centralized, federated, agent-based management of identity information)

Centralized Single Sign-On (1/2)

Centralized Single Sign-On (2/2)

- Central authentication server (Example: Passport)
- User signs on to the authentication server and, if successful, is automatically signed on to further participating services/applications
- Problems:
  - Trust (user has to trust the authentication server)
  - Security (authentication server as single point of failure/central point of attack)
  - Privacy (personal information that is collected in addition to authentication information)
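An added example, not code from the presentation and not Passport's actual protocol, showing the centralized exchange: a single authentication server checks the password once and mints a signed assertion bound to one service; each participating service verifies the signature, audience, expiry and replay. The assertion format (base64url JSON with an HMAC-SHA256 tag), the shared key and the sample credential are assumptions. The `observed` list makes the privacy point of the slide visible: the central server learns every (user, service) sign-on.

```python
"""Centralized single sign-on with a central authentication server.

Added example, not part of the original presentation (and not Passport's
protocol). The assertion format, the HMAC-SHA256 signature and the sample
credentials are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthServer:
    """Holds the only key that can mint assertions: every service trusts it,
    and it observes every sign-on to every service (the trust, central point
    of attack and privacy problems named on the slide)."""

    def __init__(self, key: bytes):
        self._key = key
        self._creds = {}        # user -> (salt, PBKDF2 digest)
        self.observed = []      # (user, service) pairs the server learns

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str):
        salt = secrets.token_bytes(16)
        self._creds[user] = (salt, self._digest(password, salt))

    def sign_on(self, user, password, service, now, ttl=300):
        """Verify the password and return an assertion bound to one service."""
        rec = self._creds.get(user)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, self._digest(password, salt)):
            return None
        self.observed.append((user, service))
        claims = {"sub": user, "aud": service, "iat": now,
                  "exp": now + ttl, "jti": secrets.token_hex(8)}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class Service:
    """A participating service: checks signature, audience, expiry and replay."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self._key = key
        self._seen_ids = set()

    def accept(self, token: str, now: int):
        """Return the asserted user, or None if the assertion is not acceptable."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None             # modified or not issued by the server
        claims = json.loads(_unb64(body))
        if claims.get("aud") != self.name:
            return None             # issued for another service
        if claims.get("exp", 0) <= now:
            return None             # expired
        if claims["jti"] in self._seen_ids:
            return None             # replayed
        self._seen_ids.add(claims["jti"])
        return claims["sub"]


def demo():
    """Constructed scenario; returns the outcome of each check."""
    key = secrets.token_bytes(32)
    idp = AuthServer(key)
    idp.register("alice", "correct horse battery staple")   # constructed credential
    shop, mail = Service("shop", key), Service("mail", key)
    t0 = 1_700_000_000

    token = idp.sign_on("alice", "correct horse battery staple", "shop", now=t0)
    body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    claims["sub"] = "mallory"                       # modified claims, old signature
    modified = _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig
    mail_token = idp.sign_on("alice", "correct horse battery staple", "mail", now=t0)
    return {
        "wrong_password": idp.sign_on("alice", "wrong", "shop", now=t0),
        "shop_accepts": shop.accept(token, t0 + 10),
        "shop_rejects_replay": shop.accept(token, t0 + 20),
        "mail_rejects_wrong_audience": mail.accept(token, t0 + 10),
        "modified_rejected": shop.accept(modified, t0 + 10),
        "expired_rejected": mail.accept(mail_token, t0 + 301),
        "server_observed": list(idp.observed),
    }
```

Because the symmetric key is shared, every service that holds it could mint assertions for the others, so in this construction each service is as trusted as the server itself; a deployment would give services only a verification key (asymmetric signatures) to narrow that, but the server remains the single point whose compromise affects every participant.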

Federated Simplified Sign-On (1/2)

Federated Simplified Sign-On (2/2)

- (Example: Liberty Alliance Specification)
- User signs on to different services/applications and may opt in to federate the respective accounts. With each sign-on the user is seamlessly signed on to further services/applications within a group of participants ("Circle of Trust")
- Problems:
  - Trust
  - Privacy (personal information that is collected in addition to authentication information)
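An added example, not code from the presentation and not the Liberty Alliance protocol itself, of the opt-in account federation described above. The identity provider and each service keep their own local accounts; only with the user's consent is a per-service handle created and linked to the local account, and later sign-ons carry that handle rather than the provider's user name. The use of random, pairwise different handles is an assumption made here to show why two services in the circle cannot correlate a user by comparing what they receive; message signing is left out.

```python
"""Federated simplified sign-on: opt-in account federation within a circle
of trust, modelled with pairwise pseudonymous handles.

Added example, not part of the original presentation. Names and the choice
of random per-service handles are constructed assumptions.
"""
import secrets


class IdentityProvider:
    def __init__(self, name):
        self.name = name
        self._users = set()
        self._federations = {}      # (user, service) -> handle

    def register(self, user):
        self._users.add(user)

    def federate(self, user, service, consent):
        """Opt-in step: a handle is created only with the user's consent."""
        if user not in self._users or not consent:
            return None
        return self._federations.setdefault((user, service), secrets.token_hex(16))

    def sign_on(self, user, service):
        """Later sign-ons carry the handle, never the provider's own user name."""
        return self._federations.get((user, service))

    def services_of(self, user):
        # What the provider inevitably learns: which services a user federated.
        return sorted(svc for (u, svc) in self._federations if u == user)


class ServiceProvider:
    def __init__(self, name):
        self.name = name
        self._accounts = set()
        self._links = {}            # handle -> local account

    def register(self, local_account):
        self._accounts.add(local_account)

    def link(self, local_account, handle):
        """Second half of the opt-in: while signed on locally, the user links
        the handle to the local account."""
        if local_account not in self._accounts or handle is None:
            return False
        self._links[handle] = local_account
        return True

    def accept(self, handle):
        """Resolve an incoming handle to a local account (None if not federated)."""
        return self._links.get(handle)


def demo():
    idp = IdentityProvider("idp.example")           # constructed names
    shop, mail = ServiceProvider("shop"), ServiceProvider("mail")
    idp.register("alice@idp")
    idp.register("bob@idp")
    shop.register("alice_shop")
    mail.register("a.smith")

    # alice federates both accounts; bob declines, so no handle exists for him
    h_shop = idp.federate("alice@idp", "shop", consent=True)
    h_mail = idp.federate("alice@idp", "mail", consent=True)
    shop.link("alice_shop", h_shop)
    mail.link("a.smith", h_mail)
    declined = idp.federate("bob@idp", "shop", consent=False)

    return {
        "shop_resolves": shop.accept(idp.sign_on("alice@idp", "shop")),
        "mail_resolves": mail.accept(idp.sign_on("alice@idp", "mail")),
        "handles_differ": h_shop != h_mail,
        "shop_rejects_mail_handle": shop.accept(h_mail),
        "unfederated_user": shop.accept(idp.sign_on("bob@idp", "shop")),
        "declined": declined,
        "idp_knows_services": idp.services_of("alice@idp"),
    }
```

The last entry of the result is the trust and privacy problem from the slide in miniature: even though the services learn nothing beyond their own handle, the identity provider still records which services every user has federated.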

Agent-Based Single Sign-On (1/2)

Agent-Based Single Sign-On (2/2)

- User logs in to a personal user agent
- User agent manages account information required for different services/applications as well as additional personal information
- User agent resides on a platform controlled by the user (online/on a mobile device/special hardware)
- No central authentication server or exchange of information between participating services/applications required
- Increased privacy, security & trust

Conclusion

- Multi-Agent System Technology as a possible solution for different aspects of Identity Management Systems
- Open issues:
  - Integration of existing and agent-based approaches
  - Consequences of introducing agents as additional entities – with own identities?