Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Federated Identity and Single-Sign On Prof. Ravi Sandhu Executive Director and Endowed Chair February 15, 2013

Published bySherilyn Rodgers Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Federated Identity and Single-Sign On Prof. Ravi Sandhu Executive Director and Endowed Chair February 15, 2013"— Presentation transcript:

1 1 Federated Identity and Single-Sign On Prof. Ravi Sandhu Executive Director and Endowed Chair February 15, 2013 ravi.sandhu@utsa.edu www.profsandhu.com © Ravi Sandhu World-Leading Research with Real-World Impact! CS 6393 Lecture 5

2 © Ravi Sandhu 2 World-Leading Research with Real-World Impact! The Web Today Client RP1 RP2 RP3 Relying Parties (Service Providers) User ID, Password + maybe: Personalized image Cookie Knowledge based authentication One-time password Encrypted channel Weak RP to client authentication Susceptible to RP spoofing and man-in-the-middle

3 © Ravi Sandhu 3 World-Leading Research with Real-World Impact! The Web Today Client RP1 RP2 RP3 Relying Parties (Service Providers) User ID, Password + maybe: Personalized image Cookie Knowledge based authentication One-time password Encrypted channel Weak RP to client authentication Susceptible to RP spoofing and man-in-the-middle Private Key Public Key Private Key Public Key Private Key Public Key Signature: done by Private Key, Verified by Public Key Encryption: done by Public Key, Decrypted by Private Key

4 © Ravi Sandhu 4 World-Leading Research with Real-World Impact! The Web Today VERSION SERIAL NUMBER SIGNATURE ALGORITHM ISSUER VALIDITY SUBJECT SUBJECT PUBLIC KEY INFO SIGNATURE How to get a public key? Digital Certificates Guarantees authentication and integrity But how does one verify this signature Need another Public Key PKI: Public Key Infrastructure

5 © Ravi Sandhu 5 World-Leading Research with Real-World Impact! The Web Today X Q A R ST CEGIKMO abcdefghijklmnop Multi-rooted Certificate Hierarchy Root certificates are weakly protected in today’s browsers

6 © Ravi Sandhu 6 World-Leading Research with Real-World Impact! The PKI Vision (1980s Onwards) Client RP1 RP2 RP3 Relying Parties (Service Providers) Eliminates man-in-the-middle in the network. Remains vulnerable to man-in-the- browser and man-in-the-PC Private Key Public Key Private Key Public Key Private Key Public Key Private Key Public Key

7 © Ravi Sandhu 7 World-Leading Research with Real-World Impact! The PKI Vision (1980s Onwards) ClientRPRP RP’s Private Key Public Key Man-in- the- middle MITM MITM’s Private Key Public Key RP’s Root MITM’s Root User ID, Password ClientRPRP RP’s Private Key Public Key Man-in- the- middle MITM MITM’s Private Key Public Key RP’s Root MITM’s Root Client’s Private Key Public Key

8 © Ravi Sandhu 8 World-Leading Research with Real-World Impact! The PKI Vision (1980s Onwards) Client RP1 RP2 RP3 Relying Parties (Service Providers) Private Key Public Key Private Key Public Key Private Key Public Key Private Key Public Key Store and use in well protected server hardware security module (HSM) Store as password protected and use in insecure PC Store and use in smartcard Store and use in Trusted Platform Module (TPM)

9  One authenticator for each client  Protected by one or more additional factors  Usable by every RP who trusts the client’s root  Built-in out-of-the box Single Sign-On (SSO)  Massive expense by US DoD on Common Access Card © Ravi Sandhu 9 World-Leading Research with Real-World Impact! The PKI Vision (1980s Onwards)

10 © Ravi Sandhu 10 World-Leading Research with Real-World Impact! Kerberos SSO (1980’s onward) Kerberos also TGS Client c {T c,tgs, K c,tgs } K c 1 2 Symmetric Key Technology Client password -> client symmetric key Kc Stored client symmetric key Kc

11 © Ravi Sandhu 11 World-Leading Research with Real-World Impact! Kerberos SSO (1980’s onward) Symmetric Key Technology TGS ClientServer {T c,s, K c,s } K c,tgs T c,tgs, A c,tgs, s 3 4 5 T c,s, A c,s

12 © Ravi Sandhu 12 World-Leading Research with Real-World Impact! Kerberos SSO (1980’s onward) Kerberos Realm 1 Kerberos Realm 2 shared symmetric key public-private keys clientserver

13  Successful in Enterprise SSO  Scales to 10’s or 100’s of thousands of users  Microsoft Active Directory login is based on Kerberos  Inter-realm rarely deployed © Ravi Sandhu 13 World-Leading Research with Real-World Impact! Kerberos SSO (1980’s onward)

14 © Ravi Sandhu 14 World-Leading Research with Real-World Impact! Microsoft SSO (1990’s) Failed

15 © Ravi Sandhu 15 World-Leading Research with Real-World Impact! Microsoft Infocard Identity Ecosystem (2000’s) Failed

16 © Ravi Sandhu 16 World-Leading Research with Real-World Impact! Liberty Alliance (2000’s) Failed

17 © Ravi Sandhu 17 World-Leading Research with Real-World Impact! OpenID (2000’s) Failing

18 © Ravi Sandhu 18 World-Leading Research with Real-World Impact! NSTIC (2010’s)

Download ppt "1 Federated Identity and Single-Sign On Prof. Ravi Sandhu Executive Director and Endowed Chair February 15, 2013"

Similar presentations

The Future: Evolution of the Technology Ravi Sandhu Chief Scientist TriCipher, Inc. Los Gatos, California Executive Director and Chaired Professor Institute.

The Future: Evolution of the Technology Ravi Sandhu Chief Scientist TriCipher, Inc. Los Gatos, California Executive Director and Chaired Professor Institute.
PKI Introduction Ravi Sandhu 2 © Ravi Sandhu 2002 CRYPTOGRAPHIC TECHNOLOGY PROS AND CONS SECRET KEY SYMMETRIC KEY Faster Not scalable No digital signatures.

PKI Introduction Ravi Sandhu 2 © Ravi Sandhu 2002 CRYPTOGRAPHIC TECHNOLOGY PROS AND CONS SECRET KEY SYMMETRIC KEY Faster Not scalable No digital signatures.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
1 Privacy Prof. Ravi Sandhu Executive Director and Endowed Chair March 8, 2013 © Ravi Sandhu World-Leading Research.

1 Privacy Prof. Ravi Sandhu Executive Director and Endowed Chair March 8, © Ravi Sandhu World-Leading Research.
1 Authentication with Passwords Prof. Ravi Sandhu Executive Director and Endowed Chair February 1, 2013 © Ravi.

1 Authentication with Passwords Prof. Ravi Sandhu Executive Director and Endowed Chair February 1, © Ravi.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 9 Deploying IIS and Active Directory Certificate Services

Chapter 9 Deploying IIS and Active Directory Certificate Services
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
May 22, 2002 Joint Operations Group Discussion Overview Describe the UC Davis Security Architecture Describe Authentication Efforts at UC Davis Current.

May 22, 2002 Joint Operations Group Discussion Overview Describe the UC Davis Security Architecture Describe Authentication Efforts at UC Davis Current.
1 Plenary Panel on Cloud Security and Privacy: What is new and What needs to be done? Ravi Sandhu Executive Director and Endowed Professor December 2010.

1 Plenary Panel on Cloud Security and Privacy: What is new and What needs to be done? Ravi Sandhu Executive Director and Endowed Professor December 2010.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Similar presentations

Ads by Google