Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Authentication Trustworthiness The Next Stage in Identity-Based Access and Security Tom Board, NUIT.

Published byRussell Perry Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Authentication Trustworthiness The Next Stage in Identity-Based Access and Security Tom Board, NUIT."— Presentation transcript:

1 1 Authentication Trustworthiness The Next Stage in Identity-Based Access and Security Tom Board, NUIT

2 2 Overview What is authentication trustworthiness and why is it important? Can it be quantified? Can it be categorized? How should business processes use it? Summary Next steps

3 3 What is Authentication? From a Business Viewpoint –Authentication is a fundamental part of security –Authentication automatically associates a person with his or her actions –If everyone were trustworthy, then authentication would not be necessary From a Technical Viewpoint –There is a range of techniques available

4 4 What is Authentication Trustworthiness? Authentication trustworthiness quantifies the combined confidence in: –The identification of the principal –The issuance of the credential –The secure management of the credential –The management of the principal’s standing

5 5 Trustworthiness is Important To enable federated relationships with external entities such as: –Research or academic partners –Governmental agencies –Suppliers and vendors To secure information for the use of those intended to see or change it.

6 6 How is Authentication Trustworthiness Established? Identification of the principal –What proofs are needed? –How can proofs be checked? Issuance of the credential –Is the credential delivered in-person, through the U.S. mail or otherwise? –Does distributed management increase security?

7 7 Proofs of Existence & Identity

8 8 What Factors Affect Authentication Trustworthiness Over Time? Management of the principal’s standing –How are assertions of the principal’s existence and affiliation refreshed? –What subtleties of attribute change can be detected and thereby affect business processes? Management of the credential –Is the credential inherently vulnerable? Can the credential be used without the principal’s knowledge? –Can administrative staff compromise the credential? –Is the credential automatically disabled for a principal with an unknown status?

9 9 Northwestern’s Identity Structure

10 10 Terms IdentificationEstablishing that the principal is, in fact, the exact entity being represented StandingAssertion by an authority which reflects ongoing affiliations IssuanceConveying an assigned credential to the exact principal – and only that principal ManagementContinuing assertion by authority which controls attributes MisuseIntentional use of the credential by the principal to gain access for a third party TamperingUsing administrative functions to gain control of the credential and fraudulently represent the principal SpoofingIntentional misguidance of the authentication system into believing that a valid credential has been presented and thus fraudulently represent the principal

11 11 Can Authentication Trustworthiness be Quantified? Trust authentication ( ) = Confidence identity ( ) * Confidence credential ( ) Confidence identity ( ) = (1-P misidentification ( )) * (1-P misstanding ( )) Confidence credential ( ) = (1-P misissuance ( )) * (1-P mismanagement ( )) * (1-P misuse ( )) * (1-P spoofing ( )) * (1-P recent tampering ( ))

12 12 Example: NetID (All figures are for illustration purposes only and do not reflect controlled measurements)

13 13 Improving Trustworthiness – Multi-factor Authentication The improved trustworthiness of two-factor authentication comes from multiplying the sirk probabilities for the independent credential technologies. E.g. for two factors A and B: P spoofing (A&B) = P spoofing (A) * P spoofing (B) If management processes are independent, then this multiplicative property would apply to both P misidentification ( ) and P misissuance ( ) But, P misuse (A&B) = min(P misuse (A), P misuse (B))

14 14 Example: NetID & OTP (All figures are for illustration purposes only and do not reflect controlled measurements)

15 15 Could Trustworthiness by Classified? Federal government is using “some”, “high”, and “very high” confidence levels EduCause and Internet2 are looking at classifications Local definitions could be created and recorded in the LDAP Registry

16 16 Example Trustworthiness Classifications NONE – self-created identity LOW – Third-party manual assertion NORMAL – Authoritative assertion HIGH – In-person, photo-id check VERY HIGH – HIGH plus further background checks An internal system of “notaries” could serve to raise trustworthiness to HIGH

17 17 Probability Profiles for Classifications >> 0much greater than zero >0greater than zero  0 approximately zero  0 arbitrarily close to zero 0exactly zero

18 18 Probability Profiles for Classifications >> 0much greater than zero >0greater than zero  0 approximately zero  0 arbitrarily close to zero 0exactly zero

19 19 Services Based Upon Classification

20 20 How Should Business Processes Use Trustworthiness? All security frameworks balance University business risks against user convenience and management costs Requiring high levels of trustworthiness will require added management effort and cost – requirements should be targeted Sensitivity to the recent history of the credential will affect trustworthiness and avoid fraudulent use

21 21 How Should Business Processes Use Trustworthiness? Sensitivity to authentication trustworthiness reduces business risk –Processes to provision access should consider trustworthiness Identities able to grant access must be trustworthy Identities granted access must be trustworthy –Multi-factor authentication will be necessary for some set of applications

22 22 How Should Business Processes Use Trustworthiness? Sensitivity to authentication trustworthiness can assist with compliance –The initial identification and granting of credentials may need to be bolstered to ensure compliance –It will be necessary to create means to increase the trustworthiness of an identity and credential to transition users from high- convenience to compliance

23 23 Authentication Should Not Be Authorization Authorization is a separate step taken with knowledge of identity attributes Applications must determine which operations or access are authorized for an authenticated principal –Coarse-grained authorization takes place within the network or access control systems –Fine-grained authorization takes place within the application

24 24 Authentication Should Not Be Authorization Applications may choose to examine both trustworthiness and other attributes of the principal when making authorizing decisions –Affiliation to school or department –Changes in affiliation –Manually-asserted versus authority-asserted

25 25 Practical Outcomes For any University function, there is an implied trustworthiness requirement. These should be made explicit. Higher levels of trustworthiness will require face-to-face identification, proofs, and perhaps validation of proofs. Can we make this convenient? Should we? If multi-factor authentication is desirable, how should it be funded?

26 26 Summary Trustworthiness reflects our attention to process and will be important for compliance and federation Classes of trustworthiness can be defined and form the basis for new business policies Software must be modified to consider it People must be prepared for some dislocation because of it

27 27 Community Action Steps Convene a group to address identity policies. –Define trustworthiness categories –Match business function requirements and convenience to trustworthiness –Define methods of raising trustworthiness Implement categories in IdM infrastructure Modify systems to –Require appropriate trustworthiness –Separate authorization from authentication

28 28 Questions? Q A &

Download ppt "1 Authentication Trustworthiness The Next Stage in Identity-Based Access and Security Tom Board, NUIT."

Similar presentations

Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.

Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.
Bronze and Silver Identity Assurance Profiles for Technical Implementers Tom Barton Senior Director for Integration University of Chicago Jim Green Manager,

Bronze and Silver Identity Assurance Profiles for Technical Implementers Tom Barton Senior Director for Integration University of Chicago Jim Green Manager,
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
User Authentication for Enterprise Applications November 16, 2005 Tom Board, NUIT.

User Authentication for Enterprise Applications November 16, 2005 Tom Board, NUIT.
The SAFE-BioPharma Identity Proofing Process Author of Record SWG (Digital Credentials) October 3, 2012 Peter Alterman, Ph.D. Chief Operating Officer,

The SAFE-BioPharma Identity Proofing Process Author of Record SWG (Digital Credentials) October 3, 2012 Peter Alterman, Ph.D. Chief Operating Officer,
Identity & Access Management Project Tom Board February 2006.

Identity & Access Management Project Tom Board February 2006.
1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.

1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.
1 TA Customizer Project—TAC Cheryl M. Lange

1 TA Customizer Project—TAC Cheryl M. Lange
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Security Controls – What Works

Security Controls – What Works
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
1 Identity Management and Access Control Status UNITS Forum, June 2006 Tom Board, NUIT Info Systems Architecture.

1 Identity Management and Access Control Status UNITS Forum, June 2006 Tom Board, NUIT Info Systems Architecture.
Information Technology Current Work in System Architecture November 2003 Tom Board Director, NUIT Information Systems Architecture.

Information Technology Current Work in System Architecture November 2003 Tom Board Director, NUIT Information Systems Architecture.
Information Resources and Communications University of California, Office of the President Current Identity Management Initiatives at UC & Beyond: UCTrust.

Information Resources and Communications University of California, Office of the President Current Identity Management Initiatives at UC & Beyond: UCTrust.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.

Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.
Applied Cryptography for Network Security

Applied Cryptography for Network Security
Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –

Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –

Similar presentations

Ads by Google