Post on 16-Jan-2015
description
Re-using existing PKIs for online Identity Management
Martijn OostdijkNovay22/10/09 | Session ID: 305
Classification: Intermediate
2
Agenda
Electronic Passports
A short introduction to Identity 2.0
Using the ePassport PKI for online IdM
Conclusions
How to apply what you learn here?
• I will demonstrate how third parties (you?) can piggyback “traditional” PKI infrastructure to facilitate your organization’s IdM
• You are invited to come and discuss pros and cons of the combination of PKI and user-centric IdM
• You will understand the risks involved and benefits of this combination, and be able to judge whether it is cost-effective for your organization
Educate + Learn = Apply
An Introduction to Identity 2.0
Web / Identity 2.0 means…
“Everybody knows you’re not a dog.”
An attempt to define “Identity”
• Identity is what you and others claim about you
• In real life, whether you trust a claim– Depends on context,
– Depends on “authorities” or “Identity Providers”
• parents, school, government– Depends on “Identity Providers by proxy”
• signed note, diploma, passport, driver’s license
• On the Internet there is little context
• Identity Providers needed for trust
Identity Management
Client(C)
Relying Party(RP)
Identity Provider(IdP)
Would like to use service
Facilitates this process by- checking credentials of C- controlled release of attributes about C
8
Online or offline IdP?
Online IdP
• Redirect RP to IdP
• Drawback: single point of failure
• Drawback: infrastructure cost
• Drawback: privacy?
Offline IdP
• IdP signed an identifier for client to present to RP
• No single point of failure
• Drawback: revocation
• No need to trust IdP w.r.t. privacy
• Drawback: can we trust user / user’s PC to store identifier?
What is Identity 2.0?
• Identity 2.0 is User-centric Identity
• The user is in control over what information is shared with RP
• Two standards are popular:– OpenID
– Information Card
• Hot or hype? (Like everything 2.0?)
• We’ll focus on Information Card here
Laws of Identity 2.0
By Kim Cameron of Microsoft1. User control
2. Minimal disclosure, constrained purpose
3. Justifiable parties
4. Directed identity
5. Pluralism of operators and technologies
6. Human integration
7. Consistent experience across contexts
Explained for dummies:
• People using computers should be in control of giving out information about
themselves, just as they are in the physical world.
• The minimum information needed for the purpose at hand should be
released, and only to those who need it. Details should be retained no longer
than necesary.
• It should NOT be possible to automatically link up everything we do in all
aspects of how we use the Internet. A single identifier that stitches
everything up would have many unintended consequences.
• We need choice in terms of who provides our identity information in different
contexts.
• The system must be built so we can understand how it works, make rational
decisions and protect ourselves.
• Devices through which we employ identity should offer people the same
kinds of identity controls - just as car makers offer similar controls so we can
all drive safely.
Information Card
• Open standard (sort of)
• Self-signed cards: Attributes kept at client
• Managed cards: Attributes kept at IdP
• Windows CardSpace is Microsoft’s implementation
• To prevent phishing: GUI dialog leaves context of OS
Electronic Passports
ePassport
• Issued by government, standardized by ICAO
• Contains chip with– Information about card holder
– Mechanism to verify integrity of that information
– Mechanism to verify authenticity of chip
– Mechanism to communicate confidentially
• Tested and found “secure” up to EAL4+
• Intended for verification by border official’s equipment
• (Not intended for online verification)
ePassport
Chip
Logo
MRZ
Antenna
Logical Data Structure
hashes DGs + signature issuing stateSOd
public key for Active AuthenticationDG15
[some people with really long names][DG11]
photo faceDG2
name, etc, a.o. date of birth and BSNDG1
index of DGs presentCOM
16
ePassport security mechanisms
CONTROLS:
• Basic Access Control
• Passive Authentication
• Active Authentication
• Extended Access Control
• Biometry
THREATS:
• Skimming & tracking (privacy)
• Eavesdropping (privacy)
• Altering (authenticity, integrity)
• Cloning (authenticity)
• Disclosure of biometrics (confidentiality)
• Look-a-like fraud
ePassports form a worldwide PKI!
• Passive authentication means:– Data groups signed by “document signer”
– Document signer’s certificate signed by “country signer”
• Country signer’s certificate is given to other countries so that they can verify integrity and authenticity– Sometimes on government’s web site
– In that case, third parties can read content after performing BAC
• Can ePassports be used in Identity 2.0 scheme such as Information Card?
Using the ePassport PKI for online IdM
ePassport + CardSpace
User
Card Space
Hosted at IDP
Run at clientNFC Device(hardware)
Security Token
Service
SOCKET
CLIENT
RELYING PARTY
IDENTITY PROVIDER
Web Server
Information Card protocol
1. Access2. Policy
3. Filter cards
4. Select card
5. Request token
6. Give token
7. Give token
5/6. BAC + AA + DG1 + DG15 + SOd
IdP Client
RP
User
Result
• An online IdP can verify a user’s ePassport remotely– If the ePassport supports Active Authentication,
– and Basic Access Control (and BAC keys known to the IdP),
– and the country signing certificate is known to the IdP
• If data is protected by EAC– ePassport issuing countries can limit access to selected IdPs
• The IdP can translate attributes– To protect privacy
– E.g. date-of-birth becomes “currently over 18 years of age”
– User still in control of what gets sent to RP
Conclusions
Conclusions
• Trend: Identity 2.0 (user-centric)
• Trend: governments rolling out massive worldwide PKI
• Such a PKI is very 1.0, but can be used in an Identity 2.0 scheme– Although role of IdP is somewhat different:
• A trusted online IdP is good for privacy– IdP translates “raw” attributes (such as date-of-birth) to more
privacy friendly attributes (such as “currently over 18 years of age”)
– Combining offline and online identity management offers some flexibility in terms of privacy protection
Questions?