Open Standard Security
Uploaded by mark-scrimshire
Category: Technology
Transcript of Open Standard Security
Simplify, Don’t Sacrifice
Open Standard Security
We absolutely need to solve our Single Sign On challenge
But doing so doesn’t improve the user experience
It is like making this shot...
If you think it is confusing here...
We are not making it any easier for our users
370,000,000
But there is hope...
There is a common thread for these major players
370,000,000
R-Card
Portable user ID and password: one login, held at your provider, usable across many sites
Offers additional layers of authentication
Works with SecurID
Can be extended: Vidoop ImageShield meets two-factor authentication needs
Works with LDAP: http://www.openid-ldap.org/releases.php
Works with SAML
- The Terminology
OpenID Identity: “I am my URL”
OpenID Consumer: a web site that accepts OpenID logins (the relying party)
OpenID Provider: eg. AOL, Yahoo etc.
OpenID does not provide trust. OpenID lets a site know that you are the identity that registered an account; it says nothing about who is behind that URL or how carefully the provider verified them.
A How to
Users use a URL to identify themselves
eg. http://ekive.blogspot.com
That URL needs two lines of HTML code in its <head> to support OpenID (these are the OpenID 1.x tags; OpenID 2.0 uses rel='openid2.provider' and rel='openid2.local_id' for the same purpose):

```html
<link href='https://api.screenname.aol.com/auth/openidServer' rel='openid.server'/>
<link href='http://openid.aol.com/My_ScreenName' rel='openid.delegate'/>
```

openid.server names the provider endpoint the consumer will talk to; openid.delegate names the identity that provider will actually assert, which is what lets the blog URL stand in for the AOL screen name.
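As an added example (not code from the presentation), here is the consumer side of that discovery step: parse the page served at the identity URL for those two link tags (and their OpenID 2.0 equivalents), then check a provider's positive assertion against what the consumer itself discovered rather than against anything named inside the response. The HTML pages are constructed stand-ins and nothing is fetched over the network; signature verification of the assertion is out of scope here.

```python
"""Consumer-side OpenID discovery over <link> tags, plus the consistency check
a consumer must make on the provider's positive assertion.

Added example, not code from the presentation. The pages below are
constructed stand-ins for the HTML served at the identity URL.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Optional


@dataclass
class Discovery:
    claimed_id: str   # the URL the user typed ("I am my URL")
    endpoint: str     # provider endpoint the consumer will send the user to
    local_id: str     # identity the provider will assert (delegate, or the claimed URL itself)
    version: int      # 1 = openid.server/openid.delegate, 2 = openid2.provider/openid2.local_id


class _HeadLinks(HTMLParser):
    """Collect rel -> href for <link> tags inside <head>; a rel may hold several tokens."""

    def __init__(self) -> None:
        super().__init__()
        self.rels = {}
        self._in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_head = False          # link tags in the body do not count
        if tag != "link" or not self._in_head:
            return
        a = dict(attrs)
        href, rel = a.get("href"), a.get("rel")
        if href and rel:
            for token in rel.split():
                self.rels.setdefault(token.lower(), href)   # first occurrence wins


def discover(claimed_id: str, page_html: str) -> Optional[Discovery]:
    """Parse the page served at claimed_id; prefer OpenID 2.0 tags, fall back to 1.x."""
    p = _HeadLinks()
    p.feed(page_html)
    r = p.rels
    if "openid2.provider" in r:
        return Discovery(claimed_id, r["openid2.provider"], r.get("openid2.local_id", claimed_id), 2)
    if "openid.server" in r:
        return Discovery(claimed_id, r["openid.server"], r.get("openid.delegate", claimed_id), 1)
    return None


def assertion_is_consistent(disc: Discovery, asserted_identity: str, responding_endpoint: str) -> bool:
    """The consumer compares the assertion with its OWN discovery result: the identity
    named must be the delegate it found, and the response must come from the endpoint it
    found. Trusting an endpoint or identity named inside the response instead would let
    anyone who runs a provider assert somebody else's URL."""
    return asserted_identity == disc.local_id and responding_endpoint == disc.endpoint


# Constructed page: the two lines from the slide, wrapped in a minimal document.
# The extra <link> in the body is there to show that it is ignored.
BLOG_PAGE = """<html><head><title>ekive</title>
<link href='https://api.screenname.aol.com/auth/openidServer' rel='openid.server'/>
<link href='http://openid.aol.com/My_ScreenName' rel='openid.delegate'/>
</head><body><link rel='openid.server' href='http://evil.example/op'/></body></html>"""

# Constructed page using the OpenID 2.0 tag names for the same kind of delegation.
BLOG_PAGE_V2 = """<html><head>
<link rel="openid2.provider openid.server" href="https://op.example.org/endpoint">
<link rel="openid2.local_id" href="https://op.example.org/id/alice">
</head><body></body></html>"""

if __name__ == "__main__":
    d = discover("http://ekive.blogspot.com", BLOG_PAGE)
    print(d)
    print(assertion_is_consistent(d, "http://openid.aol.com/My_ScreenName", d.endpoint))
    print(assertion_is_consistent(d, "http://openid.aol.com/My_ScreenName", "http://evil.example/op"))
```

The check that matters is the last function: a consumer that accepted whatever endpoint or identity a response named, instead of what it discovered for the claimed URL, would accept an assertion from an attacker's provider for a victim's URL.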
Be a Provider
PHP & OpenLDAP
Be a Provider
JavaEE & OpenDS
OAuth addresses a different need
OAuth is like handing over a valet parking key rather than the master key
- The Terminology
Consumer: the user whose data is being shared
Consumer Application: eg. a photo printer
Service Provider: eg. Flickr photo service
OAuth allows consumers to connect services and share information WITHOUT giving away their user ID and password
OAuth is a standard for delegated access to website APIs (authorization: it grants an application access to a user's data; it does not authenticate the user to a site)
is consistent for developers
is an open specification with open source libraries
Implementing
Register a consumer application with a Service Provider
Provide information about the application
Name, creator, URL etc.
Service Provider assigns a key and secret to the consumer application (the secret is what signs requests, so keep it server-side)
Service Provider documents authorization URLs and methods
Authorization Process

Parameters (sent in the Authorization header, the query string or the request body)
oauth_consumer_key
oauth_token
oauth_signature
oauth_signature_method
oauth_timestamp
oauth_nonce
Why OAuth is good for security
Tokens are passed instead of the username and password
Timestamp and nonce let the Service Provider reject replayed requests
Signed parameters (a signature, not encryption: the request itself is still readable) let the Service Provider recognize the consumer application and detect tampering
User or Provider have the ability to revoke access to a consumer application
Multiple signature methods are supported
HMAC-SHA1, RSA-SHA1, PLAINTEXT over a secure channel (eg. SSL/TLS)
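As an added example, not code from the presentation, the parameters listed above put to work on both sides of the exchange: the consumer application builds the OAuth 1.0 signature base string (the rules are those of RFC 5849, sections 3.4.1 and 3.6) and signs it with HMAC-SHA1; the Service Provider re-derives the signature with the secrets it holds and applies the timestamp window and nonce check that make the replay bullet true. The consumer key, secrets, token, URL and the 300-second window are illustrative values chosen for this example.

```python
"""OAuth 1.0 HMAC-SHA1 request signing and the matching provider-side checks.

Added example, not code from the presentation. Credentials, the request and
the replay window are constructed for illustration.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def oauth_encode(value) -> str:
    """RFC 5849 section 3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal."""
    return quote(str(value), safe="-._~")


def base_string_uri(url: str) -> str:
    """scheme://host[:port]/path with lower-cased scheme and host; default ports and query dropped."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), (p.hostname or "").lower(), p.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{p.path}"


def signature_base_string(method: str, url: str, params) -> str:
    """METHOD & enc(base URI) & enc(sorted normalized parameters). 'params' holds every
    query, body and oauth_* parameter except oauth_signature, as (name, value) pairs."""
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(base_string_uri(url)), oauth_encode(normalized)])


def hmac_sha1(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Key is enc(consumer_secret)&enc(token_secret): the signer proves it knows both."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def all_params(url: str, body: dict, oauth: dict):
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return query + list(body.items()) + [(k, v) for k, v in oauth.items() if k != "oauth_signature"]


def sign_request(method, url, body, consumer_key, consumer_secret, token="", token_secret="",
                 timestamp=None, nonce=None) -> dict:
    """Consumer application side: assemble the oauth_* parameters from the slide and sign."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_hex(8),   # fresh random value per request
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, all_params(url, body, oauth))
    oauth["oauth_signature"] = hmac_sha1(base, consumer_secret, token_secret)
    return oauth


class ServiceProvider:
    """Service Provider side: the checks behind the timestamp/nonce and signature bullets."""

    def __init__(self, consumers: dict, tokens: dict, window_seconds: int = 300):
        self.consumers = consumers   # consumer_key -> consumer_secret
        self.tokens = tokens         # oauth_token -> (consumer_key, token_secret)
        self.window = window_seconds
        self.seen = set()            # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, url, body, oauth, now=None):
        now = int(time.time()) if now is None else now
        ck = oauth.get("oauth_consumer_key")
        if ck not in self.consumers:
            return False, "unknown consumer"
        token_secret = ""
        if oauth.get("oauth_token"):
            entry = self.tokens.get(oauth["oauth_token"])
            if entry is None or entry[0] != ck:       # token must belong to this consumer
                return False, "unknown token"
            token_secret = entry[1]
        if oauth.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"   # PLAINTEXT is not accepted here
        try:
            ts = int(oauth.get("oauth_timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self.window:
            return False, "stale timestamp"
        replay_key = (ck, ts, oauth.get("oauth_nonce"))
        if replay_key in self.seen:
            return False, "replayed nonce"
        expected = hmac_sha1(signature_base_string(method, url, all_params(url, body, oauth)),
                             self.consumers[ck], token_secret)
        if not hmac.compare_digest(expected, oauth.get("oauth_signature", "")):
            return False, "bad signature"
        self.seen.add(replay_key)   # remember only requests that passed every check
        return True, "ok"


if __name__ == "__main__":
    sp = ServiceProvider({"dpf43f3p2l4k3l03": "kd94hf93k423kf44"},
                         {"nnch734d00sl2jdk": ("dpf43f3p2l4k3l03", "pfkkdhi9sl3r4s00")})
    url = "http://photos.example.net/photos?file=vacation.jpg"
    hdr = sign_request("GET", url, {"size": "original"}, "dpf43f3p2l4k3l03", "kd94hf93k423kf44",
                       "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00")
    print(sp.verify("GET", url, {"size": "original"}, hdr))   # accepted
    print(sp.verify("GET", url, {"size": "original"}, hdr))   # same nonce again: rejected
```

Two design points worth noting: the nonce is only recorded after the signature verifies, so an attacker cannot burn a legitimate consumer's nonces with forged requests, and the nonce set is keyed by consumer key and timestamp so that entries older than the window can be expired.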
http://www.eclipse.org/higgins/
Just like a wallet containing identity cards
Q: What is Higgins?
A: Higgins is an open source Internet identity framework designed to integrate identity, profile, and social relationship information across multiple sites, applications, and devices. Higgins is not a protocol, it is software infrastructure to support a consistent user experience that works with all popular digital identity protocols, including WS-Trust, OpenID, SAML, XDI, LDAP, and so on.
Relationship Cards aka R-Cards
Managed Relationships
R-Cards can define groups
(diagram roles: Managing Broker, Broker, Member, Employer, Managing Provider, Provider)
Managed R-Cards for Groups
Provides an open, extensible mechanism for defining and administering group memberships across business partners
Loosely coupled, standards based security integration
An Information hub could act as the Identity Manager issuing the relevant R-Cards
A user may have more than one R-Card
Open Standard Security
Is rapidly being established as a reliable, open mechanism for managing security between sites
Is an extension of, and not a competitor to, existing security mechanisms
Provides additional low cost integration options that will strengthen the role of an industry information hub
Provides a viable route to improved security and an enhanced Internet experience for our users