The I-Card Cloud Selector CloudCard. An introduction to Avoco's fully Cloud based I-Card Selector, CloudCard. A demonstration of the logon process.

Transcript of the slide deck (29 pages), Avoco Secure.

Page 1: Title slide

Avoco Secure: The I-Card Cloud Selector, CloudCard

Page 2: What you will see today

An introduction to Avoco's fully Cloud based I-Card Selector, CloudCard
A demonstration of the logon process using the Cloud selector and a shared secret
A demonstration of the extended use of Information Cards:
◦ Digital signing in the Cloud using Information Cards
◦ Access control of documents using Information Cards

Page 3: CloudCard: What is it?

A fully Cloud based Information Card selector
A leap forward in Information Card usability
Bypasses the world of Windows desktops
Designed to have similar functionality to Windows CardSpace, e.g.
◦ Personal cards can be created
◦ Cards can be imported
◦ Cards can be backed up
◦ Works with standard and auditing cards; not yet tested with other card types, e.g. Relationship and Signalling cards
◦ Like CardSpace, token encryption is left to the IdP for auditing cards

Page 4: Why Bother?

Usability benefits include:
◦ Universal access to your Information Cards
◦ True zero footprint for end users: no plug-ins, ActiveX, downloads, etc.
◦ Access from normal desktops/laptops as well as phones/mobile devices
◦ Test implementation site: https://www.secure2cardspace.com (currently username/password only into the CloudCard portal, but the login method can be almost anything)

Page 5: Nitty Gritty

Extensibility: modular design permits simple use of alternative login protocols, etc.
Portability: written in PHP, so easy to port to other languages such as Java (if needed)
Security: incorporates anti-phishing technology through shared-secret login control
Security: SSL, so MITM attacks are less feasible
Standards: HTML spec to be submitted as a standard

Page 6: RP Use of CloudCard

CloudCard is invoked from the RP web page (the slide describes this as a post; the example shown is a link):

<a href="https://www.secure2cardspace.com/CloudCardA/CardView.php?ampIssuer=www.secure2cardspace.com&amp;RequiredClaims=http....

The link specifies the entry point to the selector, the required card issuer, the required claims, etc., much like invoking a desktop selector. Additionally, the certificate of the RP is included.

Page 7: More on using photos as a shared secret

Used to provide anti-phishing for the I-Card web service account
The user chooses a photo before logging into their account
If the correct photo is displayed, the user can log in knowing the site is genuine
A photo is always presented, to prevent guessing of usernames

[Photo: Sir Henry No-Tail]

Page 8: What's to stop a phisher from relaying?

Diagram (actors: user, phishing server (PS), CS backend):
1. PS generates a phishing page
2. User submits username to the phishing page
3. PS submits the username to the CS backend
4. PS gets the image from the response
5. PS sets the correct image in its fake password entry page

Page 9: Session key with real site

Diagram (actors: user, real site, CS backend):
1. Real site creates the page and sets up a session key
2. User submits username together with the session key data
3. Session key valid: image returned

Page 10: Session key with phishing site

Diagram (actors: user, phishing server (PS), CS backend):
1. PS generates a phishing page
2. User submits username to the phishing page
3. PS submits the username to the CS backend (invalid session key)
4. No response
5. PS cannot set the correct image
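The backend behaviour described on pages 7 to 10, as an added Python model that is not part of the deck or of Avoco's PHP code. The user table, the decoy photo pool, the single-use and time-limited session keys, and the HMAC-selected decoy for unknown usernames are all assumptions made here; the slides only say that a photo is always shown and that a request without a valid session key gets no response.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed sample data: each user's chosen photo is the shared secret that
# is shown before the password prompt (page 7).
USER_PHOTOS = {"susan": "photo_017.jpg", "bob": "photo_342.jpg"}
# Decoy pool so that an unknown username still gets a photo (page 7).
DECOY_PHOTOS = ["decoy_01.jpg", "decoy_02.jpg", "decoy_03.jpg", "decoy_04.jpg"]


class CSBackend:
    """Model of the CS backend on pages 8 to 10 (added example)."""

    def __init__(self, decoy_secret: bytes, ttl_seconds: int = 300):
        self._decoy_secret = decoy_secret
        self._ttl = ttl_seconds
        # session key -> issue time. Assumption: a key is accepted once and
        # only within ttl_seconds of being issued.
        self._issued: Dict[str, float] = {}

    def create_login_page(self, now: Optional[float] = None) -> str:
        """Step 1 (page 9): the genuine site renders the page and sets up a
        session key that is embedded in that page."""
        now = time.time() if now is None else now
        key = secrets.token_urlsafe(32)
        self._issued[key] = now
        return key

    def photo_for(self, username: str, session_key: str,
                  now: Optional[float] = None) -> Optional[str]:
        """Steps 2 and 3: the username arrives with the session key; a photo is
        returned only if the key was issued by us, is unused and is fresh."""
        now = time.time() if now is None else now
        issued = self._issued.pop(session_key, None)     # pop: single use
        if issued is None or now - issued > self._ttl:
            return None                                   # page 10: "No response"
        photo = USER_PHOTOS.get(username)
        if photo is None:
            # Always answer with a photo so the response does not reveal whether
            # the username exists, and make it stable per username so repeated
            # queries cannot tell a decoy from a real photo.
            digest = hmac.new(self._decoy_secret, username.encode(), hashlib.sha256).digest()
            photo = DECOY_PHOTOS[digest[0] % len(DECOY_PHOTOS)]
        return photo


def phishing_relay(backend: CSBackend, username: str) -> Optional[str]:
    """Page 10: the phishing server relays the username but holds no session key
    issued for a page it served, so it cannot obtain the correct image."""
    forged_key = secrets.token_urlsafe(32)
    return backend.photo_for(username, forged_key)
```

The `now` parameter exists so that expiry can be exercised without waiting; production code would use the clock directly.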

Page 11: Weaknesses

No protection against a desktop Trojan / virus (but then the entire system is potentially compromised, including a desktop selector)

Page 12: If you don't like this...

Use your preferred login scheme, e.g. OpenID.

Page 13: Human Beings, Digital Identity and Pictures of Familiar Things

Face recognition and recognition of familiar objects is part of an acquired evolutionary trait that helps us survive
We are good at it
We place trust in our ability to use face recognition and object recognition
We use processes of cheat recognition all the time, every day, to interact with others
An identity system must mesh the real-world me with the digital me
We must use existing human traits when designing the system

Page 14: Further Reading

If you're interested in the research into cheat recognition and similar:

Cartwright, J. (2000). Evolution and Human Behaviour. Palgrave.
Daly, M. and Wilson, M. I. (1999). Human evolutionary psychology and animal behaviour.
Cosmides, L. and Tooby, J., University of California at Santa Barbara: http://www.psych.ucsb.edu/research/cep/primer.html
http://www.psych.ucsb.edu/research/cep/papers/TOMbroadnarrow.pdf

Page 15: Authentication, Authentication or a Bigger Picture

The Avoco Cloud Selector is modular, so
◦ Any of a myriad of authentication techniques can be chosen; this presentation shows one
Important not to forget the big picture:
◦ Usability, for a consumer as well as a business audience
◦ Represents the real-world me in a familiar way: I am me because of these reasons (claims)...
◦ Can be used not just for logging into web sites: identity is more than just access control

Page 16: Current Developments

Authentication:
◦ Digital certificate
◦ OpenID
◦ LiveID
Card authentication specified by the RP
◦ e.g. only a card backed by X.509 can be selected
Seamless upload of cards from IdP to Selector: transparent management for users

Page 17: Futures: Information Cards and OpenID: SymbioticID (SymID)

A system for issuing OpenIDs with an Information Card
Links the two ID systems: best of both worlds
OpenID attributes can be set as an Information Card claim
The Information Card can be authenticated by that OpenID
The OpenID is linked to the extended claims system of the Information Card
Best of each to create a symbiotic ID system

Page 18: Cloud Selectors: Adoption

Requires additional HTML / JavaScript
◦ Recommended for web pages to allow the user to select a Cloud Selector or a Desktop Selector where appropriate / available
How are multiple Selectors to be addressed?
◦ Preconfigured to a single Selector
◦ Preconfigured dropdown list
◦ Dynamic list populated from a discovery service

Page 19: Extending the Uses of Information Cards: Digital Signing in the Cloud

Page 20: Why aren't we all digitally signing?

Digital certificates are user-unfriendly and unpopular
People don't like to install software, including browser plug-ins
Current solutions for signing on-line forms are open to denial of signing, because only the form text is included in the signature
Therefore, to encourage digital signing, these issues must be addressed

Page 21: Signing in the Cloud

Avoco Secure have developed the first truly Cloud based digital signing
Can be used:
◦ On any operating system
◦ Using any browser
◦ From desktops, laptops, mobile devices, phones and so on
Signing does not require the user to have an X.509 certificate, but a standard PKCS#7 signature is produced
Nothing to install: fully Cloud based
Non-repudiation addressed

Page 22: Digital Signing and Identity

It is always a problem to identify the signer
Avoco: generate a repeatable RSA key pair from ID info, e.g.
◦ Information Card claims
◦ OpenID attributes
◦ ATM card numbers
◦ Passwords
◦ etc., etc.
◦ Exact data specified by the host
Key pair -> transient X.509 certificate used to sign with; certificate and key pair destroyed after signing

Page 23: Non-Repudiation of Signature

Image of the completed form incorporated into the digital signature
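The two ideas on pages 22 and 23, a repeatable key pair derived from identity data and a signature that also covers the image of the completed form, as an added Python example. This is not Avoco's code: the PBKDF2 seeding, the HMAC-based deterministic generator, the pure-Python RSA and the length-prefixed digest over text plus image are choices made here, the host salt and claim values are constructed, and the 512-bit modulus is for speed only (the product produces PKCS#7 with a transient X.509 certificate, which is not reproduced). One caveat a practitioner should keep in mind: a key derived this way is exactly as strong as the entropy and secrecy of the inputs, so anyone who knows the same ID data and salt can derive the same private key.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

E = 65537
# DER prefix of DigestInfo for SHA-256 (EMSA-PKCS1-v1_5, RFC 8017 section 9.2)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _drbg(seed: bytes):
    """HMAC-SHA256 counter generator: the same seed always yields the same bytes.
    Assumption: stands in for whatever seeded generator the product uses."""
    counter = 0
    while True:
        yield from hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1


def _is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; adequate for a demo-sized key."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _next_prime(stream, bits: int) -> int:
    """Draw candidates from the seeded stream until one is prime."""
    while True:
        cand = int.from_bytes(bytes(next(stream) for _ in range(bits // 8)), "big")
        cand |= (1 << (bits - 1)) | 1                       # full length and odd
        if _is_probable_prime(cand) and (cand - 1) % E != 0:  # keeps gcd(E, phi) = 1
            return cand


def derive_transient_keypair(id_info: Dict[str, str], host_salt: bytes, bits: int = 512):
    """Page 22: a repeatable RSA key pair from identity data chosen by the host.
    Canonical JSON of the data -> PBKDF2 seed -> seeded prime search.
    512 bits is for speed in a demo; real signatures need 2048 bits or more."""
    canonical = json.dumps(id_info, sort_keys=True, separators=(",", ":")).encode()
    seed = hashlib.pbkdf2_hmac("sha256", canonical, host_salt, 100_000)
    stream = _drbg(seed)
    p = _next_prime(stream, bits // 2)
    q = _next_prime(stream, bits // 2)
    while q == p:
        q = _next_prime(stream, bits // 2)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def _form_digest(form_text: str, form_image: bytes) -> bytes:
    """Page 23: the digest covers the rendered image of the completed form as well
    as the form text, so the signer cannot later dispute what was shown."""
    h = hashlib.sha256()
    for part in (form_text.encode(), form_image):
        h.update(len(part).to_bytes(4, "big") + part)      # length-prefixed: unambiguous
    return h.digest()


def _encode(digest: bytes, k: int) -> int:
    t = SHA256_DIGESTINFO + digest
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def sign_form(id_info: Dict[str, str], host_salt: bytes,
              form_text: str, form_image: bytes) -> Tuple[bytes, Tuple[int, int]]:
    """Derive the transient key, sign, and discard the private half (page 22).
    Returns the signature and the public key a verifier needs; in the product
    that public key would travel in the transient X.509 certificate."""
    public, private = derive_transient_keypair(id_info, host_salt)
    n, d = private
    k = (n.bit_length() + 7) // 8
    signature = pow(_encode(_form_digest(form_text, form_image), k), d, n).to_bytes(k, "big")
    del private, d                                          # nothing of the private key is kept
    return signature, public


def verify_form(public: Tuple[int, int], form_text: str,
                form_image: bytes, signature: bytes) -> bool:
    """Standard RSASSA-PKCS1-v1_5 check against the same text-plus-image digest."""
    n, e = public
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    return pow(int.from_bytes(signature, "big"), e, n) == _encode(_form_digest(form_text, form_image), k)
```

Because the key pair is a pure function of the identity data and the host salt, deriving it twice gives the same public key, which is what lets the product throw the key away after signing; changing any input, including the rendered form image, invalidates the signature.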

Page 24: Other

Incorporates a timestamp (RFC 3161)
Emails the signature to the user
Signature verifiable by common tools as well as the Avoco on-line verifier

Page 25: Demo

Demo of CloudCard with Cloud Signing

Page 26: Extending the Uses of Information Cards: Controlling Access and Applying Usage Policies to Documents and Emails

Page 27: And there's more...

Controlling access to documents and emails using identity information from Information Cards
◦ secure2trust
◦ secure2email
◦ secure2access
Claims used to:
◦ Control document and email access
◦ Apply usage policies, post access
Done in a content-centric manner
Security is persistent across perimeters
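The claims-based access and post-access usage control on page 27, as an added Python sketch that is not the deck's or Avoco's code and says nothing about how secure2trust, secure2email or secure2access are built. The policy-carried-with-the-content shape, the token dictionary layout, the issuer check and the expiry field are assumptions made here; the claim URI is the standard Information Card e-mail claim.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Standard Information Card claim namespace; token and policy values below are constructed.
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EMAIL = CLAIMS + "emailaddress"


@dataclass
class UsagePolicy:
    """Rights that apply after access is granted (page 27: usage policies, post access)."""
    viewing: bool = True
    printing: bool = False
    copying: bool = False
    expires: Optional[float] = None   # assumption: deadline after which the document no longer opens


class OpenedDocument:
    """Handle through which post-access rights are enforced."""

    def __init__(self, content: bytes, usage: UsagePolicy):
        self._content, self._usage = content, usage

    def view(self) -> bytes:
        return self._content if self._usage.viewing else b""

    def print_allowed(self) -> bool:
        return self._usage.printing

    def copy(self) -> Optional[bytes]:
        return self._content if self._usage.copying else None


@dataclass
class ProtectedDocument:
    """Content-centric protection: the policy travels with the content, so it is
    enforced wherever the document ends up (page 27: persistent across perimeters)."""
    content: bytes
    trusted_issuer: str                 # only cards from this issuer are accepted
    required_claims: Dict[str, Set[str]]  # claim URI -> acceptable values
    usage: UsagePolicy = field(default_factory=UsagePolicy)

    def open(self, token: Dict, now: Optional[float] = None) -> Optional[OpenedDocument]:
        """Gate access on the claims in an Information Card token (constructed
        dict with 'issuer' and 'claims' keys); None when any check fails."""
        now = time.time() if now is None else now
        if token.get("issuer") != self.trusted_issuer:
            return None                                   # untrusted card issuer
        if self.usage.expires is not None and now > self.usage.expires:
            return None                                   # policy deadline passed
        claims = token.get("claims", {})
        for uri, acceptable in self.required_claims.items():
            if claims.get(uri) not in acceptable:
                return None                               # claim missing or not allowed
        return OpenedDocument(self.content, self.usage)
```

The point of returning a handle rather than the bytes is that the usage policy keeps applying after the access decision: the recipient can view but, under this policy, neither print nor copy.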

Page 28: Demo

Demo of document access control and policy application

Page 29: Thanks for your time

Susan Morrow
Head of Product Development, Avoco Secure
[email protected]