
Identity

Identity. Presented by Patrick Burke and Christian Loza. Introduction. The Internet has changed the way we do business forever. In cyberspace, our identity has changed too, and a Digital Identity has emerged.


Presentation Transcript


  1. Identity presented by Patrick Burke and Christian Loza

  2. Introduction • The Internet has changed the way we do business forever. • In cyberspace, our Identity has changed too, and a Digital Identity has emerged. • Identity can be defined as a set of characteristics that uniquely identifies us (or a digital entity)[1].

  3. Introduction • CONCEPTS • Identity: Set of characteristics that identifies a given entity. • Identification: Recognizing someone as a specific individual. • Authentication: Process to make sure the Identification is valid. • Authorization: Set of resources given to a certain entity, based on the identity.

  4. Introduction • In the physical world, users can be identified by physical characteristics, such as hair color, height, skin color, etc. • On the Internet, users are identified by sets of information, such as SSN, Name, Credit Card number, Address, Phone number, etc.

  5. Introduction • Most services have moved to the Internet • Electronic Commerce • Electronic Government • Electronic Learning • Electronic Marketing • Electronic Publishing

  6. Introduction • To interact with these service providers on the Internet, people use their Digital Identity.

  7. Introduction • One of the drawbacks of human-centric electronic interactions is the fuzziness of the image of the other partner over the network.

  8. Introduction • Ensuring security and privacy in a distributed communication system such as the Internet is crucial. • Crimes related to Identity theft have become a major threat to the growth of commerce over the Internet.

  9. Introduction • Identity-related misuse and concerns[2] • Identity theft: Someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception[3]. • Malicious change of information: Someone wrongfully changes another person's personal information, or their own, to do harm or for self benefit. • Secondary use: Somebody impersonates someone else for personal benefit. • And the list keeps growing

  10. Federated Identity - Some facts • Below are some institutions and people believed to be victims of Identity theft. • Bill Gates • CIA, NASA, Justice Department • Wells Fargo • Bank of America • Ebay • UNT?

  11. Problem Definition • Identity has brought more complexity to the business model • Any person may now be using multiple identities to access multiple service providers on the Internet • Multiple identities also mean redundant costs and increasing problems

  12. Problem Definition • One of the technologies that has emerged to solve the increasing complexity of Identity management across multiple organizations is Federated Identity

  13. Problem Definition • Federated Identity is a digital credential analogous to a country passport[4] • Trust negotiation model: The gradual interchange of credentials between two entities, with the goal of establishing Trust and finally exchanging resources • Our task is to review proposed designs for an efficient scheme for such federated interchange

  14. Problem Definition • Different sets of information from the Identity may be needed by different organizations

  15. Federated Identity (diagram): organizations A, B and C each need a different, overlapping subset of the identity attributes Name, Address, Phone Number, PO Box, SSN, Credit Card, Billing Address and Passport Number.

  16. Federated Identity - Credentials negotiation • Disclosure policies • Credential combinations are required for disclosure of sensitive information • Negotiation between User and Service Providers, and among Service Providers.

  17. Federated Identity - Scalability • KEY CONCEPTS for Scalability of Federated Identity • Has to work with the Browser as the client-side software • Centralized Approach • Identity- or Capability-based credentials

  18. Federated Identity - Scalability (diagram)

  19. Federated Identity - Privilege management • Both Federated Identity and Privilege Management are cornerstones of a Management Framework • A mechanism for Federated Identity and Privilege Management should satisfy at least eight requirements:

  20. Federated Identity - Requirements • SSO (Single sign-on): Persistence of user identity across the enterprise domains, allowing users to transfer their authorizations across multiple points of policy enforcement • Effective access control: The access control should be fine-grained, to keep up with dynamically evolving enterprise resources.

  21. Federated Identity - Requirements • Decentralized model: The system should not rely on a centralized access point; instead, it should be distributed • Authentication for strangers: In the new distributed Internet environment, there is no longer any advance knowledge of identities or capabilities.

  22. Federated Identity - Requirements • Trust, Anonymity and Privacy: Privacy protection is becoming an increasing concern, from both a social and a legal perspective. It is a compromise, since avoiding name-binding complicates trust establishment. • Standardized approach: The solution should be able to integrate with other systems, using existing accepted standards.

  23. Federated Identity - Requirements • Browser based: Nobody wants to install client-side applications • Technology issues: Cookies and JavaScript are being used. Nevertheless, they have proved to be a security problem, even though they are better than the other options

  24. Federated Identity - Ideal Scheme (flow diagram, steps in order): 1. Request page → 2. Auto redirect → 3. Redirect → 4. Request credentials → 5. Login → 6. Redirect w/tickets in header → 7. Request page w/credentials → 8. Set ticket
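As an added illustration of the eight-step scheme above (this is not code from the presentation or from any product it reviews), the following Python replays the browser, service provider (SP) and identity provider (IdP) exchange with a signed, expiring, audience-bound ticket; the shared key, hostnames and user database are constructed assumptions.

```python
import base64, hashlib, hmac, json

# Constructed shared key between SP and IdP (assumption); as with Passport's
# per-merchant keys it would have to be distributed out of band.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"
USERS = {"alice": "correct horse"}  # constructed IdP user database

def idp_login(username, password, audience, now):
    """Steps 4-5: the IdP checks the credentials and issues a signed, expiring ticket."""
    if USERS.get(username) != password:
        return None
    body = json.dumps({"sub": username, "aud": audience, "exp": now + 300}).encode()
    sig = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(body).decode(),
                      base64.urlsafe_b64encode(sig).decode())

def sp_validate(ticket, expected_aud, now):
    """Steps 7-8: the SP checks signature, audience and expiry before setting a session."""
    try:
        body_b64, sig_b64 = ticket.rsplit(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # malformed ticket (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(sig, hmac.new(SHARED_KEY, body, hashlib.sha256).digest()):
        return None
    claims = json.loads(body)
    if claims.get("aud") != expected_aud or claims.get("exp", 0) < now:
        return None
    return claims["sub"]

def sso_flow(username, password, sp="shop.example", idp="idp.example", now=1_000_000):
    """Replays the eight steps as (step, direction, message) and returns the SP's user."""
    trace = [(1, "browser->SP", "GET /page"),
             (2, "SP->browser", "302 Location: %s/login?return=%s" % (idp, sp)),
             (3, "browser->IdP", "GET /login?return=%s" % sp),
             (4, "IdP->browser", "200 login form (request credentials)"),
             (5, "browser->IdP", "POST /login username+password")]
    ticket = idp_login(username, password, sp, now)
    if ticket is None:
        return trace + [(6, "IdP->browser", "401 login failed")], None
    trace.append((6, "IdP->browser", "302 Location: %s/page + ticket in header" % sp))
    trace.append((7, "browser->SP", "GET /page with ticket"))
    user = sp_validate(ticket, sp, now)
    trace.append((8, "SP->browser", "Set ticket for %s" % user if user else "403 bad ticket"))
    return trace, user
```

The audience check is what stops a ticket issued for one service provider from being replayed at another, which the diagram alone does not make explicit.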

  25. Federated Identity - Examples • MSN Passport (developed by Microsoft) • Kerberos (developed by MIT) • X.509 (Network Working Group, Certificate Management Protocol) • RBAC (research proposal)

  26. Federated Identity - MSN Passport (flow diagram, steps in order): 1. Request page → 2. Auto redirect → 3. Redirect → 4. Request credentials → 5. Login & passport → 6. Redirect w/tokens in header → 7. Request page w/credentials → 8. Set cookie

  27. Federated Identity - MSN Passport • Centralized Model • Credentials and no Tickets • Used to authenticate users of Hotmail and MSN Messenger. Other users include Zurich, GMAC • The biggest Federated Identity system is Passport, from Microsoft

  28. Federated Identity - MSN Passport • Processes 3.5 billion authentications each month • Uses XML as the core • Uses SSL • Passport requires a triple DES key shared with each organization. • The keys must be generated securely, and given to the merchants out of band. • Some keys were broken because of the poor randomness of the generated keys

  29. Federated Identity - MSN Passport - Problems • Centralized point of attack, against the distributed nature of the Internet; vulnerable to DoS attacks • Due to the cookie architecture, a Service can impersonate MSN Passport and delete all the cookies on the clients (usable for DoS attacks). • JavaScript and cookie technologies have proved to be insecure.

  30. Federated Identity - MSN Passport - Problems • Bugs have a great impact • MSN found problems many times, bringing down all services depending on Passport • One example was a failure in the password resetting mechanism

  31. Federated Identity - Kerberos (flow diagram, symmetric keys, steps in order): 1. Request page → 2. Auto redirect → 3. Redirect → 4. Request credentials → 5. Login → 6. Redirect w/tokens in header → 7. Request page w/credentials → 8. Set ticket

  32. Federated Identity - Kerberos • Developed by MIT's Project Athena • Allows mutual authentication and secure communications over the network • Uses symmetric key encryption, and authentication credentials • Authentication credentials are based on identity, and are suited for access control lists. The main problems for Identity Management are centralization and name binding.

  33. Federated Identity - Kerberos - Problems • Kerberos is Identity Based, which causes problems for scalability. Key concept: avoid name-binding • Suitable for access roles. Nevertheless, symmetric keys are not suited for Federations and Distributed Identity Management

  34. Federated Identity - X.509 (flow diagram, asymmetric keys, steps in order): 1. Request page → 2. Auto redirect → 3. Redirect → 4. Request credentials → 5. Login → 6. Redirect w/tokens in header → 7. Request page w/access privileges → 8. Set privileges

  35. Federated Identity - X.509 • X.509 is a Certificate Scheme for Authentication • Based on Public Key Infrastructure (PKI) • The Access Control Credential is called an Attribute Certificate • Asymmetric authentication • Integrated approach to Authentication and Authorization

  36. Federated Identity - X.509 Problems • Integrated approach to Authentication and Authorization, which is not good in all contexts. • This is because not all the system-specific capabilities may be known in advance. • Access control credentials are not sufficient to meet effective Access Control requirements. Key concept: Not Scalable

  37. Identity - Role-Based Access Control (RBAC) • Current Enterprise solutions employ a combination of physical security, passwords, and Role-based Access Control to ensure the identity of a user • Physical security and passwords protect the system from intrusion. • Role-based Access Control limits access to documents and data on a "need to know" basis

  38. Identity - Role-Based Access Control (RBAC) • Access rules are established with sets of access pairs which associate users and their corresponding permissions: • (user, permissions) • While RBAC is supported by many specific application packages (Oracle and Sybase, for example), the method will be described with a brief look at XML

  39. Federated Identity - XML Public Protocols • SAML (Security Assertion Markup Language) • XML based • Avoids the limitations of cookies • SSO Interoperability: Different implementations can be compatible • Web Services: Suited to work in browser environments • Federations: Can simplify Federation usability

  40. Federated Identity - XML-Based Doc Security • X-Sec [5] is one notional XML-based control system with the following components: • Credential-types (ct): user type definitions • Example: manager, customer, carrier • (n_ct, P_ct), where n_ct is the name of the credential-type and P_ct is the set of property specifications for the ct. (Figure: XML credential-type and corresponding graph representation [5])

  41. XML-Based Doc Security • X-Sec Components (cont.) • Credential: an instantiation of a credential-type • Specifies the set of property values characterizing a given subject against the credential-type itself • Physical credentials are certified by the credential issuer (Figure: XML credential and corresponding graph representation [5])

  42. XML-Based Doc Security • X-Sec Components (cont.) • Security Policy Base Template: Specifies credential-based security policies based on enterprise protection requirements • Documents to which the policy applies • Portions of documents within target documents • Access Modes • Propagation mode for the policy

  43. XML-Based Doc Security • X-Sec Components (cont.) • Security Policy Base Instantiation • Example (figure) • Secretaries in sales can access and modify all purchase order documents • UPS employees can access information about the customer, carrier, and order id.
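An added example (not from the presentation or from the X-Sec paper it cites) of how the X-Sec components above fit together: credential-types as (n_ct, P_ct), XML credentials instantiated from them, and a policy base evaluated against a purchase order document for the two example policies. The XML, element names and policy encoding are constructed assumptions, and the propagation mode is left out.

```python
import xml.etree.ElementTree as ET

# Credential-types (n_ct, P_ct): the type name and the properties a credential must carry.
CREDENTIAL_TYPES = {"secretary": ["department"], "carrier": ["company"]}

# Constructed XML credentials, each an instance of one credential-type above.
CRED_XML = ("<credentials><secretary id='c1'><department>sales</department></secretary>"
            "<carrier id='c2'><company>UPS</company></carrier></credentials>")

# Constructed purchase-order document that the policies protect.
ORDER_XML = ("<purchase_order id='po-17'><customer>Acme Corp</customer><carrier>UPS"
             "</carrier><order_id>17</order_id><price>1200</price></purchase_order>")

# Constructed security policy base: which credentials may access which portions of
# which documents in which access modes (propagation mode omitted for brevity).
POLICIES = [
    {"ct": "secretary", "where": {"department": "sales"}, "doc": "purchase_order",
     "portions": ["*"], "modes": {"read", "write"}},
    {"ct": "carrier", "where": {"company": "UPS"}, "doc": "purchase_order",
     "portions": ["customer", "carrier", "order_id"], "modes": {"read"}},
]

def validate_credential(cred):
    """A credential is well-formed only if it carries every property of its type."""
    spec = CREDENTIAL_TYPES.get(cred.tag)
    return spec is not None and all(cred.find(p) is not None for p in spec)

def matches(policy, cred):
    """A policy applies when the credential-type and its property values match."""
    return cred.tag == policy["ct"] and all(
        cred.findtext(k) == v for k, v in policy["where"].items())

def allowed_portions(cred, doc, mode):
    """Element names of `doc` that `cred` may access in `mode` (empty set if none)."""
    if not validate_credential(cred):
        return set()
    out = set()
    for pol in POLICIES:
        if pol["doc"] != doc.tag or mode not in pol["modes"] or not matches(pol, cred):
            continue
        wanted = [c.tag for c in doc] if pol["portions"] == ["*"] else pol["portions"]
        out.update(p for p in wanted if doc.find(p) is not None)
    return out

def portions_for(cred_id, mode, cred_xml=CRED_XML, doc_xml=ORDER_XML):
    """Look up a credential by id and evaluate it against the document."""
    cred = next(c for c in ET.fromstring(cred_xml) if c.get("id") == cred_id)
    return allowed_portions(cred, ET.fromstring(doc_xml), mode)
```

A credential missing a property required by its type, or carrying a value no policy names, yields no access at all, which is the fail-closed behaviour a policy base should have.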

  44. XML-Based Doc Security - Assessment PRO: • Highly available in commercial products • Easy to set up • Training is readily available • Highly effective in a CLOSED and TRUSTED environment CON: • Often difficult to REMOVE users • Impractical in an open user environment • Not a long-term Internet solution • Passwords can be stolen, resulting in unauthorized access • Periodic password changes make remembering passwords difficult • Left to their own devices, people tend to choose passwords that are easy to guess

  45. Biometrics • DEFINITION • Any and all of a variety of identification techniques which are based on some physical or behavioral characteristic of the individual, contrasted with the larger population. Unique digital identifiers are created from the measurement of this characteristic. • Physiological Biometrics • Fingerprints, hand and/or finger geometry, eye (retina or iris), face, and wrist (vein) • Behavioral Biometrics • Voice, signature, typing behavior, and pointing

  46. Biometrics OVERVIEW • User digital template is created during an “enrollment period” and stored in a database • On attempted verification, the relevant template is extracted, compared with the data input • ATM card is still required to point at the correct digital template • Verification is based on statistical techniques of comparison between the two

  47. Biometrics - Some devices that use Biometrics (images)

  48. Benchmarks • The eight points can be used to measure whether an Identity Management Protocol is suited for scalability and Federated use. • Browser features can be used as a metric: use of cookies, use of JavaScript, use of XML

  49. Biometrics - Benchmarks • BENCHMARKS for Biometrics • Template size • Speed of enrollment • False Accept Rate • False Reject Rate

  50. Biometrics - Benchmarks - ASSESSMENT PRO • When it works, it works best • Generally acceptable in controlled group settings CON • Bad user perceptions • May be misused • May harm eyes • Input quality degrades with age • Unacceptable False Reject Rates • 17% - facial • 10% - finger swipe
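An added example, not from the presentation, showing how the False Accept Rate and False Reject Rate benchmarks listed above are computed from matcher scores, and how the decision threshold trades one rate against the other; the genuine and impostor scores are constructed.

```python
# Constructed matcher scores in [0, 1]: higher means the probe looks more like the
# stored template. GENUINE are comparisons against the subject's own template,
# IMPOSTOR are comparisons against someone else's template.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.83, 0.67, 0.90, 0.86, 0.79, 0.93]
IMPOSTOR = [0.21, 0.35, 0.48, 0.12, 0.66, 0.30, 0.41, 0.55, 0.27, 0.73]

def far(impostor, threshold):
    """False Accept Rate: share of impostor comparisons accepted (score >= threshold)."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def frr(genuine, threshold):
    """False Reject Rate: share of genuine comparisons rejected (score < threshold)."""
    return sum(s < threshold for s in genuine) / len(genuine)

def tradeoff(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) rows; raising the threshold lowers FAR and raises FRR."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]

def equal_error_threshold(genuine, impostor):
    """Threshold, chosen among observed scores, where FAR and FRR are closest (EER point)."""
    candidates = sorted(set(genuine) | set(impostor))
    return min(candidates, key=lambda t: abs(far(impostor, t) - frr(genuine, t)))

def meets_target(genuine, impostor, threshold, max_far, max_frr):
    """Benchmark check: does the device satisfy both rate targets at this threshold?"""
    return far(impostor, threshold) <= max_far and frr(genuine, threshold) <= max_frr
```

A vendor quoting only one of the two rates has chosen a threshold that flatters it; the benchmark needs both rates at the same threshold.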
