
INTERNET 2009

INTERNET 2009. CardSpace-Liberty Integration for CardSpace Users. IDtrust 2010, 13/4/2010. Haitham Al-Sinani (H.Al-Sinani@rhul.ac.uk), Information Security Group, Royal Holloway, University of London. http://isg.rhul.ac.uk/


Presentation Transcript


  1. INTERNET 2009. CardSpace-Liberty Integration for CardSpace Users. IDtrust 2010, 13/4/2010. Haitham Al-Sinani (H.Al-Sinani@rhul.ac.uk), Information Security Group, Royal Holloway, University of London. http://isg.rhul.ac.uk/

  2. Acknowledgments

  3. Agenda • Introduction • CardSpace • Liberty • Integration Scheme • Analyses • Concluding remarks • Q/A Information Security Group

  4. User Identities: multiple identities for multiple accounts.

  5. Multiple Identities • Hard to manage multiple identities (hence poor security practices) • May result in identity theft

  6. Identity difficulties: development of identity management systems (IdMSs) such as Liberty Alliance, OpenID and CardSpace, which are non-interoperable.

  7. Agenda • Introduction • CardSpace • Liberty • Integration Scheme • Analyses • Concluding remarks • Q/A Information Security Group

  8. CardSpace • Ships by default with Windows Vista and 7 • Supports user authentication and exchange of attributes • Digital ID cards come in two kinds: Personal Cards (issued by the local SIP) and Managed Cards (issued by a remote IdP), both used at website(s)

  9. CardSpace – SIP Mode. Acronyms: RP: Relying Party, e.g. website. SIP: Self-issued Identity Provider. CIdS: CardSpace Identity Selector. RST: Request Security Token. RSTR: Request Security Token Response. Flow: 1. Request protected resource. 2. RP policy: “Can I have a SAML token, containing First Name, E-mail, PPID, issued by SIP, please?” 3. CIdS highlights InfoCards that satisfy the RP policy. 4. User picks a card. 5. Token is requested from the SIP (RST). 6. Token is created (RSTR). 7. Token is presented to the RP.

  10. CardSpace – SIP Mode [more details]. Acronyms: UA: User Agent, e.g. web browser (IE8). RP: Relying Party, e.g. website. CIdS: CardSpace Identity Selector. SIP: Self-Issued Identity Provider. • UA → RP: HTTP/S Request, GET (Login Page). • RP → UA: HTTP/S Response, Login Page + RP Policy. • User → UA: CardSpace option clicked, and CIdS invoked. • UA ↔ CIdS: RP policy passed, matching InfoCards highlighted, the rest greyed out. • User ↔ CIdS: Picks/sends an InfoCard. • CIdS ↔ SIP: Exchange of RST & RSTR. • CIdS → UA → RP: RSTR. • User ↔ RP: Grants/denies access. Example request shown on the slide: GET /index.html HTTP/1.1 Host:www.myopenid.com/signin_password

  11. Agenda • Introduction • CardSpace • Liberty • Integration Scheme • Analyses • Concluding remarks • Q/A Information Security Group

  12. Liberty Alliance Project • Consortium of (150+) companies interested in SSO & IdM • As of 2006, more than one billion Liberty-enabled identities & devices • Builds open standard-based specifications for an ‘open’ XML-based SSO system

  13. Liberty Profiles. ‘The combination of message content specification and message transport mechanisms for a single client type is termed a Liberty profile [1]’. Profiles: Liberty Artifact; Liberty-Enabled Client (LEC); Liberty Browser Post. [1] S. Cantor, J. Kemp, and D. Champagne (editors). Liberty ID-FF Bindings and Profiles Specification. Liberty Alliance Project, 2004.

  14. Liberty Browser Post. Parties: User Agent, Service Provider (SP), Identity Provider (IdP). 1. UA → SP: Request protected resource. 2. SP: Obtain IdP. 3. SP → UA: Redirect to IdP + AuthRequest. 4. UA → IdP: GET <IdP SSO service>?<AuthRequest>. 5. IdP: Process AuthRequest. 6. IdP → UA: HTML form (post) to SP containing <AuthResponse>. 7. UA → SP: POST <AuthResponse>. 8. SP: Process assertion. 9. SP → UA: Grant/deny access.

  15. Agenda • Introduction • CardSpace • Liberty • Integration Scheme • Analyses • Concluding remarks • Q/A Information Security Group

  16. Interoperability --- Motivation • Identity systems are proliferating ... (Liberty, Shibboleth, OpenID, CardSpace) • Each system offers a somewhat distinct user experience • Different experiences may lead to user confusion, which in turn could lead to phishing, pharming, etc. • Interoperation could lead to a consistent user experience, hence better security ...

  17. CardSpace Liberty

  18. Why CardSpace-Liberty? (1/3)

  19. Why CardSpace-Liberty? (2/3) • Liberty: wide adoption (as of 2006, more than one billion Liberty-enabled identities & devices) • CardSpace: slow adoption • Interoperation could extend the applicability of CardSpace; hence, adoption is likely to increase

  20. Why CardSpace-Liberty? (3/3) • Wide adoption on both sides: CardSpace ships by default in Windows Vista/7, and Windows is used world-wide; as of 2006, more than one billion Liberty-enabled identities & devices • Hence practically useful for large numbers of identity management users and SPs

  21. Interoperation Support --- Where? On the client side: CardSpace personal cards are used to make Liberty IdPs available via the CardSpace identity selector (the server-side parties may not be prepared to accept the associated burden). • Practically useful • Server performance not affected • Net load reduction

  22. Integration scheme - Preconditions

  23. Integration scheme - LibertyCards. The user must create a LibertyCard, which contains (at least): • the address of the Liberty IdP • a trigger sequence, e.g. “Liberty”

  24. Integration Scheme - How? The integration scheme is built on two components. Browser extension: responsible for intercepting, inspecting and modifying web pages; responsible for automatically forwarding security tokens; responsible for etc. CardSpace Identity Selector: responsible for storage of Liberty IdPs’ addresses via personal cards, i.e. LibertyCards; different LibertyCards represent different Liberty IdPs.

  25. Integration Protocol [Detailed View]

  26. Parties: RP (CardSpace-enabled), IdP (Liberty-enabled), User agent, Id selector, Plug-in. 1. UA → RP: Request protected resource. 2. RP → UA: HTTP auth response (RP policy embedded in object tag). 3. Plug-in: pre-process & prepare to intercept SAML token. 4. User invokes CardSpace. 5. Id selector: highlight matching cards. 6. User selects a LibertyCard. 7. Id selector → SIP: SAML request (RST). 8. SIP → Id selector: SAML response (RSTR). 9. Plug-in: catch SAML response, modify to Liberty SAML request. 10. Plug-in → IdP: forward SAML request. 11. IdP → UA: SAML response (auth token). 12. Plug-in: display token, obtain user consent & forward the token to the RP. 13. RP: Grant/Deny access.

  27. Integration Scheme [summary]. Acronyms: RP: Relying Party, e.g. website. IdP: Identity Provider, e.g. website. CIdS: CardSpace Identity Selector. Flow: 1. Request protected resource. 2. CardSpace RP policy: “Can I have a SAML token, containing PPID, issued by *any*, please?” 3. Process RP Policy. 4. CIdS highlights InfoCards that satisfy the RP policy. 5. User picks a card. 6. Generate Liberty AuthReq. 7. Liberty IdP: AuthToken is created. 8. Approve Token? 9. Token is presented.
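The plug-in decisions described in slides 23–27, as an added example that is not the paper's code: the LibertyCard field names, the RP policy object, the "<trigger>:<address>" claim encoding and the simplified AuthnRequest layout are all assumptions; the slides only fix that a LibertyCard holds a Liberty IdP address plus a trigger sequence, and the policy wording on slide 27.

```javascript
// Added example (not from the paper): a model of the plug-in's decisions in
// slides 23-27. Card field names, the RP policy object and the AuthnRequest
// layout are assumptions; the slides only fix that a LibertyCard holds the
// Liberty IdP address plus a trigger sequence, and the policy on slide 27.
const TRIGGER = "Liberty";                          // trigger sequence, slide 23
const SELF_ISSUED = ["FirstName", "Email", "PPID"]; // claims a personal card supplies (slide 9)

// Constructed sample inputs (not from the paper).
const rpPolicy = { issuer: "*any*", requiredClaims: ["PPID"] };  // slide 27, step 2
const libertyCardToken = { PPID: "ppid-123", WebPage: "Liberty:https://idp.example.org/sso" };
const ordinaryCardToken = { PPID: "ppid-456", WebPage: "https://blog.example" };

// Slide 27 step 3: a LibertyCard can only satisfy the RP policy if the RP
// accepts tokens from *any* issuer and asks only for self-issued claims.
function policyAllowsLibertyCard(policy) {
  return policy.issuer === "*any*" &&
         policy.requiredClaims.every(c => SELF_ISSUED.includes(c));
}

// Slide 26 step 9: inspect the SIP's token; a claim carrying the trigger
// sequence marks a LibertyCard and yields the IdP address. Assumed encoding:
// "<trigger>:<address>" in one claim value.
function extractLibertyIdP(token) {
  for (const value of Object.values(token)) {
    if (typeof value === "string" && value.startsWith(TRIGGER + ":")) {
      const idp = value.slice(TRIGGER.length + 1);
      // Defensive check: only forward to an https IdP, so a tampered card
      // cannot make the plug-in send the AuthnRequest over plaintext.
      if (!/^https:\/\/[^\s/]+/.test(idp)) throw new Error("IdP address must be https");
      return idp;
    }
  }
  return null; // ordinary personal card: the plug-in leaves the flow alone
}

const esc = s => s.replace(/[<>&"]/g, c => ({ "<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;" }[c]));

// Slide 14 step 4 / slide 27 step 6: build the (simplified, unsigned) Liberty
// AuthnRequest and the GET URL to the IdP's SSO service.
function buildAuthnRequest(idpAddress, rpProviderId, requestId) {
  const xml = `<lib:AuthnRequest RequestID="${esc(requestId)}" MajorVersion="1" MinorVersion="2">` +
              `<lib:ProviderID>${esc(rpProviderId)}</lib:ProviderID></lib:AuthnRequest>`;
  return { url: idpAddress + "?AuthnRequest=" + encodeURIComponent(xml), xml };
}

// Slide 26 step 12: show the token and forward it to the RP only on consent.
function forwardToken(authToken, userConsented) {
  return userConsented ? { forwardedTo: "RP", token: authToken } : null;
}
```

A real deployment would also have to sign the AuthnRequest and encode it as the Liberty bindings require; the block only models the plug-in's branching.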

  28. Agenda • Introduction • CardSpace • Liberty • Integration Scheme • Analyses • Concluding remarks • Q/A Information Security Group

  29. Integration Scheme - Analyses (1/2)

  30. Integration Scheme - Analyses (2/2)

  31. Agenda • Introduction • CardSpace • Liberty • Integration Scheme • Analyses • Concluding remarks • Q/A Information Security Group

  32. Concluding Remarks

  33. Agenda • Introduction • CardSpace • Liberty • Integration Scheme • Analyses • Concluding remarks • Q/A Information Security Group

  34. Thank you! Any Questions? Information Security Group

  35. INTERNET 2009. CardSpace-Liberty Integration for CardSpace Users. IDtrust 2010, 13/4/2010. Haitham Al-Sinani (H.Al-Sinani@rhul.ac.uk), Information Security Group, Royal Holloway, University of London. http://isg.rhul.ac.uk/
