This approach focuses on managing roles, authentication, and authorization profiles across organizations, ensuring single sign-on across applications. It emphasizes securing identity profiles and advocates a "good enough security" mindset that tolerates occasional failure but not catastrophic failure. By using Security Appliances and an Authentication Ladder that climbs to two-factor authentication, it raises security while maintaining ease of use and total cost of ownership. The process includes provisioning, enrollment, registration, revocation, and role management, allowing consumers to self-administer and manage personal profiles.
A Role-Based Approach to Federated Identity
Ravi Sandhu*
Chief Scientist, NSD Security
www.nsdsecurity.com
*Also Professor of Information Security and Assurance, George Mason University
Federated Identity
• Cross organization
• Maintain authentication and authorization profile and provide single sign-on across multiple applications
• Focuses on “letting the good guys in”
Role-Based Management
• Consumers → Roles: authorization profiles are managed in terms of roles
• Identity Management Roles: administration is delegated in terms of identity management roles
Securing Identity Profiles
• Authentication and authorization profiles are the organization’s most sensitive data
• Managing these securely is an organization’s most important security objective
What is Security
• Catastrophic failure is far worse than occasional failure
• Good enough security
  • Is all we can achieve
  • Tolerates occasional failure
  • Does not tolerate catastrophic failure
Security is Only One Objective
• Ease of Use
• Security
• Total Cost of Ownership
Integrated identity management infrastructure (balancing all three)
Secure Identity Appliance™
Security Appliances
• Dedicated (but COTS) hardware
• Hardened OS
• Managed by restricted protocols (no root access)
• Highly available, scalable and secure
Secure Identity Appliance™
Authentication Ladder (rungs from bottom to top, along an axis running from Password / Usability to PKI / Security)
• Weak Password Systems: catastrophic, dictionary attacks
• Hardened Password (PKI hardened): zero footprint, no change for users, no change for issuer, no password file
• Roaming PKI
• Two-factor (with optional PKI): password plus USB token or variant
2-Key RSA vs. 3-Key RSA
Old PKI
• Keys:
  • Alice Public = e
  • Alice Private = d
  • Alice Cert = C
• Signing:
  • S = Sign(M, d)
  • Send [S, C] to Bob
• Bob:
  • Gets e from C
  • Does Verify(S, e) = M?
Practical PKI
• Keys:
  • Alice Public = e
  • Alice password = d1
  • Alice Cert = C
  • Alice appliance key = d2
• Signing:
  • Alice logs on to appliance using strong authentication and creates secure channel
  • Spartial = Sign(M, d2)
  • S = Sign(Spartial, d1)
  • Send [S, C] to Bob
• Bob:
  • Gets e from C
  • Does Verify(S, e) = M?
Difference #1: Alice has short convenient password
Difference #2: Alice has to interact with appliance to sign.
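The split signing on this slide, as an added example that is not NSD Security's code: textbook RSA with constructed toy parameters, a hypothetical password-to-exponent mapping (an assumption, the slide does not say how d1 is derived), and the relation d1·d2 ≡ d (mod φ(n)) that makes Sign(Sign(M, d2), d1) verify under the same public key e as the old 2-key signature.

```python
from hashlib import sha256
from math import gcd

# Constructed toy RSA parameters (p=61, q=53): for illustration only, not secure.
P, Q = 61, 53
N = P * Q                  # modulus, 3233
PHI = (P - 1) * (Q - 1)    # 3120
E = 17                     # Alice Public = e
D = pow(E, -1, PHI)        # conventional 2-key private exponent d (2753)

def derive_d1(password: str, phi: int = PHI) -> int:
    """Hypothetical password-to-exponent mapping (an assumption, not the
    slide's method): hash the password, reduce mod phi, and step forward
    until the value is invertible mod phi, since d2 = d * d1^-1 needs that."""
    d1 = int.from_bytes(sha256(password.encode()).digest(), "big") % phi
    while d1 < 2 or gcd(d1, phi) != 1:
        d1 = (d1 + 1) % phi
    return d1

def split_key(d: int, d1: int, phi: int = PHI) -> int:
    """Appliance key d2 chosen so that d1 * d2 == d (mod phi). The full d is
    never stored anywhere; deleting d2 on the appliance revokes Alice's key."""
    return (d * pow(d1, -1, phi)) % phi

def sign_2key(m: int, d: int = D, n: int = N) -> int:
    return pow(m, d, n)                       # Old PKI: S = Sign(M, d)

def sign_3key(m: int, d1: int, d2: int, n: int = N) -> int:
    s_partial = pow(m, d2, n)                 # appliance: Spartial = Sign(M, d2)
    return pow(s_partial, d1, n)              # Alice: S = Sign(Spartial, d1)

def verify(s: int, e: int = E, n: int = N) -> int:
    return pow(s, e, n)                       # Bob: Verify(S, e), expect M

def demo(m: int = 65, password: str = "hunter2") -> tuple:
    """Returns (2-key signature, 3-key signature, message recovered by Bob)."""
    d1 = derive_d1(password)
    d2 = split_key(D, d1)
    s_old = sign_2key(m)
    s_new = sign_3key(m, d1, d2)
    return s_old, s_new, verify(s_new)

if __name__ == "__main__":
    print(demo())   # both signatures are equal and the message verifies
```

Because d1 alone is a short password-derived exponent, it is useless without the appliance's d2, which is the property behind Difference #2 and behind revocation by simply deleting d2.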
Single Sign On
• Cookie-based
  • Zero footprint on client
  • Lightweight footprint on servers
• Certificate-based
  • Lightweight footprint on client
  • Zero or lightweight footprint on servers
SSO and Authentication
• Authentication
  • Single factor
  • Two factor
• Single sign on
  • Cookie based
  • Certificate based
Security Identity Appliance Roles
• Appliance management roles
• Consumer management roles
• Consumer roles
Appliance Management Roles
• Supermanager
  • Not your usual root user
• Security manager
• System manager
Supermanager → (can-create but cannot do) → Security manager, System manager
Consumer Management Roles
• Consumer management roles manage consumer roles
• Built in roles
  • Super-csr
  • Create-csr
  • Modify-csr
  • Read-only-csr
Consumer Management Roles
Super-csr → (can-create but cannot do) → Create-csr, Modify-csr, Read-only-csr → Consumer
Consumer Management Roles (per organization)
Consumer1 profile: userid, user personal profile, org1 roles, org2 roles, …..
• org1 roles managed by: Create-csr1, Modify-csr1, Read-only-csr1
• org2 roles managed by: Modify-csr2, Read-only-csr2
Identity Management Processes
• Provisioning
  • Enrollment
  • Registration
  • Revocation
• Rights Management
  • Role and attribute assignment by Identity Management roles
  • Role revocation by Identity Management roles
• Consumer self-administration
  • Password change
  • Password reset
  • Profile update (such as address, phone number, etc.)
  • Revocation
OneHealthPort
Relying Party1 / Trading Partner1 ↔ OneHealthPort ↔ Relying Party2 / Trading Partner2
… Relying Party-n / Trading Partner-k
Secure Identity Appliance™
The technology behind OneHealthPort