1 / 67

User-centric Identity

User-centric Identity. Diagram by Francis Shanahan. Hank Mauldin CE Meeting - February 26, 2008 Cisco Systems. This discussion represents the work done to date for a white paper on User-Centric Identity. Proposed a 1 year research project - 3 months into study

Download Presentation

User-centric Identity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. User-centric Identity Diagram by Francis Shanahan Hank Mauldin CE Meeting - February 26, 2008 Cisco Systems

  2. This discussion represents the work done to date for a white paper on User-Centric Identity. • Proposed a 1 year research project - 3 months into study • Explore a different area and new technologies in identity • No preconceived ideas or theories • Are there real solutions here? • Discover what are the advantages and disadvantages • Ultimately what is the impact on Cisco? • Can Cisco leverage these technologies? • Discussing promising technologies/protocols EDCS-647257 - first draft available

  3. Agenda • Introduction • Historical Perspective on Identity • Centralized Approach • Distributed Approach with Federation • User-centric Approach • Technologies • XRI • OpenID • OAuth • EV SSL Certificates • Information Cards • Do these technologies address user’s problems • Impact on Cisco

  4. Users have ‘zillions’ of digital identities… Facebook Linkedin newegg open social Amazon MySpace • eCommerce (e.g. Amazon, eBay) • Social Networking (e.g. LinkedIn) • Book club • Family eBay YouTube Audible VISA • Book club • Family del.ici.ous mortgage / rent • Professional networks • Dating networks Social Networks Online shopping wikipedia flickr paypal brokerage car loan 401k Source Forge Communities of Interest Personal Finance bank account AOL Yahoo Second Life • Second Life • Croquet • WOW • SharePoint Virtual Spaces MSN Core Croquet Google WOW YOU

  5. Common Issues for Users • Credential Management • Too many login ids and password combinations to remember or worse they are all the same • Using lowest strength credentials (passwords) for high value transactions • Ease of Use • Remembering which credentials to use with a site • Filling in the same information for registration forms at different sites • User Concern over personal information • Concern about the information collected by sites and what happens to the data after collection • Protection from impersonation and identity theft • Phishing • How does a user really know they are at the site they think they are? • Issue over vetting process of user’s identity • User proves identity by ownership of email address

  6. Identity Provider Terms MyOpenID Versign AOL User (Principal) • User: an actor requesting access to the network or an application within the network. • Service Provider (SP): From a principal’s perspective, a service provider is providing services and/or goods, typically through a website. • Identity Provider (IdP): A special service provider that manages identity information on behalf of principals and provides assertions of the principals authentication to other providers. • Relying Party (RP): A special service provider that is the recipient of a message that relies on a request message and associated assertions to determine whether to provide a requested service. Relying Party eBay Amazon FaceBook Flickr

  7. Relying Party Identity Provider Relationship between entities Authenticates User (Principal) Uses services Trusts Trust is the foundation of any security model. Trust is the expression between entities that one entity will believe statements (claims) made by another entity; it is based on evidence – history, experience, contracts, etc. – and risk tolerance.

  8. Identity Provider Basic Use Case 3 2 4 User (Principal) 1 User tries to access protected resource User needs to be authenticated - browser redirected to Identity Provider User is authenticated by Identity Provider Authentication assertion sent to Relying Party Relying Party

  9. Relying Party User (Principal) Identity Provider Concept of user-centric identity • User in the middle of transaction • User has a consistent user experience • User is in control of their personal attributes

  10. Historical Perspective Diagram by Francis Shanahan

  11. Liberty “Phase 1” Liberty ID-FF 1.2 Liberty ID-FF 1.1 Shibboleth 1.2 Shibboleth 1.3 Shibboleth 1.0/1.1 SAML 1.1 SAML 1.0 OpenID 2.0 WS-* Specifications (WS-Federation) CardSpace XRI i-names SAML 2.0 OpenID 1.0 sxip Higgins LID 2000 2001 2002 2003 2004 2005 2006 2007 Timeline Centralized Approach Microsoft .Net Passport Windows Live ID Distributed Approaches with Federation User-centric Approaches Information Cards URL-based XRI-based

  12. Higgins User-centric approaches • URL-based • LID • sxip • OpenID • XRI-based • i-names • Information Cards • CardSpace • Higgins • Bandit project

  13. OpenID 2.0 • Open, decentralized, free framework • Can transform an existing URI from one’s blog, profile page, etc. to be an identifier • IdP discovery is built into the URI • Authentication scheme provides a way to prove that a principal owns an Identity URL without passing around their password or email address. • Light-weight default trust model • Ease of integration into scripted web platforms

  14. Permission-based Resolution i-names (XRI) Privacy Barrier Email Addresses Postal Addresses Phone Numbers Fax Numbers Current Location An i-name is a new “superaddress” that gives its owner complete control over its use Any attribute referenced by a URI or encoded in XML • i-names are called unified digital addresses • Human readable (i-numbers are machine readable) • Provides an address one can keep for life

  15. Information Cards • CardSpace • Central feature is the identity selector - allows one to pick a credential visually represented as a card to send to an RP • Token-based system • Two types of cards supported: • Personal cards - self issued • Managed cards - provided by identity providers • Separation of authentication and storage of personal information • Microsoft has released all their associated IP • Higgins • Provides a software infrastructure to support all the popular digital identity protocols • Extends types of cards - r-cards, z-cards, & s-cards • Selectors available for Windows, Linux and Mac OS X • Bandit • Currently providing a CardSpace compatible card selector for Linux and Mac OS X based on the Higgins card selector

  16. Summary of Identity Spaces Credit for this Venn Diagram goes to Paul Madsen and Johannes Ernst

  17. OSIS (Open Source Identity System) URL-based(grassroots, open source, blogging) • Microsoft • IBM • Verisign • Red Hat • Novell • Cordance • Higgins • Shibboleth • Sxip • Sun • NetMesh Identifier-basedparadigm OSIS started to bring together identity-related projects in order to synchronize and harmonize the construction of an interoperable identity layer for the Internet. Identityin 2007 OSIS Agreement “historic development” (ZDNet) Invisibleto the user SAML-based (Liberty Alliancecompanies) WS-*-based (MicrosoftVista) Card-basedparadigm

  18. Technologies Diagram by Francis Shanahan

  19. XRI • OpenID • OAuth • EV SSL Certificates • CardSpace • Higgins

  20. XRI (Extensible Resource Identifier) • XRIs can identify people, organizations, concepts, applications, devices, digital objects or anything else • XRI builds on the IRI (International Resource Identifier, RFC 3987) by extending the syntax • XRI start with “xri://” followed an authority segment and a path portion (if any) • xri://broadview.library.example.com/(urn:isbn:0-395-36341-1) • The idea is that web addresses evolve from URLs to XRIs • Foundational technology for XDI (XRI Data Interchange), the Higgins project and useful for OpenID

  21. XRI Characteristics • XRIs come in pairs • i-name which is human readable and changeable • i-number which is permanent (links use the i-number) • Adds a layer of indirection on top of DNS- and IP-based URLs to enable better control over their persistent identity • This indirection allows semantic mapping for sharing of identifiers across domains • Reserved global context symbols: • + , for general dictionary tags like +blog, +salmon, +love • $, for special dictionary tags like $d (date), $v (version) • =, for a personal persistent address like =hank.mauldin • @, for an organization like @example.company • When using global context symbols, one does not need to use a protocol prefix (xri://)

  22. Extended Validation SSL Certificates • Phishing scams are a big issue • Answer needs to address two issues • Provide a method that ensures users know the true owner of a website • Provide a browser interface that makes it easy to see the identity when its known and recognize when it isn’t • Proposed Answer is a new category of SSL certificate with an issuing process that helps ensure the entity is who it claims to be, and browser modifications

  23. EV Certificate Guidelines • CA/Browser Forum consisting of CAs, Internet browser vendors and American Bar Assoc. released version 1.0 of EV Certificate Guidelines for a new EV certificate. • Uses existing SSL certificate format, but provides a strictly enforced issuance policy with revocation measures. • The issuers must: • Verify the legal, physical and operational existence of identity • Verify the identity of entity matches official records • Verify the entity has exclusive rights to use domain specified in certificate • Verify the entity has properly authorized the issuance of the EV certificate

  24. EV Browser Modifications • When a browser visits a site secured with a EV certificate, the address bar will turn green and display the name of the organization listed in the certificate as well as the issuing CA. • If on a bogus site, the address bar will not display green • The security status bar shows the transaction was encrypted and the organization has been authenticated • Microsoft IE 7 is first browser to meet the new standard • FireFox browsers have a plug-in available

  25. Example of Address & Security Bar

  26. Thoughts on EV SSL Certs • Appears to be a step in the right direction • One concern is the cost of the new certificate • New CA vendors dependent on browser vendors • It seems to be a couple of years away for wide spread use, but some companies (eBay and PayPal) are already using these certs.

  27. OpenID 2.0 • Fastest growing user-centric identity system • Because AOL (63 million users) and Yahoo (248 million users) provided all their users with OpenIDs automatically • Specifically addresses web single sign-on (SSO) use cases • Replace the self generated usernames & passwords with a single login credential • Provides simple attribute exchange • Only requires an unmodified browser • Light-weight protocols and easy for RPs to implement

  28. User OpenID Protocol Drilldown Client 1 User wants to access their LiveJournal blog 3 Authentication 2 Redirected to myOpenID.com 4 Redirected back to LiveJournal account http://mosby.myopenid.com Relying Party(RP) Identity Provider(IdP) http://openid.aol.com/screenname =hank.mauldin

  29. OpenID Concerns • No real trust framework • Basic principle between IdP and RP is to TRUST • Advantage: IdPs and RPs can work together without prior relationships • Neutral: only good for low value transactions such as blog or wiki comments • Concern: OpenID potentially makes the Phishing problem worst • A person can put up a great site that takes OpenID and phish the Identity Providers site to harvest the user’s credentials

  30. OpenID Concerns (continued) • Concern: User has one unique identifier and so a IdP can track all the websites a user logs into. • Cross site profiling would be easy • Privacy issue for users • Cannot be used for delegation of authority (instead using OAuth) • Neutral: If person uses a domain-name URL as their OpenID, they must be careful not to lose the domain name (expires, and not renewed) • Neutral: Unclear what the business case is for the smaller IdPs (OpenID Providers) • Giving away free OpenIDs

  31. Thoughts on OpenID • Top 4 issues the OpenID community wants to fix • Solve the Phishing issue • Make the UI experience a little less geeky (typing in URLs) • Single Sign-out • Optimize performance • My belief is they will move towards using a combination of EV SSL certificates and Information Cards to solve the first issue above • Microsoft, IBM, Google, Yahoo and Verisign have joined the OpenID Foundation Board - announced February 2008

  32. OAuth • OAuth Core version 1.0 is released • Offers secure delegation of authority • Complements rather than replaces authentication • Extends the usefulness of OpenID • Brings together in one standardized way delegation of authority by many of the major well established security protocols • Google AuthSub • AOL OpenAuth • Yahoo BBAuth • Upcoming API • Flickr API • Amazon Web Services API

  33. Higgins Information Cards • Microsoft Identity Metasystem • CardSpace • Higgins project • Bandit

  34. Seven Laws of Identity • Kim Cameron (Microsoft) developed the 7 laws which shaped the design of the Identity Metasystem • The Seven Laws are: • User Control and Consent - only reveal information with user’s consent • Minimal Disclosure - release least amount of information and limit its use • Justifiable Parties - limit to entities that are necessary in identity relationship • Directed Identity - protect against correlation across services • Pluralism of Operators - enable multiple technologies and identity providers • Human Integration - integrated into system and protect against id attacks • Consistent Experience - provide simple, consistent experience across different contexts

  35. Identity Metasystem Concepts • Digital Identity: A set of claimsin a security token provided by (and about) a user • Roles in the identity meta-system: • User (subject) • Identity Provider • Relying Party • Protocol: • User goes to site for a resource • User is asked for identity (and required claims) from RP • User chooses an identity provider • Identity provider gives user a security token (meeting required claims) • User passes the token to the RP

  36. WS-* MetaSystem Architecture Kerberos X.509 SAML X.509, Kerberos,Custom WS-Trust, WS-MetadataExchange, WS-Security Relying Party (Token Requirements) Identity Provider (Token Capabilities) Identity Provider (Token Capabilities) Relying Party (Token Requirements) WS-SecurityPolicy STS WS-SecurityPolicy WS-SecurityPolicy STS WS-SecurityPolicy Identity Selector Subject

  37. CardSpace Protocol Drilldown User approves release of token 7 Windows CardSpace Client 4 User selects an IdP Client wants to access a resource 1 User Request security token (authentication required e.g. X509, Kerberos, username/pwd, self-issued token) 5 3 Which IdPs can satisfy requirements? RP provides identity requirements 2 6 Return security token based on RP’s requirements (any format) – and optional signed display token Token released to RP (RP reads token and allows access) 8 Identity Provider(IdP) Relying Party(RP)

  38. CardSpace Card Selector

  39. CardSpace Cards Self-Issued Card Managed Cards • Contains claims about my identity that I assert • Fixed set of claims • Not corroborated • Card and data stored locally • Signed and encrypted to prevent replay attacks • Presented by user during account sign-up • Created and signed by IdPs, such as banks, stores, government, clubs, etc. • Provisions .CRD file via email, website, group policy etc. which user installs • Locally stored cards contain metadata only (not values) • Data stored at Identity Provider and obtained only when card submitted (from STS)

  40. CardSpace Environment (secure shell) Runs under separate desktop and restricted account Isolates CardSpace runtime from Windows desktop – no programmatic access All data encrypted (inc. memory) until use All parties strongly identified Privacy RP can be hidden from IdP Signing key for self-issued token varies for each RP User controls release of information Cards can be protected with a PIN Parties must identify themselves via Trust Dialog Verifies provided certificate for all parties that interact with user RP: Appears on first visit, IdP: when user imports card CardSpace Security

  41. Advantages: Replace login ids & passwords with cryptographically strong tokens containing identity claims Consistent login and registration Centers around a simple to use Identity Selector Digital identities represented by cards Multi-factor authentication Helps avoid phishing Users in control Disadvantage: Not a single sign-in solution Concerns: Identity portability Revocation Thoughts on CardSpace

  42. Higgins Project • Higgins provides the same user experience as CardSpace • It functions with the same card metaphor, but extends the types of cards • However, Higgins is a framework to provide interoperability between different identity systems • An abstraction layer for identity and social networking services • Allows plug-ins from different contexts

  43. Web Services Eclipse Rich Client Platforms Browser extensions Information Card Selector End User Applications Interoperability Framework Identity Selector Service (ISS) Relying Party Policy/Tags Higgins Browser Extension (HBX) STS Plug-ins Plug-ins Plug-ins Context Providers CardSpace OpenID SAML Application Programming Interface (API) Context Data Sources: LDAP AD Files Directories Social Networks Databases Identity Attribute Service (IdAS) Context Provider Interface (CPI) Higgins Framework

  44. Identity Attribute Service (IdAS) • Aggregate and federate identity information • Uses the Higgins Data Model • Represents an identity and its attributes in a context • The plug-ins enable the IdAS to read and data from the contexts and map the data to the Higgins Data model • Each context can may have its own ontology defined using higgins.owl

  45. Interoperability Requirements for interoperability Common data model API abstraction/framework Schema mapping #1 addressed by Higgins #2 can be addressed using the Higgins Identity Attribute Service (aka IdAS) #3 addressed by industry collaborations within Identity Commons and other groups 45

  46. Digital Subject Relation attribute “Normal” attributes (e.g. String, number, boolean, etc.) A profile Correlation attribute (a specialization of relation) = Digital Subject that represent entity #1 (e.g. you) = Digital Subject that represents some entity other than #1 (e.g. someone other than you) Digital Subjects and their attributes • Digital Subjects are representations of entities (e.g. real world people, groups, organizations, etc.) • Digital Subjects are sets of identity, profile andrelationship attributes

  47. Personal i-card Hank Mauldin i-cards • Store credentials, profiles, personal data, and social networks –not just for sign-in! • New types of i-cards defined • r-cards (relationship cards) • data partially owned by both entities • s-cards (SAML cards) • for interoperability with SAML 2.0 • z-cards (zero-knowledge cards) • selectively disclosure of claims • zero-knowledge proofs • sole authority over claim values • IBM to deliver based on their idemix technology Hank Mauldin

  48. Bandit Card Selector showing claims

  49. Higgins 1.0 Development done by 12/31 Supports the self-issued and managed cards Ongoing series of multi-company (Microsoft, etc.) interoperability events for the past year and ongoing IBM and Novell have announced they will ship Higgins based products Parity is offering to host Higgins based services Higgins software project status 49

  50. Thoughts on Higgins • In general, I believe the card metaphor will succeed in the market place • Higgins has already shown it can interoperate with CardSpace • Several influential vendors (IBM, Novell) are committed to delivering Higgins implementations • A large challenge to meet their goals for the framework, especially around the data model and schemas

More Related