1 / 38

An Introduction to Information Card

An Introduction to Information Card. Barry Dorrans Charteris plc http://idunno.org. Internet Authentication. Patchwork of identity systems Criminalisation of the Internet Identity systems can be hard. Information Card is not Passport. Published standard User controls what gets sent

trapper
Download Presentation

An Introduction to Information Card

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. An Introduction to Information Card Barry Dorrans Charteris plc http://idunno.org

  2. Internet Authentication Patchwork of identity systems Criminalisation of the Internet Identity systems can be hard

  3. Information Card is not Passport Published standard User controls what gets sent Anyone can issue information cards

  4. The Laws of Identity User control and consent Minimal disclosure Justifiable parties Directed Identity

  5. The Laws of Identity Pluralism of operators and technologies Human Integration Consistent Experience

  6. What is “Information Card” Identity Provider Relying Party WSTrust, WSSecure, SAML

  7. Types of Information Card Self Issued Managed

  8. Self Issued Information Card Created by user “Phone book” information

  9. Managed Information Card Issued by 3rd Party Information held at source Can be protected further

  10. Why “card”?

  11. What is “CardSpace” http://cardspace.netfx3.com/ Windows CardSpace  is a piece of client software that enables users to provide their digital identity to online services in a simple, secure and trusted way.

  12. What is “CardSpace” Identity Selector Client Software Vista, XP, Win2003 with .NET 3.0

  13. CardSpace Security All communications are secured Information encrypted in memory Dual ACL protection

  14. The typical login process Login to identity provider Token issued to client Token sent to service provider Token validated with identity provider Output sent to client

  15. The Information Card process Service Provider Requests Identity CardSpace Identity Selector pops up Token is built by Identity Selector(with Identity Provider) Token sent to client Output sent to client

  16. What about OpenID?

  17. Identity Cards versus OpenID

  18. What do I need to accept cards? SSL Certificate Object tag in HTML Processing Code server side(ASP.NET must have access to cert)

  19. Why SSL? Used to identify relying party Tokens encrypted against it Revocation lists checked, hard to use self issued certs

  20. Hello Information Card <object type="application/x-informationcard" name="xmlToken"> <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" /> <param name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" /> </object>

  21. SAML http://www.oasis-open.org/ Assertion based. CardSpace is a SAML 2.0 “Enhanced Client Proxy”.

  22. The WS-Trust Conversation Query MEX EndPoint Build Asymmetric KeysTalk

  23. WS-Secure Token is encrypted using WS-Security .NET 3.0 provides classes to Un-encrypt Convert to SAML claims

  24. Understanding a token <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/ xmlenc#aes256-cbc" /> Shows the token has been encrypted with AES256 CBC Symmetric Algorithm Both originator and recipient share the key

  25. WS-Secure Key Protection <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/ xmlenc#rsa-oaep-mgf1p"> Shows the symmetric key is being conveyed via RSA-OAEP-MGF1P The sender has made up a transient key (AES) Encrypted that key with the recipient SSL public key.

  26. Where’s the token <enc:CipherData><enc:CipherValue> 77Ybo3C32JckPMD+lxm9t7KKxfQjMT8ojczrDs0i HsxJ3Q6i3B04RAGrOivLfqMYzYP4lZXsM2lF8cUs aVOTY9KqsJjpOBwyk37n9tw7pV6E3SXkHtXx92xl 5AqmjPeBdDI/syrIjgE1bpbn5sX5PpNoOmAbYSV2 . . . Wvl2o5ABIqvToMV1bp16Ns1ImSgxuB074kmAvAUx b/LXPXq1Gwcz2YtyaHMYSUvzzzYRuDH9qu0R6748 B/C1if4MeXHUqMPYaEQ+dhuzoVUMuy7/kQVP5ckb B0asMSqIiJp5B4vecBe/aGQo9AYNEwPv4xAB5cvr PBEG4TCFtSVyJkn2LcdwNzqmNqIewGMxawwUPgxe D2w== </enc:CipherValue> </enc:CipherData> That’s the SAML token

  27. Token Headers <saml:ConditionsNotBefore="2007-02-01T10:50:06.468Z" NotOnOrAfter="2007-02-01T11:50:06.468Z"> <saml:AudienceRestrictionCondition> <saml:Audience> https://www.fabrikam.com/Demos/Reading/signin4.html </saml:Audience> </saml:AudienceRestrictionCondition> </saml:Conditions>

  28. And finally … the claims <saml:AttributeAttributeName="givenname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"> <saml:AttributeValue>Barry</saml:AttributeValue> </saml:Attribute> <saml:AttributeAttributeName="privatepersonalidentifier" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"> <saml:AttributeValue>wL6Xi5Z5uXQnSu40mRbkpljc5uKvf02HyASCo8uceNk=</saml:AttributeValue> </saml:Attribute>

  29. Supported Claims Anonymous, Authentication, AuthorizationDecision, Country, DateOfBirth, Dns, Email, Gender, GivenName, Hash, HomePhone, Locality, MobilePhone, Name, NameIdentifier, OtherPhone, PostalCode, PPID, RSA, SID, SPN, StateOrProvince, StreetAddress, Surname, System, Thumbprint, Upn, URI, WebPage, X500DistinguishedName

  30. Uniquely Identifying a card PPID for self issued cards Identity Provider Public Key & Unique claimfor managed cards

  31. Want to be an Identity Provider? EV SSL Security Token Service CRD delivery mechanism

  32. Things to ponder Validate self issued cards How much do you trust an IP?

  33. Tools Microsoft provide Client Side Kit ASP.NET Kit

  34. Blogs Kim Cameron http://identityblog.com VittorioBertocci http://blogs.msdn.com/vbertocc Garrett Serack http://fearthecowboy.com

  35. RP Code for ASP.NET ASP.NET Kithttp://go.microsoft.com/fwlink/?LinkId=89183 User Controlhttp://www.leastprivilege.com

  36. RP Code for other languages Ruby http://www.codeplex.com/informationcardruby Java http://www.codeplex.com/informationcardjava

  37. Identity Providers OpenID & Information Cards http://www.signon.com/ Live Labs Beta STS https://sts.labs.live.com/gettingstarted.aspx

  38. Questions? “Now, with the debut of the Info­Card identity management system, Microsoft is leading a network-wide effort to address the issue. To those of us long skeptical of the technology giant's intentions, the plan seems too good to be true. Yet the solution is not only right, it could be the most important contribution to Internet security since cryptography.” Lawrence Lessig, Wired Magazine, March 2006.

More Related