Top 3 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
Christian Paquin, Senior Program Manager, Microsoft Corporation
SESSION CODE: SIA305
Identity landscape
• More and more business/government services are migrated online
  • Improves convenience
  • Reduces costs
• High-value transactions require a high level of identity assurance
• Usernames/passwords are ubiquitous, but provide low security (NIST’s LoA)
• Conventional “enterprise” solutions (e.g., Kerberos, PKI) don’t scale or are not flexible enough for an internet-wide system
• How can you show some ID online, just like in real life?
Identity federation
• Most popular proposed architecture
  • Very flexible
  • Easy to deploy
• Many protocols: WS-Federation/Trust, SAML, Information Cards, OpenID, OAuth, …
• But many challenges
  • Security
  • Privacy
  • Scalability
Federated architecture
(Diagram: the Identity Provider (IdP), running an STS, and the Relying Party (RP) share a trust relationship; the Client talks to both.)
1. Request access (Client → RP)
2. Policy (RP → Client)
3. Token request (Client → IdP STS)
4. Token response (IdP STS → Client)
5. Token (Client → RP)
Challenge #1: Security
• Compromise the IdP credential, access all RPs
  • Phishing problem
• Strong authentication to the IdP is possible, but authentication to the RP is weaker
  • Issued tokens are software only (token hijacking attacks, transferability)
• IdP is all-powerful
  • IdP (insider, malicious code) can surreptitiously act on the users’ behalf
  • Selectively deny access
Challenge #2: Privacy
• IdP can profile user’s activities
• Even if the IdP doesn’t learn the visited RP, profiling is possible by colluding parties (or insiders)
  • Timing correlation
  • Unique correlation handles (e.g., digital signatures, serial numbers, etc.)
Challenge #3: Scalability
• All tokens are retrieved on-demand
  • IdP must be available 24/7
• IdP is a central point of failure
  • Nice target for denial of service attack
• IdP is a bottleneck for every user access
U-Prove Technology
Crypto technology combining the security of PKI with the flexibility of federation, providing privacy-by-design
Can be used to build various types of electronic credentials and entitlement documents
Has unique security, privacy, and efficiency benefits over “conventional” crypto tokens (X.509 certificates, SAML assertions, Kerberos tickets)
What’s new? Minimal disclosure!
• U-Prove tokens contain no inescapable correlation handles
  • Token issuance and presentation are unlinkable
  • Think “coins” vs. “bills”
• Users can disclose a subset of the encoded claims
  • To respond to unanticipated requests of RPs
  • Without invalidating the token integrity
Minimal disclosure illustrated
(Figure 1: Gov issues Alice a token encoding three attributes; Alice later presents it to CohoWinery.)
Name: Alice Smith
Address: 1234 Pine, Seattle, WA
Over-21: true

Minimal disclosure illustrated
(Figure 2: CohoWinery asks “Prove that you are over 21 and from WA”. Alice discloses only those two facts; CohoWinery is left asking “Which adult from WA is this?”, and Gov cannot link the presentation back to the issuance.)
Token attributes, of which only Over-21 and the WA part of Address are revealed:
Name: Alice Smith
Address: 1234 Pine, Seattle, WA
Over-21: true
Underlying crypto
• Based on the Brands protocols
  • 30+ papers (from ‘93 onward)
  • Evolution of PKI
  • MIT Press book, foreword by Ron Rivest
• Issuance uses a “restrictive blind signature”
  • Issuer knows the attributes, but never sees the resulting public key and signature on tokens
• Presentation uses a proof of knowledge
  • Prove a secret without leaking any info about it
  • Generalization of the Schnorr protocol
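The following Python is an added example written for this page, not code from the U-Prove SDK or the exact V1.0 protocol. It shows the presentation side of the "minimal disclosure" slides as a generalized Schnorr proof of knowledge: the token's public key is a commitment h = g0 · ∏ g_i^{x_i} over the attributes (name, state, over-21), Alice reveals only state and over-21, and the verifier checks a proof that the hidden name is still consistent with h without learning it. Assumptions made here: issuance (the restrictive blind signature) and the token's private blinding exponent are left out, the attribute encoding via SHA-256 and the Fiat-Shamir challenge are this example's own choices, and the group parameters are generated at import time with a small deterministic Miller-Rabin test rather than taken from a standard.

```python
# Added example: simplified U-Prove-style presentation proof (generalized Schnorr proof
# of knowledge of a representation). Not the U-Prove SDK or the V1.0 protocol: issuance
# and the token's blinding exponent are omitted, and group parameters are demo-sized.
import hashlib
import secrets

def is_prime(n):
    """Deterministic Miller-Rabin (first 12 prime bases), valid for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    if n in bases:
        return True
    if any(n % b == 0 for b in bases):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    """Return (p, q) with p = 2q + 1 both prime; squares mod p then have prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q

# Demo group, constructed at import time (a real deployment uses standardized parameters).
P, Q = safe_prime(64)
G0 = pow(secrets.randbelow(P - 3) + 2, 2, P)                        # fixed base g0
G = [pow(secrets.randbelow(P - 3) + 2, 2, P) for _ in range(3)]     # bases for name, state, over21

def encode(value):
    """Map an attribute string to an exponent in Z_Q (this example's own encoding)."""
    return int.from_bytes(hashlib.sha256(value.encode()).digest(), "big") % Q

def token_public_key(attrs):
    """h = g0 * prod g_i^{x_i} mod p: the commitment to all attributes the token is built on."""
    h = G0
    for g, x in zip(G, attrs):
        h = h * pow(g, x, P) % P
    return h

def challenge(h, a, disclosed):
    """Fiat-Shamir challenge binding the token, the prover's commitment and the disclosed values."""
    data = f"{h}|{a}|{sorted(disclosed.items())}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def present(attrs, h, disclose):
    """Prover: reveal the attributes at indices in `disclose`, prove knowledge of the rest."""
    hidden = [i for i in range(len(attrs)) if i not in disclose]
    w = {i: secrets.randbelow(Q) for i in hidden}           # fresh randomizers per presentation
    a = 1
    for i in hidden:
        a = a * pow(G[i], w[i], P) % P                        # commitment to the randomizers
    disclosed = {i: attrs[i] for i in disclose}
    c = challenge(h, a, disclosed)
    r = {i: (w[i] + c * attrs[i]) % Q for i in hidden}        # Schnorr responses
    return {"disclosed": disclosed, "a": a, "r": r}

def verify(h, proof):
    """Verifier: learns only the disclosed attributes; checks the hidden ones are consistent with h."""
    disclosed, a, r = proof["disclosed"], proof["a"], proof["r"]
    known = G0
    for i, x in disclosed.items():
        known = known * pow(G[i], x, P) % P
    target = h * pow(known, -1, P) % P      # must equal prod over hidden i of g_i^{x_i}
    c = challenge(h, a, disclosed)
    lhs = 1
    for i, ri in r.items():
        lhs = lhs * pow(G[i], ri, P) % P
    return lhs == a * pow(target, c, P) % P

def run_demo():
    """Alice's token encodes (name, state, over21); the winery is shown only state and over21."""
    attrs = [encode("Alice Smith"), encode("WA"), encode("over21=true")]   # constructed sample
    h = token_public_key(attrs)
    proof = present(attrs, h, disclose={1, 2})
    # A presentation whose disclosed state is swapped must fail: the responses no longer match h.
    forged = {**proof, "disclosed": {**proof["disclosed"], 1: encode("OR")}}
    return {"valid": verify(h, proof), "forged_valid": verify(h, forged),
            "name_disclosed": 0 in proof["disclosed"]}

if __name__ == "__main__":
    print(run_demo())
```

Each call to `present` draws fresh randomizers, so the proof itself carries no fixed value a relying party could reuse as a correlation handle; what it cannot hide is h, which is why the slides describe U-Prove tokens as "coins" to be spent once rather than "bills".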
U-Prove V1.0 token details
Federation + U-Prove
(Diagram: the Identity Provider's STS and the Relying Party share a trust relationship, and both hold the Issuer Parameters (IP).)
Ahead of time, Client ↔ Identity Provider STS:
A. Token request
B. Token response (U-Prove tokens are stored on the client)
At access time, Client ↔ Relying Party:
1. Request access
2. Policy
3. Token (presentation)
Unimplemented U-Prove features
• Device-protected tokens
• Privacy-preserving revocation
• Proving attribute properties
• Limited-use tokens
• Zero-knowledge token presentation
• Censoring of token presentation
• Hiding the Issuer’s identity
• Token recertification and updating
• Verifiable attribute encryption

Key markets
• E-Government (citizen identities)
• E-Health (health record management)
• Cloud computing (“don’t trust us” cloud providers)
• Document signing (with minimal disclosure)
• Advertising (privacy-respecting ad platform)
• E-Cash
• Social Networking
Challenges, and how U-Prove helps
(Each challenge is a dial that U-Prove lets a deployment set independently.)
Scalability: Offline | Mixed | Online
Security: Software | Shared | Hardware
Privacy: Anonymity | Pseudonymity | Full identification
One technology to meet the desired levels of security, privacy, and scalability
U-Prove CTP
U-Prove Community Technology Preview
• Specifications (released under Open Specification Promise)
  • U-Prove crypto specification (addressing feature subset)
  • Integration into the ID metasystem specification
• Open-source crypto SDKs (implementing crypto spec)
  • Posted on Code Gallery, under the BSD license
  • C# and Java versions
• Integration with Microsoft products
  • Modified version of Windows CardSpace 2.0
  • Extension to the Windows Identity Foundation
  • Modified version of Active Directory Federation Services 2.0
http://www.microsoft.com/u-prove
Integration with Microsoft products
• Windows Identity Foundation
  • U-Prove issuer key management
  • U-Prove aware STS for IdP
  • U-Prove token handler for RP
• Active Directory Federation Services 2.0
  • IP-STS
  • RP-STS
• Windows CardSpace 2.0
  • U-Prove aware information card
  • Retrieve, store, and present U-Prove tokens
Fraunhofer FOKUS / Microsoft demo
Secure and privacy-protecting student information card derived from German eID card
(VIDEO)

Demo architecture
(Diagram components: German nPA card, Windows CardSpace 2.0, Active Directory Federation Services 2.0, OKS Registration, E-Book, OKS Feedback.)
1. Register online, get student information card
2. Prove registered student, view e-book online
3. Leave anonymous feedback
Configuring WIF to use U-Prove
Register the U-Prove WIF Extension in the application’s web.config:

    <compilation>
      <assemblies>
        …
        <add assembly="Microsoft.IdentityModel.UProve, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
      </assemblies>
    </compilation>
    …
    <microsoft.identityModel>
      <service>
        <serviceCertificate>…</serviceCertificate>
        <securityTokenHandlers>
          <add type="Microsoft.IdentityModel.UProve.Tokens.UProve.PresentationTokenHandler, Microsoft.IdentityModel.UProve, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
            <issuerParametersStore type="SampleIssuerParametersStore, UProveUtil, Version=1.0.0.0, Culture=neutral" />
          </add>
        </securityTokenHandlers>
        <audienceUris>…</audienceUris>
      </service>
    </microsoft.identityModel>
Configuring AD FS 2.0 to use U-Prove
Use PowerShell to set up the server:

    # Enable the EveryoneScope
    Enable-ADFSRelyingPartyTrust -TargetName EveryoneScope

    # Adjust the lifetime of issued U-Prove tokens
    # Set-ADFSRelyingPartyTrust -TargetName EveryoneScope -TokenLifetime 11520

    # Adjust the number of U-Prove tokens issued
    # Set-ADFSProperties -DisconnectedTokenCount 25

    # Generate Issuer parameters and private key (valid for 5 years)
    Set-ADFSIssuanceParameters -Lifetime 1825.00:00:00.00

    # Export signed Issuer parameters to the location the RP will import them from
    $ipLocation = "c:\users\public\issuance.xml"
    Export-ADFSIssuanceParameters -Path $ipLocation

    # Update the information card to support U-Prove tokens
    Update-ADFSInformationCard
Questions?
U-Prove Resources
Videos:
• Scott Charney’s RSA announcement: http://www.rsaconference.com/2010/usa/recordings/keynote-catalog.htm
• Intro: http://channel9.msdn.com/shows/Identity/Announcing-Microsofts-U-Prove-Community-Technical-Preview-CTP
• Technology overview: http://edge.technet.com/Media/Learn-what-Microsofts-U-Prove-release-is-all-about
U-Prove Community Technology Preview:
• Download location: http://www.microsoft.com/u-prove
• Developer video: http://channel9.msdn.com/shows/Identity/U-Prove-CTP-a-developers-perspective/
Identity and Access Management
Enable more secure, identity-based access to applications on-premises and in the cloud from virtually any location or device
PROTECT everywhere, ACCESS anywhere
• Provide more secure, always-on access
• Enable access from virtually any device
SIMPLIFY security, MANAGE compliance
• Extend powerful self-service capabilities to users
• Automate and simplify management tasks
INTEGRATE and EXTEND security
• Control access across organizations
• Provide standards-based interoperability

Business Ready Security Solutions
Identity and Access Management | Secure Messaging | Secure Endpoint | Secure Collaboration | Information Protection
Related Content
• SIA321 | Business Ready Security: Exploring the Identity and Access Management Solution
• SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
• SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
• SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
• SIA304 | Identity and Access Management: Windows Identity Foundation Overview
• SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
• SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
• SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT
• SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
• SIA319 | Microsoft Forefront Identity Manager 2010: In Production
• SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
• SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
• SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
• SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager
• SIA06-INT | Identity and Access Management Solution Demos
• SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
• SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory
• Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution
Track Resources
Learn more about our solutions: http://www.microsoft.com/forefront
Try our products: http://www.microsoft.com/forefront/trial

Resources
• Sessions On-Demand & Community: www.microsoft.com/teched
• Microsoft Certification & Training Resources: www.microsoft.com/learning
• Resources for IT Professionals: http://microsoft.com/technet
• Resources for Developers: http://microsoft.com/msdn

Complete an evaluation on CommNet and enter to win!

Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st
http://northamerica.msteched.com/registration
You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to
be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
JUNE 7-10, 2010 | NEW ORLEANS, LA