Challenges in Identity Infrastructures and How to Overcome Them with U-Prove. Christian Paquin, Senior Program Manager, Microsoft Corporation. SESSION CODE: SIA305


Page 1: Christian Paquin Senior Program Manager Microsoft Corporation SESSION CODE: SIA305

Top 3 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove

Christian Paquin
Senior Program Manager
Microsoft Corporation

SESSION CODE: SIA305

Page 2

Identity landscape

More and more business/government services are migrated online

Improves convenience
Reduces costs

High-value transactions require a high level of identity assurance
Usernames/passwords are ubiquitous, but provide low security (NIST's LoA)
Conventional "enterprise" solutions (e.g., Kerberos, PKI) don't scale or are not flexible enough for an internet-wide system
How can you show some ID online, just like in real life?

Page 3

Identity federation

Most popular proposed architecture
Very flexible
Easy to deploy

Many protocols: WS-Federation/Trust, SAML, Information Cards, OpenID, OAuth, …

But many challenges
Security
Privacy
Scalability

Page 4

Federated architecture

(diagram) An Identity Provider (IdP), running an STS, has a trust relationship with a Relying Party (RP); the Client interacts with both. Message flow:

1. Request access
2. Policy
3. Token request
4. Token response
5. Token

Page 5

Challenge #1: Security

Compromise the IdP credential, access all RPs
Phishing problem

Strong authentication to IdP is possible, but authentication to RP is weaker

Issued tokens are software only (token hijacking attacks, transferability)

IdP is all powerful
IdP (insider, malicious code) can surreptitiously act on the users' behalf
Selectively deny access

Page 6

Challenge #2: Privacy

IdP can profile user's activities

Even if IdP doesn't learn the visited RP, profiling is possible by colluding parties (or insiders)

Timing correlation
Unique correlation handles (e.g., digital signatures, serial numbers, etc.)

Page 7

Challenge #3: Scalability

All tokens are retrieved on-demand
IdP must be available 24/7

IdP is a central point of failure
Nice target for a denial of service attack

IdP is a bottleneck for every user access

Page 8

U-Prove technology

Page 9

U-Prove Technology

Crypto technology combining the security of PKI with the flexibility of federation, providing privacy-by-design

Can be used to build various types of electronic credentials and entitlement documents

Has unique security, privacy, and efficiency benefits over “conventional” crypto tokens (X.509 certificates, SAML assertions, Kerberos tickets)

Page 10

What's new? Minimal disclosure!

U-Prove tokens contain no inescapable correlation handles
Token issuance and presentation are unlinkable
Think "coins" vs. "bills"

Users can disclose a subset of the encoded claims
To respond to unanticipated requests of RPs
Without invalidating the token integrity

Page 11

Minimal disclosure illustrated

(diagram) The government ("Gov") issues Alice's credential and Coho Winery receives it; both parties see the same full claim set:

Name: Alice Smith
Address: 1234 Pine, Seattle, WA
Over-21: true

Page 12

Minimal disclosure illustrated

(diagram) Coho Winery: "Prove that you are over 21 and from WA". Gov: "Which adult from WA is this?" The credential Alice holds still carries the full claim set:

Name: Alice Smith
Address: 1234 Pine, Seattle, WA
Over-21: true

Page 13

Underlying crypto
Based on the Brands protocols

30+ papers (from '93 onward)
Evolution of PKI
MIT Press book, foreword by Ron Rivest

Issuance uses a "restrictive blind signature"
Issuer knows the attributes, but never sees the resulting public key and signature on tokens

Presentation uses a proof of knowledge
Prove a secret without leaking any info about it
Generalization of the Schnorr protocol
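The two slides above (selective disclosure of a subset of claims, and a presentation that is a generalized Schnorr proof of knowledge) are easier to follow with code. The following Python is an added toy example, not the U-Prove SDK and not the Brands protocol as specified: the restrictive blind signature at issuance is omitted (the issuer computes the token public key directly, so the issuance/presentation unlinkability of the real scheme is not modelled), the group is a freshly generated small safe-prime group, and attribute values are hashed into exponents. The function names (make_group, issue_token, present, verify, demo), the attribute names and Alice's sample values are assumptions for this demo.

```python
# Added toy example (not the U-Prove SDK): a minimal-disclosure presentation
# proof in the style of Brands/U-Prove. Needs Python 3.8+ for pow(x, -1, p).
import hashlib
import secrets


def is_probable_prime(n, rounds=32):  # Miller-Rabin, fine for demo parameters
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=128, n_attrs=3):
    """Safe prime p = 2q+1 and generators g0, g1..gn, gt of the order-q subgroup."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1

    def gen(label):  # hash a label, then square to land in the order-q subgroup;
        h = int.from_bytes(hashlib.sha256(label.encode()).digest(), "big")
        g = pow(h % (p - 2) + 2, 2, p)  # nobody knows discrete logs between generators
        return g if g != 1 else gen(label + "'")

    return p, q, gen("g0"), [gen(f"g{i}") for i in range(1, n_attrs + 1)], gen("gt")


def encode_attr(value, q):  # attribute string -> exponent mod q
    return int.from_bytes(hashlib.sha256(value.encode()).digest(), "big") % q


def challenge(q, h, disclosed, a, message):  # Fiat-Shamir challenge
    data = [str(h)] + [f"{n}={disclosed[n]}" for n in sorted(disclosed)] + [str(a)]
    digest = hashlib.sha256(";".join(data).encode() + message).digest()
    return int.from_bytes(digest, "big") % q


def issue_token(group, attrs):
    """Issuer: h commits to all attributes and the holder's private key y (unblinded here)."""
    p, q, g0, gs, gt = group
    names = sorted(attrs)
    assert len(names) <= len(gs), "not enough generators"
    y = 1 + secrets.randbelow(q - 1)
    h = g0 * pow(gt, y, p) % p
    for g, n in zip(gs, names):
        h = h * pow(g, encode_attr(attrs[n], q), p) % p
    return {"names": names, "values": dict(attrs), "h": h, "y": y}


def present(group, token, disclose, message):
    """Holder: reveal `disclose`, prove knowledge of the rest and of y (generalized Schnorr)."""
    p, q, g0, gs, gt = group
    names, values = token["names"], token["values"]
    hidden = [n for n in names if n not in disclose]
    w = {n: secrets.randbelow(q) for n in hidden + ["_key"]}  # commitment randomness
    a = pow(gt, w["_key"], p)
    for n in hidden:
        a = a * pow(gs[names.index(n)], w[n], p) % p
    disclosed = {n: values[n] for n in disclose}
    c = challenge(q, token["h"], disclosed, a, message)
    r = {n: (w[n] - c * encode_attr(values[n], q)) % q for n in hidden}
    r["_key"] = (w["_key"] - c * token["y"]) % q
    return {"names": names, "h": token["h"], "disclosed": disclosed, "c": c, "r": r}


def verify(group, proof, message):
    """RP: divide g0 and the disclosed attributes out of h, check responses on the rest."""
    p, q, g0, gs, gt = group
    names, disclosed, r = proof["names"], proof["disclosed"], proof["r"]
    hidden = [n for n in names if n not in disclosed]
    if set(disclosed) - set(names) or set(r) != set(hidden) | {"_key"}:
        return False
    h_prime = proof["h"] * pow(g0, -1, p) % p
    for n, v in disclosed.items():
        h_prime = h_prime * pow(gs[names.index(n)], -encode_attr(v, q), p) % p
    a = pow(h_prime, proof["c"], p) * pow(gt, r["_key"], p) % p
    for n in hidden:
        a = a * pow(gs[names.index(n)], r[n], p) % p
    return challenge(q, proof["h"], disclosed, a, message) == proof["c"]


def demo():
    """Alice proves 'over 21 and from WA' to Coho Winery without revealing her name."""
    group = make_group()
    token = issue_token(group, {"name": "Alice Smith", "state": "WA", "over21": "true"})
    nonce = b"coho-winery-request-0001"  # constructed RP freshness value
    proof = present(group, token, {"state", "over21"}, nonce)
    tampered = dict(proof, disclosed={"state": "CA", "over21": "true"})
    return {"valid": verify(group, proof, nonce),
            "name_hidden": "name" not in proof["disclosed"],
            "replay_rejected": not verify(group, proof, b"other-request"),
            "tamper_rejected": not verify(group, tampered, nonce)}
```

The relying party binds a fresh nonce into the challenge, so a captured presentation cannot be replayed, and only the holder who knows y can produce a proof at all, which is the point behind the "token hijacking / transferability" item on slide 5. Because the name stays in the hidden set, the verifier only ever handles g_name as a generator, never Alice's name or its exponent.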

Page 14

U-Prove V1.0 token details

Page 15

Federation + U-Prove

(diagram) Identity Provider (with STS) and Relying Party share a trust relationship and both hold IP (Issuer Parameters); the Client interacts with both. Token retrieval from the IdP (A, B) is separate from the access to the RP (1–3):

A. Token request
B. Token response

1. Request access
2. Policy
3. Token

Page 16

Unimplemented U-Prove features
Device-protected tokens
Privacy-preserving revocation
Proving attribute properties
Limited-use tokens
Zero-knowledge token presentation
Censoring of token presentation
Hiding the Issuer's identity
Token recertification and updating
Verifiable attribute encryption

Page 17

Key markets
E-Government (citizen identities)
E-Health (health record management)
Cloud computing ("don't trust us" cloud providers)
Document signing (with minimal disclosure)
Advertising (privacy-respecting ad platform)
E-Cash
Social Networking

Page 18

Challenges, and how U-Prove helps

Scalability: Offline | Mixed | Online
Security:    Software | Shared | Hardware
Privacy:     Anonymity | Pseudonymity | Full identification

One technology to meet the desired levels of security, privacy, and scalability

Page 19

U-Prove CTP

Page 20

U-Prove Community Technology Preview
Specifications (released under Open Specification Promise)

U-Prove crypto specification (addressing feature subset)
Integration into the ID metasystem specification

Open-source crypto SDKs (implementing crypto spec)
Posted on Code Gallery, under the BSD license
C# and Java versions

Integration with Microsoft products
Modified version of Windows CardSpace 2.0
Extension to the Windows Identity Foundation
Modified version of Active Directory Federation Services 2.0

http://www.microsoft.com/u-prove

Page 21

Integration with Microsoft products

Windows Identity Foundation
U-Prove issuer key management
U-Prove aware STS for IdP
U-Prove token handler for RP

Active Directory Federation Services 2.0
IP-STS
RP-STS

Windows CardSpace 2.0
U-Prove aware information card
Retrieve, store, and present U-Prove tokens

Page 22

Fraunhofer FOKUS / Microsoft demo
Secure and privacy-protecting student information card derived from the German eID card

VIDEO

Page 23

Demo architecture

(diagram) Components: German nPA card, Windows CardSpace 2.0, Active Directory Federation Services 2.0, OKS Registration, OKS Feedback, E-Book.

1. Register online, get student information card
2. Prove registered student, view e-book online
3. Leave anonymous feedback

Page 24

Configuring WIF to use U-Prove
Register the U-Prove WIF Extension in the application

web.config

<compilation>
  <assemblies>
    …
    <add assembly="Microsoft.IdentityModel.UProve, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
  </assemblies>
</compilation>
…
<microsoft.identityModel>
  <service>
    <serviceCertificate>…</serviceCertificate>
    <securityTokenHandlers>
      <!-- Token handler that validates U-Prove presentation tokens at the RP -->
      <add type="Microsoft.IdentityModel.UProve.Tokens.UProve.PresentationTokenHandler, Microsoft.IdentityModel.UProve, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
        <!-- Store from which the handler loads the trusted Issuer Parameters -->
        <issuerParametersStore type="SampleIssuerParametersStore, UProveUtil, Version=1.0.0.0, Culture=neutral" />
      </add>
    </securityTokenHandlers>
    <audienceUris>…</audienceUris>
  </service>
</microsoft.identityModel>

Page 25

Configuring AD FS 2.0 to use U-Prove
Use PowerShell to set up the server

# Enable the EveryoneScope
Enable-ADFSRelyingPartyTrust -TargetName EveryoneScope

# Adjust the lifetime of issued U-Prove tokens (optional)
# Set-ADFSRelyingPartyTrust -TargetName EveryoneScope -TokenLifetime 11520

# Adjust the number of U-Prove tokens issued (optional)
# Set-ADFSProperties -DisconnectedTokenCount 25

# Generate Issuer parameters and private key (valid for 5 years)
Set-ADFSIssuanceParameters -Lifetime 1825.00:00:00.00

# Export signed Issuer parameters
$ipLocation = "c:\users\public\issuance.xml"
Export-ADFSIssuanceParameters -Path $ipLocation

# Update the information card to support U-Prove tokens
Update-ADFSInformationCard

Page 26

Questions?

Page 27

U-Prove Resources

Videos:

Scott Charney's RSA announcement: http://www.rsaconference.com/2010/usa/recordings/keynote-catalog.htm

Intro: http://channel9.msdn.com/shows/Identity/Announcing-Microsofts-U-Prove-Community-Technical-Preview-CTP

Technology overview: http://edge.technet.com/Media/Learn-what-Microsofts-U-Prove-release-is-all-about

U-Prove Community Technology Preview:

Download location: http://www.microsoft.com/u-prove

Developer video: http://channel9.msdn.com/shows/Identity/U-Prove-CTP-a-developers-perspective/

Page 28

Identity and Access Management

Enable more secure, identity-based access to applications on-premises and in the cloud from virtually any location or device

• Provide more secure, always-on access

• Enable access from virtually any device

• Extend powerful self-service capabilities to users

• Automate and simplify management tasks

PROTECT everywhere ACCESS anywhere

INTEGRATE and EXTEND security

SIMPLIFY security, MANAGE compliance

• Control access across organizations

• Provide standards-based interoperability

Page 29

Business Ready Security Solutions

Identity and Access Management

Secure Messaging | Secure Endpoint | Secure Collaboration

Information Protection

Page 30

Related Content

SIA321 | Business Ready Security: Exploring the Identity and Access Management Solution
SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
SIA304 | Identity and Access Management: Windows Identity Foundation Overview
SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT
SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
SIA319 | Microsoft Forefront Identity Manager 2010: In Production
SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager
SIA06-INT | Identity and Access Management Solution Demos

SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory

Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution

Page 31

Track Resources

Learn more about our solutions:

http://www.microsoft.com/forefront

Try our products: http://www.microsoft.com/forefront/trial

Page 32

Resources

www.microsoft.com/teched

Sessions On-Demand & Community Microsoft Certification & Training Resources

Resources for IT Professionals Resources for Developers

www.microsoft.com/learning

http://microsoft.com/technet http://microsoft.com/msdn

Learning

Page 33

Complete an evaluation on CommNet and enter to win!

Page 34

Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st

http://northamerica.msteched.com/registration

You can also register at the

North America 2011 kiosk located at registration
Join us in Atlanta next year

Page 35

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 36

JUNE 7-10, 2010 | NEW ORLEANS, LA