Government Online – White Paper Companion
Version 1.0
April 23, 2007
Copyright © 2007 Credentica Inc. All Rights Reserved.
This presentation is animated. Press the “space bar” to go through the animation steps; wait until an animation finishes before pressing the “space bar” again. If you missed an animation step, simply press the “left-arrow” key to rewind the animation.
Contents
• Introduction
• Part I – Leading Industry Solutions
  • Federated identity management (SSO)
  • Windows CardSpace (data sharing)
• Part II – Credentica’s Technology
  • Overview of ID Tokens
  • Secure SSO
  • Data sharing across unlinked accounts
Introduction
• Goals of government online
  • Improve access to government services
  • Reduce costs and improve productivity
  • Improve participation in democratic process
• Current priorities
  • Single sign-on (SSO) to services
  • Data sharing across governmental departments
• Critical security and privacy requirements
  • Avoid unwanted tracing and linking powers
  • Prevent denial-of-service attacks
  • Prevent impersonation attacks
  • Prevent user fraud
Federated identity management (SSO)
With identity federation, services do not authenticate users themselves but delegate this step to a trusted authority that has already established authenticated relations with these users. Each service knows the user under a local identifier that may be different from the user’s identity at the authority. The user enjoys a single sign-on experience when visiting other services from the same federation in the same browsing session.
[Figure: Alice, Service A (Accounts), Service B (Accounts), Service C (Accounts) and the Authority (Accounts). Message flow of the animation:]
• Alice → Service A: “I’m Alice”
• Service A → Authority: “Who is this?”
• Authority → Alice: “Who are you?”
• Alice → Authority: “It’s Alice”
• Authority → Service A: “It’s 7298592”
• Service A → Alice: “Welcome 7298592”
• Service B → Authority: “Who is this?”
• Authority → Service B: “It’s 5209481”
• Service B → Alice: “Welcome 5209481”
Federated identity management (SSO)
In the context of government online, federated identity management has several shortcomings. Firstly, the government would have the capability to electronically link and trace all user actions in real time. Secondly, the authority can deny targeted citizens access to services by providing incorrect authentication assertions. Thirdly, the government would have the capability to impersonate targeted users.
[Figure: the same federation; the Authority’s accounts map Alice to her local identifiers 7298592 (Service A), 5209481 (Service B) and 2856387 (Service C). Animation steps: a service asks “Who is this?” about Alice and the Authority answers “I don’t know” (denial of access); the Authority asserts “It’s Alice” / “It’s 7298592” on behalf of an Impersonator, whom the service greets with “Welcome 7298592” (impersonation).]
Windows CardSpace (data sharing)
Windows CardSpace enables users to directly transfer claims from identity providers to relying parties. Identity providers authenticate users before issuing claims about them.
The shortcomings of Windows CardSpace in the context of Government Online are almost identical to those of federated identity. In collusion with relying parties it is trivial to trace all presented claims to their issuance (either by comparing issuing and presentation times or by linking the provider’s signatures on the claims).
[Figure: Alice, Identity Provider (Accounts), Relying party (Accounts). Message flow: Relying party → Alice: “Are you over 18?”; Alice → Identity Provider: “I’m Alice. Please assert that I’m over 18”; the Identity Provider authenticates her (“Who is this?” / “It’s Alice”) and issues the claim “Over 18”; Alice → Relying party: “Over 18”; Relying party → Alice: “Welcome”.]
Windows CardSpace (data sharing)
Fraudulent users can transfer (copies of) claims about themselves to other parties.
[Figure: Alice and John, Identity Provider (Accounts), Relying party (Accounts). Message flow: Relying party → John: “Are you over 18?”; John: “No I’m not…”, “I need to assert that I’m over 18”, “I’m John. Please assert that I’m over 18”; Alice → Identity Provider: “I’m Alice. Please assert that I’m over 18”; the claim “Over 18” issued to Alice (“It’s Alice”) is handed to John, who presents it; Relying party → John: “Welcome”.]
Overview of ID Tokens
An ID Token is a cryptographically protected container of identity-related assertions that is issued to a user. An ID Token can contain any kind of attribute information that is bound to a key pair.
Attribute information contained in one or more ID Tokens can be selectively disclosed in response to unanticipated requests from verifiers.
Issuers can cryptographically bind ID Tokens to trusted modules (such as smart cards or Trusted Computing chips) that can enforce third-party security policies throughout the entire life cycle of the ID Tokens. A single low-cost device can protect arbitrarily many ID Tokens.
ID Tokens cannot be forged or modified, cannot be stolen through eavesdropping or phishing, and cannot be replayed by legitimate verifiers.
In contrast to conventional technologies, the use of an ID Token does not leak any information that others could exploit to link or trace user activities.
The user presents the ID Token to a verifier, either in the same session (in case of a transient ID Token) or later (in case of a long-lived ID Token stored by the user).
[Figure: Issuer → Alice → Verifier; the ID Token passes from the Issuer to Alice and from Alice to the Verifier.]
Consult the U-Prove SDK white paper companion presentation to learn more about ID Tokens.
Secure SSO
In an enrollment phase, Alice’s computer obtains a batch of long-lived ID Tokens from a trusted authority. When Alice subsequently accesses and authenticates to a government service for the first time, her computer transmits a fresh ID Token to the service. Alice’s computer uses a different ID Token with each government service, and maintains a mapping of all of her ID Tokens to their corresponding services.
The service associates the ID Token it receives from Alice with its account information on her. In subsequent visits to a government service, Alice’s computer authenticates using the ID Token that the service has associated with her account.
[Figure: Authority (Token Service), Service A, Service B and Service C (Accounts), Alice. Alice’s mapping after her first visit to Service A:]
Token ID / Service
a9e28b3c74 / Service A
9b87f3c4dd2 / (unlinked)
f88e37ba221 / (unlinked)
[Service A’s account for Alice (local identifier AliceS): Name: Alice Smith, DOB: 1973/08/24, legacy authentication data + the ID Token a9e28b3c74.]
Secure SSO
As a result, the authority and the services do not gain any correlation powers, neither through data flow analysis nor through timing analysis.
[Figure: Alice’s mapping after visiting all three services:]
Token ID / Service
a9e28b3c74 / Service A
9b87f3c4dd2 / Service B
f88e37ba221 / Service C
[Service A’s account (AliceS): Name: Alice Smith, DOB: 1973/08/24. Service B’s account (ASmith): Address: 1010 Sherbrooke, Postal code: H3A 2R7.]
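The tracing power described in the Windows CardSpace slides (linking the provider’s signatures on the claims) and the absence of correlation powers claimed for ID Tokens in the Secure SSO slides can be made concrete with a small simulation. The Python below is an added illustration and is not Credentica’s or U-Prove’s code: the page does not describe the U-Prove issuance protocol, so Chaum-style RSA blinding over a toy key stands in for it. The constants P, Q, E, the constructed token ids token-0 to token-4 and all function names are this example’s own assumptions. A colluding issuer and service try to match presented signature values against the issuer’s log: with conventional issuance every presented token links back to its issuance event; with blinded issuance none does, although every token still verifies.

```python
"""Linkable versus unlinkable token issuance (added illustration, not U-Prove code)."""
from __future__ import annotations

import hashlib
import secrets
from math import gcd

# Toy RSA key with hand-picked small primes: for illustration only, not a secure size.
P, Q = 10007, 10009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def to_element(token_id: bytes) -> int:
    """Hash a token identifier into the RSA group (hash-then-sign)."""
    return int.from_bytes(hashlib.sha256(token_id).digest(), "big") % N


def verify(m: int, s: int) -> bool:
    """A verifier (government service) checks the authority's signature on the token."""
    return pow(s, E, N) == m


def issue_plain(token_id: bytes, issuer_log: list[int]) -> tuple[int, int]:
    """Conventional issuance: the issuer computes, and therefore records, the very
    signature value the service will later see on presentation."""
    m = to_element(token_id)
    s = pow(m, D, N)
    issuer_log.append(s)
    return m, s


def issue_blinded(token_id: bytes, issuer_log: list[int]) -> tuple[int, int]:
    """Blinded issuance: Alice's computer hides the token under a random factor r,
    the authority signs what it is shown, and Alice removes r afterwards."""
    m = to_element(token_id)
    while True:
        r = secrets.randbelow(N - 2) + 2      # blinding factor, never sent to the authority
        if gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N           # the only value the authority ever sees
    s_blind = pow(blinded, D, N)               # equals m^D * r (mod N)
    issuer_log.append(s_blind)                 # the authority logs the blinded signature
    s = (s_blind * pow(r, -1, N)) % N          # equals m^D: a valid signature on m
    return m, s


def count_linked(issuer_log: list[int], presentations: list[tuple[int, int]]) -> int:
    """Colluding issuer and services: how many presented tokens match a logged
    issuance by signature value."""
    seen = set(issuer_log)
    return sum(1 for _m, s in presentations if s in seen)


def simulate(issue, n_tokens: int = 5) -> dict[str, object]:
    """Issue n tokens in a batch, present them later, report validity and linkability."""
    issuer_log: list[int] = []
    presentations: list[tuple[int, int]] = []
    for i in range(n_tokens):
        m, s = issue(f"token-{i}".encode(), issuer_log)   # constructed token ids
        presentations.append((m, s))                      # what the services see
    return {
        "all_valid": all(verify(m, s) for m, s in presentations),
        "linked": count_linked(issuer_log, presentations),
    }


if __name__ == "__main__":
    print("plain  :", simulate(issue_plain))    # {'all_valid': True, 'linked': 5}
    print("blinded:", simulate(issue_blinded))  # {'all_valid': True, 'linked': 0}
```

The issuer’s log is the only thing that differs between the two runs: in the blinded case it contains values that are statistically independent of the signatures the services receive, so joining the two logs on the signature (or on the signed value) gives the colluding parties nothing. The timing side of the page’s argument is covered by issuing the batch up front, before any service is visited.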
Data sharing across unlinked accounts
Government services can securely share data on Alice, without needing to know her under a common identifier. To this end they package data they hold about Alice into ID Tokens that they provide to Alice, protecting them against any unauthorized manipulations.
[Figure: Authority (Token Service), Service A (Accounts: Name: Alice Smith, DOB: 1973/08/24, AliceS), Service B (Accounts: Address: 1010 Sherbrooke, Postal code: H3A 2R7, ASmith), Service C (Accounts), Alice. Service C: “You need to be over 18 to access this service”; Alice presents “Over 18” from her Service A data; Service C: “Welcome”.]
Data sharing across unlinked accounts
To prevent timing correlations, Alice can obtain long-lived copies of her account data whenever she visits the services.
[Figure: Alice holds an ID Token from Service A (Name, DOB) and an ID Token from Service B (Address, Postal code), packaged from the accounts AliceS (Name: Alice Smith, DOB: 1973/08/24) and ASmith (Address: 1010 Sherbrooke, Postal code: H3A 2R7).]
Data sharing across unlinked accounts
When Alice subsequently accesses a service that requires some information about her, she selectively discloses only the minimal assertion information needed from her long-lived copies.
[Figure: Service C: “You must be over 18 and from Quebec to access this service.” From her Service A token (Name, DOB) Alice discloses only an 18+ proof on the DOB; from her Service B token (Address, Postal code) only a proof on the postal code. Service C: “Welcome”.]
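Selective disclosure across the two unlinked accounts can be illustrated with salted hash commitments. The Python below is an added example, not Credentica’s or U-Prove’s code, and it simplifies the page’s technique: U-Prove ID Tokens let Alice prove a predicate such as “over 18” about an attribute that stays hidden, whereas here the issuing service also commits derived attributes (over_18, province) at issuance, so that plain selective disclosure of those two values suffices. The toy RSA key, the attribute names, the sample values copied from the page’s figures and all function names are this example’s own assumptions.

```python
"""Selective disclosure from tokens issued by two unlinked services (added illustration)."""
from __future__ import annotations

import hashlib
import json
import secrets

# Toy RSA key, shared by both issuing services for brevity (illustration only).
P, Q = 10007, 10009
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def commit(name: str, value: object, salt: bytes) -> str:
    """Salted commitment to one attribute; the salt stops low-entropy values
    (a boolean, a province code) from being recovered by guessing."""
    return hashlib.sha256(salt + name.encode() + b"=" + json.dumps(value).encode()).hexdigest()


def token_root(commitments: dict[str, str]) -> int:
    """Hash of the whole commitment set, the value the issuing service signs."""
    digest = hashlib.sha256(json.dumps(commitments, sort_keys=True).encode()).digest()
    return int.from_bytes(digest, "big") % N


def issue_token(attributes: dict[str, object]) -> tuple[dict, dict]:
    """A service packages its account data into a signed token. The opening (values
    and salts) goes to Alice; the token itself carries only the commitments."""
    salts = {k: secrets.token_bytes(16) for k in attributes}
    commitments = {k: commit(k, v, salts[k]) for k, v in attributes.items()}
    token = {"commitments": commitments, "sig": pow(token_root(commitments), D, N)}
    opening = {k: (attributes[k], salts[k].hex()) for k in attributes}
    return token, opening


def disclose(token: dict, opening: dict, names: list[str]) -> dict:
    """Alice's computer reveals only the requested attributes of one token."""
    return {"token": token, "revealed": {k: opening[k] for k in names}}


def verify_presentation(presentation: dict, required: dict[str, object]) -> bool:
    """The verifier checks the issuer signature, each opened commitment, and its policy."""
    token, revealed = presentation["token"], presentation["revealed"]
    if pow(token["sig"], E, N) != token_root(token["commitments"]):
        return False                                   # token forged or modified
    for name, (value, salt_hex) in revealed.items():
        if commit(name, value, bytes.fromhex(salt_hex)) != token["commitments"].get(name):
            return False                               # opened value does not match commitment
    return all(name in revealed and revealed[name][0] == want for name, want in required.items())


def service_c_admits(pres_a: dict, pres_b: dict) -> bool:
    """'You must be over 18 and from Quebec': one predicate from each service's token."""
    return verify_presentation(pres_a, {"over_18": True}) and \
        verify_presentation(pres_b, {"province": "QC"})


def sample_tokens(over_18: bool = True) -> tuple[dict, dict, dict, dict]:
    """Constructed account data modelled on the page's figures. Each issuing service
    also commits a derived attribute so the predicate can be disclosed on its own."""
    token_a, open_a = issue_token({"name": "Alice Smith", "dob": "1973/08/24", "over_18": over_18})
    token_b, open_b = issue_token({"address": "1010 Sherbrooke", "postal_code": "H3A 2R7",
                                   "province": "QC"})
    return token_a, open_a, token_b, open_b


if __name__ == "__main__":
    ta, oa, tb, ob = sample_tokens()
    print(service_c_admits(disclose(ta, oa, ["over_18"]), disclose(tb, ob, ["province"])))  # True
```

Service C learns that Alice is over 18 and lives in Quebec and nothing else: the name, date of birth and street address stay behind their commitments, and an altered opening or an altered signature fails verification. Because the commitments and signature are identical on every presentation, showing the same token to two verifiers would let them link the two visits; that is the correlation the page avoids by having Alice hold batches and long-lived copies, and this simplification does not address it.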