Notarized Federated Identity Management for Web Services Michael T. Goodrich Roberto Tamassia Danfeng Yao Brown University University of California, Irvine

Notarized Federated Notarized Federated Identity Management for Identity Management for

Web ServicesWeb Services

Michael T. GoodrichMichael T. Goodrich Roberto Tamassia Roberto Tamassia Danfeng Yao Danfeng Yao Brown UniversityBrown UniversityUniversity of California, IrvineUniversity of California, Irvine

Work supported in part by the National Science Foundation Work supported in part by the National Science Foundation and by IAM Technology, Inc.and by IAM Technology, Inc.

DBSec 2006DBSec 2006 Notarized Federated Identity ManagementNotarized Federated Identity Management 22

OutlineOutline

Introduction to federated identity management Introduction to federated identity management (FIM) (FIM)

Notarized federated identity management model Notarized federated identity management model and protocoland protocol

STMS and its application in notarized FIMSTMS and its application in notarized FIM Identity theft and proposed countermeasureIdentity theft and proposed countermeasure


MotivationMotivation Digital identity management (DIM) Digital identity management (DIM)

To protect sensitive personal information in on-line transactionsTo protect sensitive personal information in on-line transactions Users tend to choose weak passwordsUsers tend to choose weak passwords

As the number of passwords to remember increasesAs the number of passwords to remember increases Single sign-on (SSO) and federated identity Single sign-on (SSO) and federated identity

management management A user logs in only once to a site, then is automatically A user logs in only once to a site, then is automatically

authenticatedauthenticated Cookie-based SSO approach (used by Microsoft Cookie-based SSO approach (used by Microsoft

Passport)Passport) Does not support cross-domain single sign-onDoes not support cross-domain single sign-on

Approach using cryptographic-enabled assertionsApproach using cryptographic-enabled assertions Secure Assertion Markup Language (SAML)Secure Assertion Markup Language (SAML)


SSO and FIMSSO and FIM


Provider model in SAMLProvider model in SAML

Specially designed for general cross-domain Specially designed for general cross-domain single sign-onsingle sign-on

Identity Provider (IdP)Identity Provider (IdP) IdP is the system that asserts information about a IdP is the system that asserts information about a

subjectsubject Service Provider (SeP)Service Provider (SeP)

SeP is the system that relies on the information SeP is the system that relies on the information supplied to it by the identity providersupplied to it by the identity provider

Relying partyRelying party Used in Liberty Alliance Federated Identity Used in Liberty Alliance Federated Identity

Management for single sign-onManagement for single sign-on


Identity FederationIdentity Federation

Websites of different admin domains need to trust each Websites of different admin domains need to trust each other's access control verdicts other's access control verdicts

Circle of trustCircle of trust IssuesIssues

How to securely maintain the identity federation when members How to securely maintain the identity federation when members may leave or join the circle of trust?may leave or join the circle of trust?

How to provide separation of IdP and SeP for the privacy How to provide separation of IdP and SeP for the privacy protection of the user?protection of the user?

These questions have not been extensively studiedThese questions have not been extensively studied Existing SSO solutions assume pre-established trust relationship Existing SSO solutions assume pre-established trust relationship

among providersamong providers IdP and SeP communicate to each other during SSO processIdP and SeP communicate to each other during SSO process


Notarized Federated Identity Notarized Federated Identity Management Management

We introduce a trusted third-party, called We introduce a trusted third-party, called notary notary serverserver

The notary information of an assertion provides The notary information of an assertion provides its trustworthiness its trustworthiness

Distributed implementation of the notarized Distributed implementation of the notarized federated identity management framework using federated identity management framework using STMSSTMS

We also present a robust authentication protocol We also present a robust authentication protocol that is resilient against identity theft attacks, that is resilient against identity theft attacks, using identity-based encryptionusing identity-based encryption


NotarizationNotarization

Notary server Notary server Third party trusted by identity providers and service Third party trusted by identity providers and service

providersproviders Notarizes assertions submitted by identity providers Notarizes assertions submitted by identity providers Answers queries on notarized assertions asked by the Answers queries on notarized assertions asked by the

service providersservice providers Prevents direct communication between the identity Prevents direct communication between the identity

provider and the service providerprovider and the service provider Notarized assertionNotarized assertion

Generated by identity providerGenerated by identity provider Authenticated by notary serverAuthenticated by notary server Trusted by service providerTrusted by service provider


Security RequirementsSecurity Requirements

Security Security A polynomial-time adversary cannot forge a valid A polynomial-time adversary cannot forge a valid

notarized assertionnotarized assertion SecrecySecrecy

Notarized assertion should not leak sensitive Notarized assertion should not leak sensitive information of a user to unauthorized parties, information of a user to unauthorized parties, including the notary serverincluding the notary server

AccountabilityAccountability Identity providers should be held accountable for the Identity providers should be held accountable for the

assertions that they generate; and for any assertions that they generate; and for any unauthorized information disclosure about the userunauthorized information disclosure about the user


Overview of Notarized FIMOverview of Notarized FIM

SePSePUserUser

IdPIdP

Notary Notary ServerServer

1. Service request1. Service request

2. S_ID, attr. 2. S_ID, attr. namesnames

8. Notarized blinded assertion8. Notarized blinded assertion

3. Authenticates3. Authenticates

4. Signed S_ID, 4. Signed S_ID, attr. namesattr. names

5. Signed blinded 5. Signed blinded assertion with assertion with hashed_IDhashed_ID

6. Query for hashed_ID6. Query for hashed_ID

7. Notarized blinded assertion 7. Notarized blinded assertion

9. Unblind 9. Unblind and verifyand verify

S_ID: session IDS_ID: session IDHashed_ID: hashed S_IDHashed_ID: hashed S_IDAttr. Name: name of attribute required by SePAttr. Name: name of attribute required by SeP


Protocol Design ChallengesProtocol Design Challenges

How to protect the identity of the user from the service How to protect the identity of the user from the service provider?provider?

How to blind the content of an assertion from the notary How to blind the content of an assertion from the notary server?server?

How to unblind by the service provider?How to unblind by the service provider? How to hold the identity provider accountable for How to hold the identity provider accountable for

unauthorized disclosure?unauthorized disclosure? Our solution uses lightweight crypto primitives Our solution uses lightweight crypto primitives

hash functionhash function XORXOR symmetric encryptionsymmetric encryption digital signature digital signature


Implementation of NotarizedImplementation of NotarizedFIM ProtocolFIM Protocol

Two public parameters Two public parameters PP11, P, P22 The user and SeP compute a session_ID The user and SeP compute a session_ID NN

XOR each party’s random stringXOR each party’s random string The user requests IdP to generate assertions The user requests IdP to generate assertions

Signed request to IdP for accountabilitySigned request to IdP for accountability IdP blinds an assertion IdP blinds an assertion

Computes the hashed_ID Computes the hashed_ID h = Hash(N, Ph = Hash(N, P11)) Generates an assertion Generates an assertion SS using using hh for index for index Computes the blinding factor Computes the blinding factor K = Hash(N, PK = Hash(N, P22)) Encrypts Encrypts SS with with KK using a symmetric encryption scheme using a symmetric encryption scheme Blinded assertion is called S’Blinded assertion is called S’

IdP submits an assertion to the notary serverIdP submits an assertion to the notary server Sign Sign S’S’ with its private key with its private key Notary server stores Notary server stores S’S’, and stores the signature for , and stores the signature for

accountabilityaccountability


Implementation of the notarized Implementation of the notarized FIM protocol (Cont’d)FIM protocol (Cont’d)

The user queries for an assertion of a hashed_IDThe user queries for an assertion of a hashed_ID Computes the hashed_ID Computes the hashed_ID h = Hash(N, Ph = Hash(N, P11)) Queries the notary server for assertions of Queries the notary server for assertions of hh

Notary server notarizes an assertionNotary server notarizes an assertion Retrieves the blinded assertion Retrieves the blinded assertion S’S’ Signature approach: Signs Signature approach: Signs S’S’ with its private key with its private key STMS approach: computes the proof for STMS approach: computes the proof for S’S’

The user unblinds and verifies an assertionThe user unblinds and verifies an assertion The user verifies the notary informationThe user verifies the notary information Computes the blinding factor Computes the blinding factor K = Hash(N, PK = Hash(N, P22)) Decrypts Decrypts S’S’ with with KK and obtains and obtains SS Detect unauthorized information disclosureDetect unauthorized information disclosure

The service provider unblinds and verifies the assertionThe service provider unblinds and verifies the assertion


Privacy and AccountabilityPrivacy and Accountability

S_ID, S_ID, assertionassertion

Blinded Blinded assertionassertion

UserUser IdPIdP SePSeP

Notary Notary ServerServer

AccessAccess

AccessesAccesses

IdPIdP

UserUserStored byStored by

SignsSigns

Request Request for attributesfor attributes

AssertionsAssertionsto notaryto notary

SignsSigns

Stored byStored by Notary Notary ServerServer

IdPIdP


Notary server realization: STMSNotary server realization: STMS The Secure Transaction Management System The Secure Transaction Management System

[Goodrich, Tamassia et al.] implements an authenticated [Goodrich, Tamassia et al.] implements an authenticated dictionarydictionary

SourceSource

Responder AResponder A

Responder BResponder BDSDS

DSDS

DSDS

tt

Basis Basis (signed)(signed)UpdatesUpdates

UserUser

QueryQuery

ResponseResponse

AnswerAnswerProofProofBasis (signed)Basis (signed)

tt


STMS in Notarized FIMSTMS in Notarized FIM

NotaryNotarySourceSource

SePSePUserUser

IdPIdP


2. S_ID, attr. 2. S_ID, attr. namesnames








Signed STMS Signed STMS basis, updates per basis, updates per time quantumtime quantum

NotaryNotaryResponderResponder


Outline of the talkOutline of the talk

Introduction to federated ID Introduction to federated ID Provider model in SAMLProvider model in SAML Notarized federated identity management model Notarized federated identity management model

and protocoland protocol Identity theft and countermeasureIdentity theft and countermeasure


An authentication protocol robust An authentication protocol robust against identity theftagainst identity theft

Identity theft causesIdentity theft causes Private information insecurely stored and enteredPrivate information insecurely stored and entered

• On credit card company’s computers, in DMV’s cabinets, in your bank, in On credit card company’s computers, in DMV’s cabinets, in your bank, in your trash can …your trash can …

How to proactively control the release of your private information?How to proactively control the release of your private information? Secure storageSecure storage

• Prevent dumpster divingPrevent dumpster diving Safe disclosureSafe disclosure

• Prevent shoulder surfingPrevent shoulder surfing With minimal changes to current financial and administrative With minimal changes to current financial and administrative

infrastructureinfrastructure Existing approachesExisting approaches

Centralized processing Centralized processing Heavy-weight Zero-knowledge proofsHeavy-weight Zero-knowledge proofs

Our approachOur approach To design a lightweight authentication protocol using identity-based To design a lightweight authentication protocol using identity-based

encryptionencryption


An authentication protocol with identity-based encryption

UserUserIdentityIdentityProviderProvider

3. Submits 3. Submits identity-identity-based public key based public key forfor

authenticationauthentication

6. Is the6. Is the identity-basedidentity-basedpublic keypublic key revoked?revoked?

1. 1. Registers Registers identity-basedidentity-basedpublic keypublic key

2. Issues corresponding2. Issues correspondingprivate keyprivate key

RevocationRevocationServerServer Periodic updates ofPeriodic updates of

revokedrevoked identity-basedidentity-basedpublic keyspublic keys

4. Challenge ciphertext4. Challenge ciphertext

5. Result of decryption with5. Result of decryption withprivate keyprivate key

ID ID AuthorityAuthority


Related workRelated work

Anonymous credentials [Camenisch Lysyanskaya 01] Anonymous credentials [Camenisch Lysyanskaya 01] [Camenisch Herreweghen 02][Camenisch Herreweghen 02]

Federated ID management models [Camenisch et al 05] Federated ID management models [Camenisch et al 05] [Bhargav-Spantzel Squicciarini Bertino 05] [Bhargav-Spantzel Squicciarini Bertino 05] [Pfitzmann Waidner 03][Pfitzmann Waidner 03]

Web service framework [Bonatti Samarati 02]Web service framework [Bonatti Samarati 02] Identity theft detection [van Oorschot Stubblebine 05]Identity theft detection [van Oorschot Stubblebine 05] Identity-based encryption [Boneh Franklin 01]Identity-based encryption [Boneh Franklin 01] SAML [OASIS], WS-Federation [IBM et al]SAML [OASIS], WS-Federation [IBM et al]


ConclusionsConclusions

Notarized federated identity management is a solution Notarized federated identity management is a solution for establishing trust in web servicesfor establishing trust in web services

Notary server provides an anchor of trustNotary server provides an anchor of trust Notarized FIM protocol provides accountability, privacy, Notarized FIM protocol provides accountability, privacy,

and secrecy for participantsand secrecy for participants IBE-based credentials and exchanges hold promises for IBE-based credentials and exchanges hold promises for

identity theft solutionsidentity theft solutions


AcknowledgementsAcknowledgements

David Croston at IAM Technology, IncDavid Croston at IAM Technology, Inc



Generations of the modelGenerations of the model

UserUser

IdPIdP


2. S_ID, attr. names2. S_ID, attr. names








S_ID: One-time session IDS_ID: One-time session IDHashed_ID: hashed S_IDHashed_ID: hashed S_IDAttr. Name: name of attribute required by SePAttr. Name: name of attribute required by SeP

Optional pathOptional path

Notary Notary ServerServerNotary Notary

ServerServer

SeP BSeP B

SeP A SeP A

Documents

Notarized Federated Identity Management for Web Services Michael T. Goodrich Roberto Tamassia Danfeng Yao Brown University University of California, Irvine