Upload
faysal-boukayoua
View
925
Download
0
Embed Size (px)
DESCRIPTION
This paper proposes a hybrid approach that combines claim-based and network-based identity management. Partly by virtue of the principle of separation of concerns, better security and privacy properties are attained. Overall trust is diminished, while simultaneously reducing multiple actors' exposure and value as a target of attack. The proposed architecture also facilitates interoperability and pluralism of credential technologies, authentication protocols and operators. In addition, the user has more control over his personal data than with current network-based identity management systems. A prototype demonstrates the feasibility of the proposed approach.
Citation preview
Claim-based versus network-based
identity management: a hybrid
approach Faysal Boukayoua MSEC research group KaHo Sint-Lieven, Ghent MOBISEC, Frankfurt am Main June 25-26, 2012
Overview
• Introduction
• Motivation
• Architecture
• Prototype
• Evaluation
• Future work
2
Introduction: identity management
Admini-stration
Management &
maintenance
Communi-cation & discovery
Correlation & binding
Policy enforcement
Authenti-cation & assertion
Goals:
• Identity assurance
• Enable business & security applications
Loosely based on the ITU Y.2720 standard
3
Introduction: network-based identity
management
1. Request service
2. Authenticate at IdP
3. Return token
Based on The Identity Crisis: Security, Privacy and Usability Issues in Identity Management (Alpár et al)
4
Introduction: network-based identity
management
Examples
• Password-based Shibboleth
• Password-based OpenID
• Google ClientLogin
5
Introduction: claim-based identity
management
3. Supply claims
2. Send policy
1. Request service
Based on The Identity Crisis: Security, Privacy and Usability Issues in Identity Management (Alpár et al)
6
Introduction: claim-based identity
management
Examples
• eID technology
• Anonymous credential systems
• Standalone X509 certificates
7
Introduction: hybrid examples
• SAML authentication context classes:
▫ Smartcard PKI
▫ MobileTwofactorContract
▫ …
• Shibboleth and OpenID with alternative authentication
• eID authentication portals
8
Motivation: network-based IdM
1. Request service
2. Authenticate at IdP
3. Return token
Standardised protocols Widely deployed
9
Motivation: network-based IdM
1. Request service
2. Authenticate at IdP
3. Return token
Little change to user’s workstation
10
Motivation: network-based IdM
1. Request service
2. Authenticate at IdP
3. Return token
Phishing attacks Passwords: low security
11
Motivation: network-based IdM
1. Request service
2. Authenticate at IdP
3. Return token
Identity provider: Single point of failure Centralised storage High-value attack target Trust: monitoring, linking,
profiling
12
Motivation: claim-based IdM
3. Supply claims
2. Send policy
1. Request service
13
User-centric Consent Information flow
Motivation: claim-based IdM
3. Supply claims
2. Send policy
1. Request service
14
∃ privacy-preserving credentials Selective disclosure monitoring, linking, profiling New ones in development
Motivation: claim-based IdM
3. Supply claims
2. Send policy
1. Request service
15
eID infrastructure country-wide Large user-base Only country-wide standardisation & interoperability…
Motivation: other considerations
• Service provider
▫ Reliable user info
▫ Broaden user base
▫ Externalise IdM cost
• User
▫ Easily switch to other claim-based technologies
▫ Use credentials across services
16
User’s workstation
Architectural overview
Identity Provider
Service Provider 1
User Agent
Claim Provider 1
Claim Provider 2
Identity Broker
17
: added : discarded
Architecture: service provider
• Unmodified at protocol level
• Minor configuration required
▫ Prerequisite exchange (=required user attributes)
▫ @ trust establishment logic
18
Architecture: claim provider
• Claim issuance
• Storage of partial identities
• Multiple providers
• ∃ privacy-preserving credentials
19
Architecture: user agent
• Present claims to identity broker
• Claims management
• User feedback & consent
• Automated policies
• Phishing protection
• Various support functions
• ...
20
Architecture: identity broker
• Support claim technologies
• Authentication & assertion to service provider
• No attribute storage
▫ No storage-related user dependence generic functionality
• Privacy-preserving claim technologies
▫ monitoring, linking, profiling
21
Architecture: message flow
22
Claim Providers
User Agent
User’s workstation
Identity broker
Service Provider
a. Request credentials
b. Authentication
c. Issue credentials
1. Request service
2. Redirect
4. Assert attributes & redirect
4. Authentication
User’s workstation
Prototype
User Agent
Identity Broker
23
Claim Provider 1
Claim Provider 2
Service Provider 1
Prototype: user agent
• Samsung Galaxy S
• Android 2.3.4
• Tamperproof storage: Giesecke & Devrient Mobile Security Card
• 2 setups:
▫ Service accessed on smartphone
▫ Out-of-band authentication
24
Prototype: identity broker
• Claim technologies:
▫ Idemix
▫ Proof-of-concept IdM architecture
• Authentication & attribute assertion protocol:
▫ Shibboleth
▫ Service provider prerequisites in SAML metadata
▫ (others in progress)
25
Evaluation
26
Compared to network-based IdM
Compared to claim-based IdM
Phishing • Feedback on user agent • IdB configured in user agent
Feedback on user agent
IdP • Single point of failure • High-value attack
target
• Multiple IdBs (generic task) • User can select IdB • IdB stores no data
n/a (many issuers)
Interoperability
• SP protocol unchanged • Harness claim-based
credentials
• Credential use across services
• SP: broader user base at little cost • User: more services with same credentials
IdP: identity provider IdB: identity broker SP: service provider
Evaluation
27
Compared to network-based IdM
Compared to claim-based IdM
User consent User consent on user agent for each transaction
Transaction monitoring, linking, profiling
• Multiple IdBs • Leveraging:
• Selective disclosure • Pseudonymity • Anonymity
Additional user trust needed in IdB
IdP: identity provider IdB: identity broker SP: service provider
Future work: prototype
• Out-of-band session transfer
▫ Bluetooth
▫ NFC
▫ …
• Trust enforcement
▫ Middleware
▫ Browser hardening
• Other claim technologies
• Other authentication & assertion protocols
28
Future work: new concepts
• Tamperproof module in identity broker
▫ For less privacy-friendly technologies
▫ Enforce selective disclosure
• Identity broker entirely on smartphone
▫ Trust enforcement is paramount!
▫ Research mobile tamperproof modules
• Trust establishment strategies
▫ Without breaking standards?
29
Questions?
30