Identity: A desiderata for the Next Generation Internet

Presented by Pat Burke and Christian Loza, University of North Texas, at the “Seminar II, Saturday October 6, 2005”
Biometric ID: Problem Definition

Conventional password security is NOT secure, because passwords tend to be:
• Easily guessed
• Forgotten
• Written down in easily accessible locations
• Shared with a friend
• Common for a given user across a wide range of applications/systems
Biometric ID: Problem Definition

• Biometric identification is one possible solution to the user authentication problem.
• Biometric ID refers to verifying individuals based on their physical and behavioral characteristics, such as face, fingerprint, hand geometry, iris, keystroke, signature, voice, and even body odor. [7]
• Two proposed Biometric ID solutions will be presented:
  • Robust hashing with a one-way transformation [8]
  • Multimodal Biometric ID [9]
Biometric ID: Problem Definition

Biometric data has some shortcomings:
• If compromised, it cannot be reset.
• Storing actual biometric templates should be avoided.
• The variability of biometric data precludes the use of exact-matching hashing algorithms such as MD5 and SHA-1. [8]
• “Fuzzy” logic must be employed in evaluating the biometric input.
Biometric ID: Background

[Figure: Enrollment and Authentication Process]
Biometric ID: Background (Key Metrics)

• False Acceptance Rate (FAR): how many unauthorized individuals gain access because their biometric features are similar to those of an authorized user.
  • MUST BE MINIMIZED to maintain security
  • MUST BE ZERO for some security applications
• False Rejection Rate (FRR): how many authorized individuals are denied access because their input cannot be matched with their biometric template.
  • This is an inconvenience, but not a security problem.
Biometric ID: Background (Other Metrics)

• Time required for the enrollment process
• Time required for the verification process
• Computer resources utilized by the security system
  • Memory
  • Algorithmic efficiency (CPU time)
Robust Hashing

• Is it possible to design a robust hashing algorithm such that the hashes of two close inputs are judged identical, while inputs that are not so close give completely different outputs?
• “Features” of the biometric data are selected based upon the type of biometric data chosen.
• During enrollment, “enough” samples are acquired from each user to obtain a range value (2δ) for EACH feature value.

Robust Hashing

• A unique hash value is then assigned to EACH feature and stored (encrypted) for verification.
• A Gaussian function is then fitted to the data for each feature, which results in the assigned hashed output value.
• The Gaussian function is then combined with “fake Gaussian peaks” to hide the true input, resulting in a non-invertible one-way transformation.

Robust Hashing

Parameters of the Gaussian non-invertible transforms are stored on “smartcards” of some sort, which the user must present at authentication time.

[Figure: TRUE GAUSSIAN FUNCTION (red)]

Robust Hashing

[Figure: USER AUTHENTICATION]
Robust Hashing

Tested against the ORL Database of Faces, available at http:/www.uk.research.att.com/facedatabase.html
• Consists of 10 different images of each of 40 distinct subjects, taken under extensively varying conditions.
• 6 of the images for each individual were used in the enrollment phase.
• The remaining 4 were used in the test sets.
• 20 features were selected.
• Tests were conducted with 5% and 10% tolerance factors for the inputs, to account for variation in the non-enrolled faces.
Robust Hashing: Test Results

FALSE REJECTION RATE (how many GOOD GUYS could not get in)
• 15 subjects were correctly identified on 4/4 images with a 10% tolerance factor.
• 1 subject was NEVER correctly identified using ANY of the 4 images with a 10% tolerance factor.

FALSE ACCEPTANCE RATE (how many BAD GUYS COULD get in)
• 12 subjects were NEVER falsely admitted using ANY other person’s credentials with a 5% tolerance factor.
• 25 subjects WERE authenticated using at least 4 other individuals’ credentials at a 10% tolerance factor.
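The range-based matching and the FAR/FRR bookkeeping behind these test results, as an added example that is not code from the slides or from [8]. It assumes a feature is accepted when it falls inside the subject's enrolled range widened by the tolerance factor, keeps the ORL split (6 enrollment and 4 test samples per subject), and runs on constructed synthetic feature vectors rather than face data:

```python
import random
from typing import Dict, List, Tuple

Template = List[Tuple[float, float]]   # one (centre, delta) pair per feature


def enroll(samples: List[List[float]]) -> Template:
    """Template from one subject's enrollment samples: the spread of each
    feature over the samples is the slides' range value 2*delta."""
    template: Template = []
    for j in range(len(samples[0])):
        values = [s[j] for s in samples]
        lo, hi = min(values), max(values)
        template.append(((lo + hi) / 2.0, (hi - lo) / 2.0))
    return template


def verify(template: Template, probe: List[float], tolerance: float) -> bool:
    """Accept only if EVERY feature lies inside the enrolled range widened by the
    tolerance factor (0.05 / 0.10 on the slides). Widening by a fraction is this
    example's assumption, not the rule of [8]."""
    for (centre, delta), value in zip(template, probe):
        if abs(value - centre) > delta * (1.0 + tolerance):
            return False
    return True


def error_rates(templates: Dict[str, Template],
                probes: Dict[str, List[List[float]]],
                tolerance: float) -> Tuple[float, float]:
    """Return (FAR, FRR): a genuine probe is a subject's test sample against their
    own template, an impostor probe the same sample against every OTHER template;
    FAR = impostors accepted, FRR = genuines rejected."""
    genuine = rejected = impostor = accepted = 0
    for subject, template in templates.items():
        for owner, vectors in probes.items():
            for vector in vectors:
                ok = verify(template, vector, tolerance)
                if owner == subject:
                    genuine += 1
                    rejected += not ok
                else:
                    impostor += 1
                    accepted += ok
    return accepted / impostor, rejected / genuine


def never_falsely_admitted(templates, probes, tolerance: float) -> int:
    """Subjects whose test samples were NEVER accepted by another subject's
    template, the per-subject count the slides report for the 5% run."""
    count = 0
    for owner, vectors in probes.items():
        others = [t for subject, t in templates.items() if subject != owner]
        if not any(verify(t, v, tolerance) for t in others for v in vectors):
            count += 1
    return count


def constructed_dataset(subjects: int = 40, features: int = 20, seed: int = 7):
    """Constructed synthetic data shaped like the ORL split (10 samples per
    subject: 6 enrollment, 4 test). Not real face features."""
    rng = random.Random(seed)

    def noisy(centre: List[float]) -> List[float]:
        return [c + rng.gauss(0.0, 2.0) for c in centre]

    enrollment, tests = {}, {}
    for i in range(subjects):
        centre = [rng.uniform(0.0, 100.0) for _ in range(features)]
        enrollment[f"s{i:02d}"] = [noisy(centre) for _ in range(6)]
        tests[f"s{i:02d}"] = [noisy(centre) for _ in range(4)]
    return enrollment, tests


def run(tolerance: float) -> Tuple[float, float]:
    """FAR and FRR of the constructed dataset at one tolerance factor."""
    enrollment, tests = constructed_dataset()
    templates = {u: enroll(s) for u, s in enrollment.items()}
    return error_rates(templates, tests, tolerance)
```

Calling run(0.05) and run(0.10) reproduces the shape of the slide's experiment: the looser tolerance lowers FRR and raises FAR.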
Multimodal

• Description of the Dialog Communication System’s BioID commercial user-authentication system
  • In use in many systems worldwide
  • Uses three different sources of biometric data to achieve better accuracy than a single-feature system:
    • Voice, using a user-resettable “password”
    • Lip movement, using the same password
    • Facial data
Multimodal

• During enrollment, biometric templates are collected for each biometric feature.
• For authentication, the system compares these templates against the biometric input.
• The client sets the recognition thresholds for each of the features independently to achieve the desired level of security. [9]
Multimodal: Face Processing [9]

[Figure: original image; edge-extracted image; face model; face model overlaid on the edge-extracted image]
Multimodal: Face Processing

[Figure] Samples of extracted faces: BioID scales all faces to the same size and crops the images uniformly for easier comparison. This photo collection shows 12 individuals. Note the uniformity that the system achieves. [9]
Multimodal: Test Results

• Live test using 150 individuals for 3 months
• “False-acceptance rate significantly below 1 percent, depending on the security level.”
Pros and Cons: Robust Hashing

PRO:
• Scalable: easy to add new users
• Secure: a lost or stolen ID card is not likely to compromise the security of the system
• Flexible: can be set up using features other than fingerprints

CON:
• Test results not good
• An intelligent attacker may be able to fool the system with brute-force guessing
• Much research left to make the system more secure (fewer FAR violations)
Pros and Cons: Multimodal BioID

PRO:
• Scalable: easy to add new users
• Secure: a lost or stolen ID card is not likely to compromise the security of the system
• Flexible: feature values can be manipulated to meet security needs
• Stable product
• Multiple biometric sources make it more secure

CON: none listed
Conclusion

• Biometrics is a current area of intense research.
• Multiple biometric sources should yield a more desirable product.
IDENTITY

Second Part: Federated Systems, Identity Management
Desiderata: What we want

• Federate identity across organizations, maintaining access rights and privileges
• Web-based federated identity integrated with web-based privilege management systems
• One identity, multiple roles across organizations; trust management and information sharing between trusted organizations
Desiderata

NSF, about the Next Generation Internet, in the context of the GENI research program:
“Creating new core functionality: Going beyond existing paradigms of datagram, packet and circuit switching; designing new naming, addressing, and overall identity architectures, and new paradigms of network management;”
“Building higher-level service abstractions: Using, for example, information objects, location-based services, and identity frameworks;”
Desiderata

Microsoft Research, in the context of the Next Generation Internet:
“.NET Building Block Services. A new family of highly distributed, programmable developer services that run across standalone machines, in corporate data centers and across the Internet. Services include Identity, Notification and Messaging, Personalization, Schematized Storage, Calendar, Directory, Search and Software Delivery.”
Federated Identity: Proposal

“Towards Improved Federated Identity And Privilege Management System in Open Systems”, Bhatti, Bertino and Ghafoor
• SSO (single sign-on)
• Effective access control
• Decentralized model
• Authentication for strangers
• Trust, anonymity and privacy
• Standardized approach
Proposed Approach

[Diagram: Proposed Approach]

Proposal > Other approaches

The other approaches:
• Earlier authentication/authorization mechanisms (IAPM, XECB… etc.)
• X.509
• X.509 PKI + PMI
• Kerberos
Proposal > The Earlier approach

Scheme     #Passes   Provably Secure   Assoc Data   Parallelizable   On-Line   Patent-Free
IAPM       1
XECB       1
OCB        1
CCM        2
EAX        2
CWC        2
Helix      1
SOBER128   1
[The check marks in the last five columns did not survive the transcript.]
Proposal > Problems of all Traditional Approaches

[Diagram: Previous Authentication Approaches compared with the Ideal Solution on Distributed Solution, Scalability, and Distributed Privilege Management]

Kerberos > Credentials Based Systems

[Diagram: Kerberos compared with the Proposal on Authorization? Privilege?, Distributed, Scalable]
Kerberos > Credentials Based Systems

• Kerberos
  • Based on tickets
  • Centralized
  • Starts by getting an initial ticket
  • With the ticket, it can request services

Kerberos > Credentials Based Systems

• Kerberos
  • The authentication process can run on both master and slave machines
  • The slaves are read-only
  • The KDBM manages changes of passwords. WHY?

Kerberos > Credentials Based Systems

• Kerberos
  • Changes can be introduced in the KDBM
  • Each Kerberos realm has a master machine
  • You can have additional master machines
Kerberos > Credentials Based Systems

Kerberos: authentication and authorization use CREDENTIALS BASED ON IDENTITY. “I know WHO you are, therefore, I know what you are allowed to do.”
Desiderata: authentication and authorization use CREDENTIALS BASED ON ROLES. “I know WHAT role you are allowed to play.”
X.509 > Credentials Based Systems

[Diagram: X.509 compared with the Proposal on Authorization? Privilege?, Distributed, Scalable; the X.509 cells are marked “?”]
X.509 > Credentials Based Systems

X.509: authentication and authorization use CREDENTIALS BASED ON ROLES, and BIND credentials to a KEY.
Proposal: authentication and authorization use CREDENTIALS BASED ON ROLES, and BIND credentials to a ROLE.
X.509 > Credentials Based Systems

• X.509 PKI + PMI
[Diagram: X.509 PKI + PMI]
Proposed Approach

[Diagram: Proposed Approach]

Proposed Approach

[Diagram: XKMS, the four-corner approach]
Federated Identity: XML Public Protocols (Proposed Approach)

SAML (Security Assertion Markup Language)
• XML based
• Avoids the limitations of cookies
• SSO interoperability: different implementations can be compatible
• Web services: suited to work in browser environments
• Federations: can simplify federation usability
Proposed Approach

[Diagram: Proposed Approach]

Proposed Approach

[Diagram: XML Key Signature /]
Desiderata: Proposed Approach

[Flow diagram, with a component labelled “Roles”]
1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login
6. Redirect w/tickets in header
7. Request page w/credentials
8. Set ticket
Conclusions: What we have (or will have)

• Federate identity across organizations, maintaining access rights and privileges?
• Web-based federated identity integrated with web-based privilege management systems?
• One identity, multiple roles across organizations; trust management and information sharing between trusted parties?

Conclusions: What we have (or will have)

• Federate identity across organizations, maintaining access rights and privileges ✓
• Web-based federated identity integrated with web-based privilege management systems ✓
• One identity, multiple roles across organizations; trust management and information sharing between trusted parties ✓
Questions

• A similar distributed system is already in use and implemented. Can you tell which system we are talking about?
• Can you tell the differences between the desired approach and the actual schema?
• Can you point out which features have to change? (Think about the actual problems.)
References

1. J. Black, “Authenticated Encryption”, November 2003.
2. W3C, XKMS Specification, www.w3.org
Introduction

• The Internet has changed the way we do business forever.
• In cyberspace, our identity has changed too, and a Digital Identity has emerged.
• Identity can be defined as a set of characteristics that uniquely identifies us (or a digital entity). [1]
Introduction: Concepts

• Identity: set of characteristics that identifies a given entity.
• Identification: recognizing someone as a specific individual.
• Authentication: process to make sure the identification is valid.
• Authorization: set of resources given to a certain entity, based on its identity.
Introduction

• In the physical world, users can be identified by physical characteristics, such as hair color, height, skin color, etc.
• On the Internet, users are identified by sets of information, such as SSN, name, credit card number, address, phone number, etc.
Introduction

Most services have gone to the Internet:
• Electronic Commerce
• Electronic Government
• Electronic Learning
• Electronic Marketing
• Electronic Publishing
Introduction

• To interact on the Internet with these service providers, people use their Digital Identity.

Introduction

• One of the drawbacks of human-centric electronic interactions is the fuzziness of the image of the other partner over the network.
Introduction

• Ensuring security and privacy in a distributed communication system such as the Internet is crucial.
• Crimes related to identity theft have become a major threat to the growth of commerce over the Internet.
Introduction

Identity-related misuse and concerns [2]:
• Identity theft: someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception. [3]
• Malicious change of information: someone wrongfully changes personal information of somebody else, or of himself, to do harm or for self-benefit.
• Secondary use: somebody impersonates someone else for personal benefit.
• And the list keeps growing.
Federated Identity: Some facts

Below are some institutions and people believed to be victims of identity theft:
• Bill Gates
• CIA, NASA, Justice Department
• Wells Fargo
• Bank of America
• Ebay
• UNT?
Problem Definition

• Identity has brought more complexity to the business model.
• Any person may now be using multiple identities to access multiple service providers on the Internet.
• Multiple identities also mean redundant costs and increasing problems.

Problem Definition

• One of the technologies that has emerged to solve the increasing complexity of identity management across multiple organizations is Federated Identity.
Problem Definition

• Federated Identity is a digital credential analogous to a country passport. [4]
• Trust negotiation model: the gradual interchange of credentials between two entities, with the goal of establishing trust and finally exchanging resources.
• Our task is to review proposed designs of an efficient scheme for such a federation interchange.

Problem Definition

• Different sets of information from the identity may be needed by different organizations.
Federated Identity

[Diagram: information needed by organizations A, B and C]
Each organization’s full requirement:
• A: Name, Address, Phone Number, PO Box, SSN
• B: Name, Address, Phone Number, PO Box, SSN, Credit Card, Billing Address
• C: Name, Address, Phone Number, PO Box, SSN, Credit Card, Passport Number
What is specific to each organization:
• A: Name, Address, Phone Number, PO Box, SSN
• B: Credit Card, Billing Address
• C: Passport Number
Federated Identity: Credentials negotiation

• Disclosure policies
• Credential combinations are required for disclosure of sensitive information
• Negotiation between user and service providers, and among service providers
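The trust negotiation model from the Problem Definition slide and the disclosure policies listed above, as an added example that is not from the slides or from [4]. The parties, credential names and policies are constructed; each credential's policy lists the credential combinations the other side must already have disclosed, and the exchange stops when the provider's resource policy is met or nobody can release anything more:

```python
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# A disclosure policy is a list of alternative credential combinations; the
# other party must already have shown every credential of one combination
# before the protected credential is released. An empty list = freely given.
Policy = List[FrozenSet[str]]


def satisfied(policy: Policy, shown: Set[str]) -> bool:
    return not policy or any(combo <= shown for combo in policy)


class Party:
    def __init__(self, name: str, credentials: Dict[str, Policy]):
        self.name = name
        self.credentials = credentials    # credential name -> disclosure policy
        self.seen: Set[str] = set()       # credentials the other party has shown us
        self.disclosed: Set[str] = set()

    def sensitivity(self, cred: str) -> int:
        """Fewest credentials any combination demands; 0 = freely disclosable."""
        return min((len(c) for c in self.credentials[cred]), default=0)

    def next_disclosure(self) -> Optional[str]:
        """Least sensitive credential whose policy the other side has satisfied."""
        ready = [c for c, p in self.credentials.items()
                 if c not in self.disclosed and satisfied(p, self.seen)]
        return min(ready, key=lambda c: (self.sensitivity(c), c)) if ready else None


def negotiate(user: Party, provider: Party, resource_policy: Policy,
              max_rounds: int = 20) -> Tuple[bool, List[Tuple[str, str]]]:
    """Alternate single disclosures (provider first) until the provider has seen
    a combination satisfying the resource policy, or neither side can move."""
    transcript: List[Tuple[str, str]] = []
    for _ in range(max_rounds):
        progress = False
        for sender, receiver in ((provider, user), (user, provider)):
            if satisfied(resource_policy, provider.seen):
                return True, transcript
            cred = sender.next_disclosure()
            if cred is None:
                continue
            sender.disclosed.add(cred)
            receiver.seen.add(cred)
            transcript.append((sender.name, cred))
            progress = True
        if not progress:
            return False, transcript          # deadlock: nobody can go first
    return satisfied(resource_policy, provider.seen), transcript


def example(user_has_card: bool = True) -> Tuple[bool, List[Tuple[str, str]]]:
    """Constructed scenario: the user wants a billing resource that requires the
    credential COMBINATION credit card + address; the card is only released once
    the provider has shown both a business license and a PCI certificate."""
    user_creds: Dict[str, Policy] = {
        "name": [],                                               # public
        "address": [frozenset({"business_license"})],
        "credit_card": [frozenset({"business_license", "pci_cert"})],
    }
    if not user_has_card:
        del user_creds["credit_card"]
    user = Party("user", user_creds)
    provider = Party("provider", {
        "business_license": [],
        "pci_cert": [frozenset({"name"})],   # released only to a named user
    })
    return negotiate(user, provider, [frozenset({"credit_card", "address"})])
```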
Federated Identity: Scalability

KEY CONCEPTS for scalability of Federated Identity:
• Has to work with the browser as the client-side software
• Centralized approach
• Identity- or capability-based credentials

Federated Identity: Scalability

[Diagram: Scalability]
Federated Identity: Privilege management

• Both Federated Identity and Privilege Management are cornerstones of a management framework.
• A mechanism for Federated Identity and Privilege Management should satisfy at least eight requirements:

Federated Identity: Requirements

1. SSO (single sign-on): persistency of user identity across enterprise domains, allowing users to transfer their authorizations across multiple points of policy enforcement.
2. Effective access control: access control should be fine-grained, to cope with dynamically evolving enterprise resources.
3. Decentralized model: the system should not rely on a centralized access point; instead, it should be distributed.
4. Authentication for strangers: in the new distributed Internet environment, there is no longer any advance knowledge of identities or capabilities.
5. Trust, anonymity and privacy: privacy protection is becoming an increasing concern, from both a social and a legal perspective. It is a compromise, since avoiding name-binding complicates trust establishment.
6. Standardized approach: the solution should be able to integrate with other systems, using existing accepted standards.
7. Browser based: nobody wants to install client-side applications.
8. Technology issues: cookies and JavaScript are being used. Nevertheless, they have been proved to be a security problem, even though they are better than the other options.
Federated Identity: Ideal Scheme

[Flow diagram]
1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login
6. Redirect w/tickets in header
7. Request page w/credentials
8. Set ticket
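The eight steps of the ideal scheme, run end to end between a browser, a service provider and an identity provider, as an added example not taken from the slides or from [4]. Assumptions of this example: the ticket carries user, roles, audience and expiry in a JSON body signed with an HMAC key the two providers share out of band, responses are plain dicts standing in for HTTP, and the service provider authorizes by role rather than by identity:

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    def __init__(self, key: bytes, users: dict):
        self.key = key       # HMAC key shared with the SP out of band (assumption)
        self.users = users   # user -> (password, set of roles)

    def request_credentials(self, return_to: str) -> dict:        # steps 3-4
        return {"status": 200, "form": "login", "return_to": return_to}

    def login(self, user: str, password: str, audience: str, return_to: str) -> dict:
        """Step 5 (login) and step 6 (redirect back with the ticket in a header)."""
        record = self.users.get(user)
        if record is None or not hmac.compare_digest(record[0], password):
            return {"status": 401}
        body = {"sub": user, "roles": sorted(record[1]), "aud": audience,
                "exp": int(time.time()) + 300}
        payload = _b64(json.dumps(body, sort_keys=True).encode())
        tag = _b64(hmac.new(self.key, payload.encode(), hashlib.sha256).digest())
        return {"status": 302, "redirect": return_to,
                "headers": {"X-Ticket": payload + "." + tag}}


class ServiceProvider:
    """Serves pages; authorizes by the ROLE in the ticket, not by identity."""

    def __init__(self, name: str, key: bytes, idp_url: str, required_role: str):
        self.name, self.key, self.idp_url, self.required_role = name, key, idp_url, required_role

    def verify_ticket(self, ticket: str) -> Optional[dict]:
        try:
            payload, tag = ticket.split(".", 1)
        except ValueError:
            return None
        expected = _b64(hmac.new(self.key, payload.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, tag):
            return None                      # forged or tampered ticket
        body = json.loads(_unb64(payload))
        if body.get("aud") != self.name or body.get("exp", 0) < time.time():
            return None                      # issued for another SP, or expired
        return body

    def request_page(self, page: str, ticket: Optional[str]) -> dict:
        """Steps 1-2 without a ticket; steps 7-8 with one."""
        if ticket is None:
            return {"status": 302, "redirect": self.idp_url,
                    "return_to": self.name + page}
        body = self.verify_ticket(ticket)
        if body is None:
            return {"status": 401}
        if self.required_role not in body["roles"]:
            return {"status": 403}
        return {"status": 200, "page": page, "user": body["sub"], "set_ticket": ticket}


def browser_flow(sp: ServiceProvider, idp: IdentityProvider,
                 page: str, user: str, password: str) -> dict:
    """The browser's side of the eight steps, in order."""
    r1 = sp.request_page(page, None)                           # 1 request page, 2 auto redirect
    r3 = idp.request_credentials(r1["return_to"])             # 3 redirect, 4 request credentials
    r6 = idp.login(user, password, sp.name, r3["return_to"])   # 5 login, 6 redirect w/ ticket
    if r6["status"] != 302:
        return r6
    return sp.request_page(page, r6["headers"]["X-Ticket"])    # 7 request w/ credentials, 8 set ticket
```

The audience check is what stops a ticket minted for one service provider from being replayed at another one that trusts the same identity provider.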
Federated Identity: Examples

• MSN Passport: developed by Microsoft
• Kerberos: developed by MIT
• X.509: Network Working Group, Certificate Management Protocol
• RBAC: research proposal
Federated Identity: MSN Passport

[Flow diagram]
1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login & passport
6. Redirect w/tokens in header
7. Request page w/credentials
8. Set cookie

Federated Identity: MSN Passport

• Centralized model
• Credentials and no tickets
• Used to authenticate users of Hotmail and MSN Messenger. Other users include Zurich, GMAC.
• The biggest Federated Identity system is Passport, from Microsoft.
Federated Identity: MSN Passport

• Processes 3.5 billion authentications each month
• Uses XML as the core
• Uses SSL
• Passport requires triple-DES keys shared with each organization.
• The keys must be generated securely and given to the merchants out of band.
• Some keys were broken because of the poor randomness of the keys generated.

Federated Identity: MSN Passport - Problems

• Centralized point of attack, against the distributed nature of the Internet; vulnerable to DoS attacks.
• Due to the cookie architecture, a service can impersonate MSN Passport and delete all the cookies in the clients (used for DoS attacks).
• JavaScript and cookie technologies have been proved to be insecure.

Federated Identity: MSN Passport - Problems

• Bugs have a great impact.
• MSN found problems many times, bringing down all services depending on Passport.
• One example was a failure in the password-resetting mechanism.
Federated Identity: Kerberos

[Flow diagram; symmetric keys]
1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login
6. Redirect w/tokens in header
7. Request page w/credentials
8. Set ticket

Federated Identity: Kerberos

• Developed by MIT’s Project Athena
• Allows mutual authentication and secure communications over the network
• Uses symmetric-key encryption and authentication credentials
• Authentication credentials are based on identity, and are suited for access control lists. The main problems for identity management are centralization and name binding.

Federated Identity: Kerberos - Problems

• Kerberos is identity based, which causes problems for scalability. Key concept: avoid name-binding.
• Suitable for access roles. Nevertheless, symmetric keys are not suited for federations and distributed identity management.
Federated Identity: X.509

[Flow diagram; asymmetric keys]
1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login
6. Redirect w/tokens in header
7. Request page w/access privileges
8. Set privileges

Federated Identity: X.509

• X.509 is a certificate scheme for authentication
• Based on Public Key Infrastructure (PKI)
• The access control credential is called an Attribute Certificate
• Asymmetric authentication
• Integrated approach of authentication and authorization

Federated Identity: X.509 Problems

• Integrated approach of authentication and authorization, which is not good in all contexts.
• This is because not all the system-specific capabilities may be known in advance.
• Access control credentials are not sufficient to meet effective access control requirements. Key concept: not scalable.
Identity: Role-Based Access Control (RBAC)

• Current enterprise solutions employ a combination of physical security, passwords, and Role-Based Access Control to ensure the identity of a user.
• Physical security and passwords protect the system from intrusion.
• Role-Based Access Control limits access to documents and data on a “need to know” basis.

Identity: Role-Based Access Control (RBAC)

• Access rules are established with sets of access pairs which associate users and their corresponding permissions: (user, permissions)
• While RBAC is supported by many specific application packages (Oracle and Sybase, for example), the method will be described with a brief look at XML.
Federated Identity: XML Public Protocols

SAML (Security Assertion Markup Language)
• XML based
• Avoids the limitations of cookies
• SSO interoperability: different implementations can be compatible
• Web services: suited to work in browser environments
• Federations: can simplify federation usability
Federated Identity: XML-Based Doc Security

X-Sec [5] is one notional XML-based control system with the following components:
• Credential-types (ct): defined user type definitions
  • Example: manager, customer, carrier
  • (n_ct, P_ct), where n is the name of the credential-type and P is the set of property specifications for the ct.
[Figure: XML credential-type and corresponding graph representation [5]]

XML-Based Doc Security: X-Sec Components (cont.)

• Credential: an instantiation of a credential-type
  • Specifies the set of property values characterizing a given subject against the credential-type itself
  • Physical credentials are certified by the credential issuer
[Figure: XML credential and corresponding graph representation [5]]

XML-Based Doc Security: X-Sec Components (cont.)

• Security Policy Base Template: specifies credential-based security policies based on enterprise protection requirements
  • Documents to which the policy applies
  • Portions of documents within target documents
  • Access modes
  • Propagation mode for the policy

XML-Based Doc Security: X-Sec Components (cont.)

• Security Policy Base Instantiation
  • Example:
    • Secretaries in sales can access and modify all purchase order documents
    • UPS employees can access information about the customer, carrier, and order id
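The two policy-base instantiations just listed, evaluated against a credential and a purchase-order document, as an added example that is not X-Sec's own syntax or code from [5]. The credential-type definitions, the XML shapes, the policy fields (target documents, portions, access modes, propagation) and the sample documents are all constructed for this illustration:

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Credential-types (n_ct, P_ct): name -> property names an instance must carry.
CREDENTIAL_TYPES: Dict[str, Set[str]] = {
    "secretary": {"name", "department"},
    "carrier_employee": {"name", "company"},
}

# Security policy base: each policy names the credential condition plus the
# four template parts (target document, portions, access modes, propagation).
POLICIES: List[dict] = [
    {"credential_type": "secretary", "conditions": {"department": "sales"},
     "target": "purchase_order", "portions": ["*"],
     "modes": {"read", "write"}, "propagation": "cascade"},
    {"credential_type": "carrier_employee", "conditions": {"company": "UPS"},
     "target": "purchase_order", "portions": ["customer", "carrier", "order_id"],
     "modes": {"read"}, "propagation": "cascade"},
]

# Constructed sample credentials and document (not taken from [5]).
SECRETARY_XML = ('<credential type="secretary" issuer="HR-CA">'
                 '<name>Ann</name><department>sales</department></credential>')
UPS_XML = ('<credential type="carrier_employee" issuer="UPS-CA">'
           '<name>Raj</name><company>UPS</company></credential>')
ORDER_XML = ('<purchase_order><order_id>42</order_id>'
             '<customer><name>Acme</name><address>1 Main St</address></customer>'
             '<carrier>UPS</carrier><items><item sku="x1" price="9.99"/></items>'
             '<payment><card>tok_123</card></payment></purchase_order>')


def parse_credential(xml_text: str) -> dict:
    """Parse a credential and check that it instantiates a known credential-type
    with exactly the property set P_ct; anything else is rejected."""
    root = ET.fromstring(xml_text)
    ct = root.get("type")
    props = {child.tag: (child.text or "").strip() for child in root}
    if ct not in CREDENTIAL_TYPES or set(props) != CREDENTIAL_TYPES[ct]:
        raise ValueError(f"credential does not instantiate a known type: {ct}")
    return {"type": ct, "issuer": root.get("issuer"), "properties": props}


def policy_applies(policy: dict, cred: dict) -> bool:
    return (policy["credential_type"] == cred["type"] and
            all(cred["properties"].get(k) == v
                for k, v in policy["conditions"].items()))


def accessible_elements(doc_xml: str, cred: dict, mode: str) -> Set[str]:
    """Tags of the document's elements the credential may use in `mode`."""
    root = ET.fromstring(doc_xml)
    allowed: Set[str] = set()
    for policy in POLICIES:
        if (policy["target"] != root.tag or mode not in policy["modes"]
                or not policy_applies(policy, cred)):
            continue
        if policy["portions"] == ["*"]:
            portions = [root]
        else:
            portions = [el for tag in policy["portions"] for el in root.iter(tag)]
        for el in portions:
            allowed.add(el.tag)
            if policy["propagation"] == "cascade":   # policy propagates downward
                allowed.update(child.tag for child in el.iter())
    return allowed


def redacted_view(doc_xml: str, cred: dict, mode: str) -> str:
    """Copy of the document with every element the credential may not use removed."""
    allowed = accessible_elements(doc_xml, cred, mode)
    root = ET.fromstring(doc_xml)   # the root stays as a container for well-formedness
    def prune(el: ET.Element) -> None:
        for child in list(el):
            if child.tag in allowed:
                prune(child)
            else:
                el.remove(child)
    prune(root)
    return ET.tostring(root, encoding="unicode")
```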
XML-Based Doc Security: Assessment

PRO:
• Highly available in commercial products
• Easy to set up
• Training is readily available
• Highly effective in a CLOSED and TRUSTED environment

CON:
• Often difficult to REMOVE users
• Impractical in an open user environment
  • Not a long-term Internet solution
  • Passwords can be stolen, resulting in unauthorized access
• Periodic password changes make remembering passwords difficult
• Left to their own devices, people tend to choose passwords that are easy to guess
Biometrics: Definition

Any and all of a variety of identification techniques which are based on some physical or behavioral characteristics of the individual, contrasted with the larger population. Unique digital identifiers are created from the measurement of this characteristic.
• Physiological biometrics: fingerprints, hand and/or finger geometry, eye (retina or iris), face, and wrist (vein)
• Behavioral biometrics: voice, signature, typing behavior, and pointing
Biometrics: Overview

• A user’s digital template is created during an “enrollment period” and stored in a database.
• On attempted verification, the relevant template is extracted and compared with the data input.
  • An ATM card is still required to point at the correct digital template.
  • Verification is based on statistical techniques of comparison between the two.

Biometrics

[Figure: some devices that use biometrics]
Benchmarks

• The eight points can be used to measure whether an identity management protocol is suited for scalability and federated use.
• Browser features can be used as a metric: use of cookies, use of JavaScript, use of XML.
Biometrics: Benchmarks

BENCHMARKS for biometrics:
• Template size
• Speed of enrollment
• False Accept Rate
• False Reject Rate
Biometrics: Assessment

PRO:
• When it works, it works best
• Generally acceptable in controlled group settings

CON:
• Bad user perceptions
• May be misused
• May harm eyes
• Input quality degrades with age
• Unacceptable False Reject Rates
  • 17% - facial
  • 10% - finger swipe
Conclusions

• Identity is a key issue for the Next Generation Internet.
• Any new or already proposed scheme for identity management should address at least the eight points exposed.
• All identity management should work with a browser on the client side.

Conclusions (cont.)

• Identity management paradigms that ensure “you are you,” as opposed to “you are who you say you are,” are absolutely critical to the future of e-commerce and electronic information sharing.
• Federated Identity can only be successful if the services are decentralized.
• Not an easy task.

Conclusions (cont.)

• Access control systems will continue to provide enterprise solutions for controlled areas for the foreseeable future.
• Biometrics appears to be the only real solution on the horizon, but it is not yet reliable enough for use in the general world population.