egov security_tut_session_9
PalGov © 2011
The Palestinian eGovernment Academy
www.egovacademy.ps
Security Tutorial
Session 9
About
This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the
Commission of the European Communities, grant agreement 511159-TEMPUS-1-
2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.ps
Project Consortium:
University of Trento, Italy
University of Namur, Belgium
Vrije Universiteit Brussel, Belgium
TrueTrust, UK
Birzeit University, Palestine (Coordinator)
Palestine Polytechnic University, Palestine
Palestine Technical University, Palestine
Université de Savoie, France
Ministry of Local Government, Palestine
Ministry of Telecom and IT, Palestine
Ministry of Interior, Palestine
Coordinator:
Dr. Mustafa Jarrar
Birzeit University, P.O.Box 14- Birzeit, Palestine
Telfax: +972 2 2982935 [email protected]
© Copyright Notes
Everyone is encouraged to use this material, or part of it, but should properly
cite the project (logo and website), and the author of that part.
No part of this tutorial may be reproduced or modified in any form or by any
means without prior written permission from the project, which holds the full
copyright on the material.
Attribution-NonCommercial-ShareAlike
CC-BY-NC-SA
This license lets others remix, tweak, and build upon your work non-
commercially, as long as they credit you and license their new creations
under the identical terms.
Tutorial 5:
Information Security
Session 9: Federated Identity Management
(FIM)
Session 9 Outline:
• Session 9 ILOs.
• Federated Identity Management.
Tutorial 5: Session 9: (FIM) - ILOs
This session will contribute to the following ILOs:
• A: Knowledge and Understanding
– Understanding of the concepts underlying Secure Information Systems.
– Have an understanding of the various techniques used in identity management.
– Understand the motivation, design, operation and management of modern systems for encryption, authentication, authorization and identification.
• B: Intellectual Skills
– Design end-to-end secure and available systems.
– The ability to analyze the information security requirements of an organization.
• D: Intellectual Skills
– Analysis and identification skills.
Federated Identity Management.
• Introduction
• Overview of HTTP authentications,
Cookies, MS Passports and
Captchas.
• Trust Domains and Access Cases.
• FIM Definitions and Concept
• FIM examples
Introduction (1)
• There are many recognised sensitive but unclassified (SBU) networks and information systems, e.g. those of the different ministries and entities in Palestine.
• Each has invested in technology, governance structures, policies and trust relationships, but they are not interoperable with each other.
Introduction (2)
• Need to ensure that the right individuals have access to the resources they are authorised to use, regardless of where they reside in the enterprise.
• Example: the driving licence renewal example given in Tutorial 1.
Introduction (3)
• Security and privacy of information are major impediments to information exchange and system interoperability.
• Users must register at multiple sites and manage multiple sets of security credentials in order to get access to the resources they need at different ministries.
• Expensive, frustrating for users, and not scalable.
But first, some background: HTTP
Cookies
• Cookies allow a web server/site to store state information for itself on the user's browser. The server usually signs or encrypts the cookie, since otherwise the browser (and anything running in it) can read and alter it.
• A site can store many cookies, and the browser returns all cookies that match the site's domain and path on every later request to that site.
• Often used to enable SSO, since the site can tell from the cookie whether a user has already authenticated.
HTTP Redirect and Form-POST
• HTTP Redirect: allows one server to pass information to another server via the browser, as parameters in the redirect URL. The data is therefore sent as a GET, is limited in size, and appears in the browser history and in server logs.
• HTTP Form-POST: one server builds an HTML form whose action POSTs to another server, delivers the form to the browser in the response body (usually with a script that submits it automatically), and the browser then submits it to the other server. The data travels in the request body, so larger messages fit and nothing appears in the URL.
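The three mechanisms above (a cookie that lets a site tell whether the user is already authenticated, and the redirect and form-POST ways of handing a token to another server through the browser), as an added Python example; it is not code from the original tutorial. The cookie is signed with HMAC-SHA256 rather than encrypted, so its contents stay readable to the browser but cannot be altered without the server's secret. COOKIE_SECRET, the claim names, the field name "token" and the URLs are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import html
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed server-side secret: never sent to the browser; in a real deployment it is
# loaded from a secret store rather than written in source.
COOKIE_SECRET = b"constructed-example-key-use-32-random-bytes"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_session_cookie(user: str, ttl: int, now: Optional[int] = None) -> str:
    """Encode {sub, exp} and append an HMAC-SHA256 tag: the browser can read the
    state (it is signed, not encrypted) but any change invalidates the tag."""
    now = int(time.time()) if now is None else now
    payload = _b64(json.dumps({"sub": user, "exp": now + ttl}).encode())
    tag = hmac.new(COOKIE_SECRET, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def verify_session_cookie(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user name if the cookie is untampered and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload, tag = cookie.split(".", 1)
        expected = hmac.new(COOKIE_SECRET, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):  # constant-time compare
            return None
        claims = json.loads(_unb64(payload))
        sub, exp = claims["sub"], int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return None
    return sub if now < exp else None


def redirect_binding(target: str, token: str) -> dict:
    """HTTP redirect: the token travels in the query string of the Location URL."""
    return {"status": 302, "Location": f"{target}?{urlencode({'token': token})}"}


def token_from_redirect(location: str) -> Optional[str]:
    """What the receiving server does with the redirected request: read the parameter."""
    values = parse_qs(urlsplit(location).query).get("token")
    return values[0] if values else None


def form_post_binding(target: str, token: str) -> str:
    """HTTP form-POST: the token travels in a hidden field of a self-submitting form
    that the first server returns to the browser; the browser then posts it to target."""
    return (
        f'<form method="POST" action="{html.escape(target, quote=True)}">'
        f'<input type="hidden" name="token" value="{html.escape(token, quote=True)}">'
        '<noscript><input type="submit" value="Continue"></noscript>'
        "</form><script>document.forms[0].submit()</script>"
    )
```

Whichever binding carries the token, the receiving server must still verify it itself, as verify_session_cookie does, rather than trusting that it arrived by the expected path: a tampered payload, a forged tag, or an expired cookie all come back as None.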
Privacy Protection
• The user can choose to share e-mail address, name and other profile information with all participating sites (the same choice applies to every site; it cannot be made per site).
CAPTCHAs
• Completely Automated Public Turing test to tell Computers and Humans Apart
• Designed to stop automated user-registration programs, and the possible DoS attack of flooding the registration process
• The user is asked to type in some characters that most programs are incapable of reading
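The server side of a CAPTCHA check, as an added Python example that is not code from the original tutorial. Rendering the distorted characters is left out; what the block shows is the bookkeeping that makes the anti-flooding purpose above hold: a challenge is answerable once, only within a short lifetime, the answer is never stored in clear, and the comparison is constant-time. CaptchaStore, CAPTCHA_TTL and the alphabet are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import string
import time
from typing import Dict, Optional, Tuple

CAPTCHA_TTL = 120  # seconds a challenge stays answerable (assumed policy value)
ALPHABET = string.ascii_uppercase + string.digits  # no look-alike filtering, kept simple


class CaptchaStore:
    """Issue a challenge, then check the answer exactly once. Drawing the image is
    out of scope; this is what stops a solved challenge being replayed to flood
    the registration process."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending: Dict[str, Tuple[bytes, float]] = {}  # id -> (answer tag, issue time)

    def _tag(self, challenge_id: str, answer: str) -> bytes:
        # Keyed hash of the normalised answer, bound to this challenge id, so the
        # plaintext answer never sits in the store and a tag cannot be moved to another id.
        msg = f"{challenge_id}:{answer.strip().upper()}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, length: int = 6, now: Optional[float] = None) -> Tuple[str, str]:
        """Return (challenge_id, text): the id goes in a hidden form field, the text is rendered."""
        now = time.time() if now is None else now
        challenge_id = secrets.token_urlsafe(16)
        text = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self._pending[challenge_id] = (self._tag(challenge_id, text), now)
        return challenge_id, text

    def check(self, challenge_id: str, answer: str, now: Optional[float] = None) -> bool:
        """Single use: the challenge is consumed on the first attempt, right or wrong,
        and refused after CAPTCHA_TTL so a farmed answer cannot be submitted later."""
        now = time.time() if now is None else now
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        expected, issued = entry
        if now - issued > CAPTCHA_TTL:
            return False
        return hmac.compare_digest(expected, self._tag(challenge_id, answer))

    def purge(self, now: Optional[float] = None) -> int:
        """Drop expired challenges so unanswered ones cannot grow the store without bound."""
        now = time.time() if now is None else now
        stale = [cid for cid, (_, issued) in self._pending.items() if now - issued > CAPTCHA_TTL]
        for cid in stale:
            del self._pending[cid]
        return len(stale)
```

A wrong answer also consumes the challenge, so an attacker cannot keep guessing against the same image; the registration form has to fetch a fresh one.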
Trust Domains Definition
Trust domains describe the boundaries of a security infrastructure operating under a consistent set of policies, governance, and technology mechanisms.
(Figure: Trust Domain 1 and Trust Domain 2, with a "?" between them.)
Problems with Trust Domains
Problem:
• Authentication and Authorization are typically recognised only within a given trust domain, unless.....
What is required to achieve interoperability across different Trust Domains?
Different Access Cases
• Case 1: One user accessing one application or service.
• Case 2: One user accessing many applications.
• Case 3: Many users accessing many applications.
Case 1: One user accessing one application
Steps in provisioning access:
• Vetting (who are you?)
• Permissions (what can you access?)
• Credentials (how do I know it's you? – passwords, smart cards, etc.)
Access requires authentication of credentials.
(Figure: one user and one "Application and Services" box.)
Case 2: One user accessing many applications
Steps in provisioning access:
• Vetting
• Permissions
• Credentials
RESULT:
• Each application must perform all steps above (× N)
• User must keep track of N sets of credentials
(Figure: one user and N applications.)
Case 3: Many users accessing many applications
Steps in provisioning access:
• Vetting
• Permissions
• Credentials
RESULTS (× M × N: too many operations!!):
• Multifactor credentials & vetting become too expensive
• Vetting & credentials not done well.
• Vetting too far from user to be kept up to date effectively
• High barrier to access
(Figure: M users and N applications.)
If not checked correctly!!! (figure, from [1])
Proposed Solution (1)
• Provisioning of identity and user attributes (vetting and credentialing) is done once by the user's own organisation (× M users, not × M × N).
• Applications make access and authorization decisions based on trusted federation credentials and user attributes.
Proposed Solution (2)
• Huge savings in vetting and credentialing: M << M × N
• Vetting is better – closer to the user, since the user's own organisation does the vetting
• Credentialing is better – can afford multifactor
• Each user only needs one credential (Single Sign-On)
• Lower barriers to access – more access.
Some Definitions
• Identity: the whole set of attributes that in combination uniquely characterise a person
– hair colour, sound of their voice, height, name, qualifications, past actions, reputation etc.
• Attribute: a property, quality or characteristic of an entity
• Identifier: a string used to uniquely identify an entity in a domain. Often used as a login id or as a primary key in a database. A special type of attribute, since it is usually the only one that on its own can uniquely identify an entity in a domain.
– X.500/LDAP DNs, IP addresses, DNS names, URIs, key IDs, login IDs and 128-bit random numbers are all identifiers.
Some Definitions (2)
• Attribute assertion: a statement made by an authority that an entity has a particular attribute. An authority can be the entity itself or a (trusted) third party.
• Attribute certificate / authorisation credential: a cryptographically protected (usually digitally signed) attribute assertion that can be validated
• Attribute authority (AA): an authoritative source for asserting attributes about entities
• Service provider: an entity that provides a service to clients
• Identity provider: an entity that provides an authentication service, and is often also an AA for a set of identity attributes of its users
FIM Definition
From the RSA Web Site
• “A federated identity is a single user identity that can be used to access a group of web sites bound by the ties of federation. Without federated identity, users are forced to manage different credentials for every site they use. This collection of IDs and passwords becomes difficult to manage and control over time, offering inroads for identity theft.”
• “Federated identity management builds on a trust relationship established between an organization and a person. A federated identity makes it possible for the end user to use one trust relationship to access information with another, related company without establishing new credentials.”
FIM Definition (cont)
• From Microsoft's web site:
• “Federated systems need to interoperate across organizational boundaries and connect processes utilizing different technologies, identity storage, security approaches and programming models. Within a federated system, identities and their associated credentials are still stored, owned and managed separately. Each individual member of the federation continues to manage its own identities, but is capable of securely sharing and accepting identities and credentials from other members' sources.”
• From IBM Tivoli's web site:
• “Federated identity management can be defined as an industry framework built on top of industry standards that let subscribers from disparate organizations use their internal identification data to obtain access to the networks of all enterprises in the group”.
• SO WHAT IS FIM?
FIM Process
• Identifiers are assigned within a domain to uniquely identify an entity. They usually have no meaning outside the domain of issuance.
• FIM requires identity information to be passed between domains, therefore:
– We need to pass (signed) attribute assertions between domains in order to identify and authorise users across domains.
– FIM is not just Single Sign-On, although SSO is part of FIM. Why?
A better FIM Definition
• A group of organisations (ministries, associations, municipalities etc.) that set up trust relationships which allow them to send attribute assertions about users' identities between themselves, in order to grant users access to their resources.
• A user can use his credentials (in the AAA sense: authentication, authorisation and accounting) from one or more identity providers to gain access to other sites (service providers) within the federation.
• Can we use it for e-gov in Palestine?
User-to-Application (diagram)
System-to-System (diagram)
Credentials
• Authentic credentials are ones that have not been tampered with and are received exactly as issued by the issuing authority.
• Valid credentials are ones that are trusted for use by the target resource site. A credential can be authentic yet not valid: for example, issued by an authority the site does not trust, addressed to a different site, or past its lifetime.
FIM Examples
• Old systems:
– Microsoft's Passport
– UK Athens
• Current FIM systems:
– Shibboleth
– OAuth
– Liberty Alliance
– CardSpace
– Higgins
– OpenID
Example 1: Microsoft's .NET Passport
• .NET Passport is an authentication system that allows users to access multiple sites using the same credentials.
• Each site remains in charge of its own authorisation, and may use Passport information to help with it.
• How does it work? Users register at a site, but their credentials and profile information are stored centrally by Microsoft at the Passport server. This means that sites must trust Microsoft to hold user credentials and to authenticate users correctly.
The Registration Process
• The Passport site stores the user's credential and profile information, and allocates the user a unique 64-bit Passport User ID (PUID).
Credentials referenced by the Passport User ID
• Mandatory: e-mail address (the unique identifier) and password
• Optional: secret questions and answers, mobile phone number and PIN, security key
• The following attributes are stored by Passport if the participating sites require them, and are shared between sites if the user opts in:
– Birth Date, Country / Region, First Name, Gender, Last Name, Occupation, Postal Code, Preferred Language, State, Time Zone
.NET Passport Authentication (diagram)
Intra-Site Authentication Process
• When a user moves to another Participating Site (step 1), the site redirects the user to the Passport site (step 2).
• The user's client sends the Authentication cookie and the Profile cookie to Passport during the redirection, so Passport knows the user has already authenticated successfully (modified step 2).
Intra-Site Authentication Process (cont.)
• The Participating Sites cookie on the user's machine is updated by Passport, and the user is redirected back to the Participating Site (step 5).
• The Participating Site receives the encrypted tokens from Passport and knows the user has been authenticated (step 6).
• When the user logs out of Passport, all Passport cookies are deleted, and the Participating Sites cookie (which records the sites signed in to during the session) is used to clean up the cookies at each of those Participating Sites.
Disadvantages of MS Passport?
• All user transactions have to involve Microsoft, because it is responsible for authenticating all users.
• Why should Microsoft be involved in a federation between a car hire company and a hotel? It might be OK for Microsoft-related site federations such as Hotmail and MSN, but not for all federations between all commercial companies.
• Also, the protocol used by Passport was developed by Microsoft and was therefore not an international standard.
• Passport has now been superseded by Windows Live ID, which is an identity meta-system that provides support for Passport, CardSpace and OpenID.
Example 2: Shibboleth
• Internet2 consortium project
• Uses an OASIS standard protocol (SAML) for authentication at the user's home site, and for authorisation via a set of user attributes provided by the home site
• Provides users with access to remote resources
Shibboleth Access Stages
• Obtaining an authentication assertion for a user from his home site (IdP)
• Using this to get a set of attribute assertions for the user
• The two messages can be combined into one exchange to make the protocol more efficient
User Authentication using Shibboleth [2]
(Figure: boxes for User, SHIB SP, WAYF, Web Service, and the Identity Provider containing the Authentication Service and the Attribute Authority. Steps 5 (signed Authn Assertion) and 6 are labelled.)
The WAYF Service
• WAYF ("Where Are You From") is the service the SP sends the user to so that the user can pick their home organisation (IdP); the user is then redirected to that IdP to authenticate. Without it, an SP in a federation with many IdPs has no way of knowing where a given user should log in.
Authorization using Shibboleth [2]
(Figure: boxes for User, SHIB SP, Web Service, Authz service, and the SHIB IdP containing the Authn Service and the AA Server. Steps 9 (Attributes) and 10 are labelled.)
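The two Shibboleth stages above (an authentication assertion from the user's home IdP, then attribute assertions for the same user), the signed attribute assertions passed between domains in the FIM Process slide, and the distinction between authentic and valid credentials on the Credentials slide, as one added Python example. It is not code from the original tutorial or from the Shibboleth project: SAML's XML digital signatures are replaced by a per-IdP HMAC key that the SP is assumed to have received out of band (the role the signing certificates in federation metadata play in a real deployment), and the entity IDs, users, passwords and attribute release policy are constructed for the example.

```python
import base64, hashlib, hmac, json, secrets

SEP = "|"  # token layout: issuer|payload|mac ("." would clash with dots in entity IDs)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_assertion(issuer: str, claims: dict, key: bytes) -> str:
    """Keyed-MAC stand-in for the XML digital signature on a SAML assertion."""
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(key, f"{issuer}{SEP}{payload}".encode(), hashlib.sha256).digest()
    return SEP.join((issuer, payload, _b64(mac)))


def check_authentic(token: str, federation_keys: dict):
    """Authentic = received exactly as issued: the MAC verifies under the issuer's key.
    Returns the claims (plus issuer) or None; an unknown issuer cannot be verified at all."""
    try:
        issuer, payload, mac = token.split(SEP)
        expected = hmac.new(federation_keys[issuer], f"{issuer}{SEP}{payload}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(mac)):
            return None
        return {"issuer": issuer, **json.loads(_unb64(payload))}
    except (ValueError, KeyError, TypeError):
        return None


class IdentityProvider:
    """Home site: authenticates its own users and is the attribute authority for them."""

    def __init__(self, entity_id: str, key: bytes, users: dict, release_policy: dict):
        self.entity_id, self.key = entity_id, key
        self.users = users                    # login -> (password, attributes); toy store
        self.release_policy = release_policy  # SP entity id -> attribute names it may get
        self.handles = {}                     # transient handle -> login; never leaves the IdP

    def authenticate(self, login: str, password: str, sp: str, now: int):
        rec = self.users.get(login)
        # Toy check; a real IdP verifies a salted password hash or a stronger factor.
        if rec is None or not hmac.compare_digest(rec[0].encode(), password.encode()):
            return None
        handle = secrets.token_urlsafe(12)  # opaque per-session identifier shown to the SP
        self.handles[handle] = login
        claims = {"type": "authn", "sub": handle, "aud": sp, "nbf": now, "exp": now + 300}
        return sign_assertion(self.entity_id, claims, self.key)

    def attribute_assertion(self, handle: str, sp: str, now: int):
        login = self.handles.get(handle)
        if login is None:
            return None
        allowed = self.release_policy.get(sp, set())  # release policy decided per SP
        released = {k: v for k, v in self.users[login][1].items() if k in allowed}
        claims = {"type": "attr", "sub": handle, "aud": sp, "nbf": now, "exp": now + 300,
                  "attrs": released}
        return sign_assertion(self.entity_id, claims, self.key)


class ServiceProvider:
    """Resource site: grants access only on assertions it can both verify and trust."""

    def __init__(self, entity_id: str, federation_keys: dict, trusted_issuers: set,
                 required_role: str):
        self.entity_id, self.federation_keys = entity_id, federation_keys
        self.trusted_issuers, self.required_role = trusted_issuers, required_role

    def validate(self, token: str, now: int):
        claims = check_authentic(token, self.federation_keys)
        if claims is None:
            return None  # tampered, or signer unknown to the federation
        # Valid = trusted for use by this site: issuer on our trust list, addressed to us,
        # and inside its lifetime. An authentic assertion can still fail all three.
        if (claims["issuer"] not in self.trusted_issuers or claims.get("aud") != self.entity_id
                or not claims.get("nbf", 0) <= now < claims.get("exp", 0)):
            return None
        return claims

    def authorize(self, authn_token: str, attr_token: str, now: int) -> bool:
        authn, attrs = self.validate(authn_token, now), self.validate(attr_token, now)
        if authn is None or attrs is None:
            return False
        if (authn.get("type"), attrs.get("type")) != ("authn", "attr"):
            return False
        if (authn["issuer"], authn.get("sub")) != (attrs["issuer"], attrs.get("sub")):
            return False  # attributes must belong to the handle that was authenticated
        return self.required_role in attrs.get("attrs", {}).get("role", [])


# Constructed sample federation: two ministry IdPs; the licensing SP trusts only ministry A.
KEY_A, KEY_B = b"ministry-a-mac-key-constructed", b"ministry-b-mac-key-constructed"
FEDERATION_KEYS = {"idp.ministry-a.example": KEY_A, "idp.ministry-b.example": KEY_B}
SP_ID = "sp.licences.example"


def build_demo():
    idp_a = IdentityProvider("idp.ministry-a.example", KEY_A,
        users={"alice": ("correct horse", {"role": ["clerk"], "mail": "alice@ministry-a.example",
                                            "national_id": "123456789"})},
        release_policy={SP_ID: {"role", "mail"}})  # national_id is never released
    idp_b = IdentityProvider("idp.ministry-b.example", KEY_B,
        users={"bob": ("hunter2", {"role": ["clerk"]})}, release_policy={SP_ID: {"role"}})
    sp = ServiceProvider(SP_ID, FEDERATION_KEYS, {"idp.ministry-a.example"}, "clerk")
    return idp_a, idp_b, sp
```

check_authentic and ServiceProvider.validate are kept separate because they answer the two different questions on the Credentials slide: an assertion from idp.ministry-b.example is authentic (its MAC verifies under the key the federation published) but not valid at this SP, which trusts only ministry A; the same split applies to an assertion issued for another audience or past its exp. The transient handle in sub is also why the SP has to make the second, attribute call: the authentication assertion alone tells it nothing about who the user is.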
Shibboleth disadvantages
• Only a single attribute authority (the user's home IdP) supplies attributes to the service provider.
• Subject to phishing attacks: the user is redirected to the IdP's login page to enter a password, so a look-alike IdP page can harvest it.
• No single sign-off.
• Credentials (the assertions and session cookies held by the browser) can be stolen from the browser and used by an impostor.
• By default Shibboleth identifies the user to the service only by a transient, opaque handle, so on its own it cannot serve services that need to know who the user is for personalisation; that requires the IdP to release a persistent identifying attribute.
Bibliography
1. John Wandelt, Georgia Tech Research Institute (GTRI), August 2007, www.it.ojp.gov/GFIPM
2. David Chadwick, Lecture Notes, True-Trust Ltd., 2011.
3. http://shibboleth.internet2.edu/
Summary
• In this session we discussed the following:
– Federated Identity Management, with different examples.
Thanks
Dr. Radwan Tahboub