e gov security_tut_session_9


Upload: mustafa-jarrar

Post on 10-Dec-2014



TRANSCRIPT

Page 1

PalGov © 2011

The Palestinian eGovernment Academy

www.egovacademy.ps

Security Tutorial

Session 9

Page 2

About

This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the Commission of the European Communities, grant agreement 511159-TEMPUS-1-2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.ps

Project Consortium:

University of Trento, Italy

University of Namur, Belgium

Vrije Universiteit Brussel, Belgium

TrueTrust, UK

Birzeit University, Palestine (Coordinator)

Palestine Polytechnic University, Palestine

Palestine Technical University, Palestine

Université de Savoie, France

Ministry of Local Government, Palestine

Ministry of Telecom and IT, Palestine

Ministry of Interior, Palestine

Coordinator:

Dr. Mustafa Jarrar

Birzeit University, P.O.Box 14- Birzeit, Palestine

Telfax: +972 2 2982935 [email protected]

Page 3

© Copyright Notes

Everyone is encouraged to use this material, or part of it, but should properly cite the project (logo and website), and the author of that part.

No part of this tutorial may be reproduced or modified in any form or by any means, without prior written permission from the project, who have the full copyrights on the material.

Attribution-NonCommercial-ShareAlike

CC-BY-NC-SA

This license lets others remix, tweak, and build upon your work non-commercially, as long as they credit you and license their new creations under the identical terms.

Page 4

Tutorial 5: Information Security

Session 9: Federated Identity Management (FIM)

Session 9 Outline:

• Session 9 ILOs.

• Federated Identity Management.

Page 5

Tutorial 5: Session 9: (FIM) - ILOs

This session will contribute to the following ILOs:

• A: Knowledge and Understanding

– Understanding of the concepts underlying Secure Information Systems.

– Have an understanding of the various techniques used in identity management.

– Understand the motivation, design, operation and management of modern systems for encryption, authentication, authorization and identification.

• B: Intellectual Skills

– Design end-to-end secure and available systems.

– The ability to analyze the information security requirements of an organization.

• D: Intellectual Skills

– Analysis and identification skills.


Page 7

Federated Identity Management

• Introduction

• Overview of HTTP authentication, Cookies, MS Passport and CAPTCHAs.

• Trust Domains and Access Cases.

• FIM Definitions and Concept

• FIM examples

Page 8

Introduction (1)

• There are many recognized sensitive but unclassified (SBU) networks and information systems, such as those of the different ministries and entities in Palestine.

• Each has invested in technology, governance structures, policies and trust relationships, but they are not interoperable with each other.

Page 9

Introduction (2)

• Need to ensure that the right individuals have access to the authorized resources they need, regardless of where they reside in the enterprise.

• Example: the driving license renewal example given in Tutorial 1.

Page 10

Introduction (3)

• Security and privacy of information are major impediments to information exchange and system interoperability.

• Users must subscribe to multiple sites and manage multiple security credentials in order to get access to the resources they need at different ministries.

• Expensive, frustrating for users, and not scalable.

Page 11

Federated Identity Management

• Introduction

• Overview of HTTP authentication and Cookies.

• Trust Domains and Access Cases.

• FIM Definitions and Concept

• FIM examples

Page 12

But first, some background: HTTP Cookies

• Cookies allow a web server/site to store state information for itself (often encrypted) on the user's browser.

• A site can store many cookies, and the client should return them all when it returns to the site.

• Often used to enable SSO, since the site can tell whether a user is already authenticated or not.

Page 13

HTTP Redirect and Form-POST

• HTTP Redirect allows one server to pass information to another server via the browser, as information carried in a URL.

• HTTP Form-POST: one server builds a form with an action to POST it to another server and delivers the form to the browser in the message body; the browser then submits it to the other server.

Page 14

Privacy Protection

• The user can choose to share e-mail address, name and other profile information with all participating sites (but it must be the same for all sites).

Page 15

CAPTCHAs

• Completely Automated Public Turing test to tell Computers and Humans Apart.

• Designed to stop automated user registration programs and a possible DoS attack that floods the registration process.

• The user is asked to type in some characters that most programs are incapable of reading.

Page 16

Federated Identity Management

• Introduction

• Overview of HTTP authentication and Cookies.

• Trust Domains and Access Cases.

• FIM Definitions and Concept

• FIM examples

Page 17

Trust Domains Definition

Trust domains describe the boundaries of a security infrastructure operating under a consistent set of policies, governance, and technology mechanisms.

(Figure: Trust Domain 1 and Trust Domain 2, with the relationship between them marked "?")

Page 18

Problems with Trust Domains

Problem:

• Authentication and Authorization are typically recognized only within a given trust domain, unless.....

What is required to achieve interoperability across different Trust Domains?

Page 19

Different Access Cases

• Case 1: One user accessing one application or service.

• Case 2: One user accessing many applications.

• Case 3: Many users accessing many applications.

Page 20

Case 1: One user accessing one application

Steps in provisioning access:

• Vetting (who are you?)

• Permissions (what can you access?)

• Credentials (how do I know it's you? – passwords, smart cards, etc.)

Access requires authentication of credentials.

(Figure: one user accessing one application and its services)

Page 21

Case 2: One user accessing many applications

Steps in provisioning access:

• Vetting

• Permissions

• Credentials

RESULT:

• Each application must perform all steps above (× N)

• User must keep track of N sets of credentials

(Figure: one user accessing N applications)

Page 22

Case 3: Many users accessing many applications

Steps in provisioning access:

• Vetting

• Permissions

• Credentials

RESULTS:

• Multifactor credentials & vetting become too expensive

• Vetting & credentials not done well.

• Vetting too far from user to be kept up to date effectively

• High barrier to access

(Figure: M users accessing N applications, × M × N: too many operations!!)

Page 23

If not checked correctly !!!

(Figure; source [1])

1. John Wandelt, Georgia Tech Research Institute (GTRI), August 2007, www.it.ojp.gov/GFIPM

Page 24

Proposed Solution (1)

• Provisioning of identity and user attributes (vetting and credentialing) is done with the user's own organization (× M users).

• Applications make access and authorization decisions based on trusted federation credentials and user attributes.

Page 25

Proposed Solution (2)

• Huge savings in vetting and credentialing: M << M × N

• Vetting is better – closer to the user, since the user's own organization does the vetting

• Credentialing is better – can afford multifactor

• Each user only needs one credential (Single sign-on)

• Lower barriers to access – more access.

Page 26

Federated Identity Management

• Introduction

• Overview of HTTP authentication and Cookies.

• Trust Domains and Access Cases.

• FIM Definitions and Concept

• FIM examples

Page 27

Some Definitions

• Identity:

– A whole set of attributes that in combination uniquely characterise a person

– hair colour, sound of their voice, height, name, qualifications, past actions, reputation etc.

• Attribute:

– a property, quality or characteristic of an entity

• Identifier:

– a string used to uniquely identify an entity in a domain. Often used as login id or primary key in a database. A special type of attribute since it is usually the only one on its own that can uniquely identify an entity in a domain.

– X.500/LDAP DNs, IP addresses, DNS names, URIs, key IDs, login IDs, 128 bit random numbers are all identifiers.

Page 28

Some Definitions (2)

• Attribute assertion:

– Statement made by an authority that an entity has a particular attribute. An authority can be the entity itself or a (trusted) third party.

• Attribute certificate/authorisation credential:

– Cryptographically protected (usually digitally signed) attribute assertion that can be validated

• Attribute authority (AA):

– An authoritative source for asserting attributes about entities

• Service provider:

– An entity that provides a service to clients

• Identity provider:

– An entity that provides an authentication service, and is often also an AA for a set of identity attributes of its users

Page 29

FIM Definition

From the RSA Web Site

• "A federated identity is a single user identity that can be used to access a group of web sites bound by the ties of federation. Without federated identity, users are forced to manage different credentials for every site they use. This collection of IDs and passwords becomes difficult to manage and control over time, offering inroads for identity theft."

• "Federated identity management builds on a trust relationship established between an organization and a person. A federated identity makes it possible for the end user to use one trust relationship to access information with another, related company without establishing new credentials."

Page 30

FIM Definition (cont)

• From Microsoft's web site

• "Federated systems need to interoperate across organizational boundaries and connect processes utilizing different technologies, identity storage, security approaches and programming models. Within a federated system, identities and their associated credentials are still stored, owned and managed separately. Each individual member of the federation continues to manage its own identities, but is capable of securely sharing and accepting identities and credentials from other members' sources."

• From IBM Tivoli's web site

• "Federated identity management can be defined as an industry framework built on top of industry standards that let subscribers from disparate organizations use their internal identification data to obtain access to the networks of all enterprises in the group".

• SO WHAT IS FIM?

Page 31

FIM Process

• Identifiers are assigned within a domain to uniquely identify an entity. They usually have no meaning outside of the domain of issuance.

• FIM requires identity information to be passed between domains, therefore

– We need to pass (signed) attribute assertions between domains in order to identify and authorise users between domains.

– FIM is not just Single Sign On, although SSO is part of FIM. Why?

Page 32

A better FIM Definition

• A group of organisations (ministries, associations, municipalities etc.) that set up trust relationships which allow them to send attribute assertions about users' identities between themselves, in order to grant users access to their resources.

• A user can use his credentials (with the AAA concept) from one or more identity providers to gain access to other sites (service providers) within the federation.

• Can we use it for e-gov in Palestine?!

Page 33

User-to-Application (figure)

Page 34

System-to-System (figure)

Page 35

Credentials

• Authentic credentials are ones that have not been tampered with and are received exactly as issued by the issuing authority.

• Valid credentials are ones that are trusted for use by the target resource site.

Page 36

Federated Identity Management

• Introduction

• Overview of HTTP authentication and Cookies.

• Trust Domains and Access Cases.

• FIM Definitions and Concept

• FIM Examples.

Page 37

FIM Examples

• Old Systems

– Microsoft's Passport

– UK Athens

• Current FIM Systems

– Shibboleth

– OAuth

– Liberty Alliance

– CardSpace

– Higgins

– OpenID

Page 38

Example 1: Microsoft's .NET Passport

• .NET Passport is an authentication system that allows users to access multiple sites using the same credentials.

• Each site remains in charge of its own authorisation, and may use Passport information to help in this.

• How does it work? Users register at a site, but their credentials and profile information are stored centrally by Microsoft at the Passport server. This means that sites must trust Microsoft to hold user credentials and authenticate users correctly.

Page 39

The Registration Process

The Passport site stores the user's credential and profile information, and allocates the user a unique 64-bit Passport User ID (PUID).

Page 40

Credentials referenced by the Passport UID (PUID)

• The following are mandatory: e-mail address (unique identifier) and password.

• The following are optional: secret questions and answers, mobile phone number and PIN, security key.

• The following attributes are stored by Passport if the participating sites require it, and are shared between sites if the user opts in:

– Birth Date, Country / Region, First Name, Gender, Last Name, Occupation, Postal Code, Preferred Language, State, Time Zone

Page 41

.NET Passport Authentication (figure)

Page 42

Intra-Site Authentication Process

• When a user moves to another Participating Site (step 1), the site redirects the user to the Passport site (step 2).

• The user's client sends the Authentication cookie and Profile cookie to Passport during the redirection. Passport then knows the user has already successfully authenticated (modified step 2).

Page 43

Intra-Site Authentication Process (cont)

• The Participating Sites cookie on the user's machine is updated by Passport, and the user is redirected back to the Participating Site (step 5).

• The Participating Site receives the encrypted tokens from Passport and knows the user has been authenticated (step 6).

• When the user logs out of Passport, all cookies are deleted, and the Participating Sites cookie is used to clean up all the Participating Sites' computers.
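To make the cookie flow of the two Intra-Site Authentication Process slides concrete, here is an added simulation written for this tutorial (it is not Microsoft's protocol or code): a per-domain cookie jar, a Passport server that recognises an already-authenticated browser by the cookies it sends, issues a site-bound token, and uses the Participating Sites cookie to clean up at logout. All domains, cookie names, keys and the HMAC token format are assumptions; the HMAC token stands in for Passport's encrypted tokens.

```python
"""Passport-style SSO carried by browser cookies, simulated in-process.
Domains, cookie names and the token format are constructed for this example;
the HMAC-keyed token stands in for Passport's encrypted tokens."""
import hashlib, hmac, secrets

PASSPORT = "passport.example"
SITE_KEYS = {"cars.example": b"key-cars", "hotel.example": b"key-hotel"}  # per-site keys

class Browser:
    """Per-domain cookie jar: a site only ever receives its own cookies."""
    def __init__(self):
        self.jar = {}
    def cookies(self, domain):
        return self.jar.setdefault(domain, {})

class Passport:
    def __init__(self):
        self.users = {"amal@example": ("hunter2", "puid-00d2")}  # email -> (password, PUID)
        self.sessions = {}                                       # auth cookie -> PUID

    def login(self, browser, email, password):
        pw, puid = self.users.get(email, (None, None))
        if pw is None or not hmac.compare_digest(pw, password):
            return False
        c = browser.cookies(PASSPORT)
        c["auth"] = secrets.token_hex(8)      # Authentication cookie
        c["profile"] = email                  # Profile cookie
        c["sites"] = []                       # Participating Sites cookie
        self.sessions[c["auth"]] = puid
        return True

    def visit_via_redirect(self, browser, site):
        """Steps 2-5: a site redirected the browser here; Passport cookies ride along."""
        c = browser.cookies(PASSPORT)
        puid = self.sessions.get(c.get("auth"))
        if puid is None:
            return None                       # not signed in: Passport would show its login form
        if site not in c["sites"]:
            c["sites"].append(site)           # remembered for single sign-off
        body = f"{puid}|{site}"               # token bound to this site, checkable with its key
        return body + "|" + hmac.new(SITE_KEYS[site], body.encode(), hashlib.sha256).hexdigest()

    def logout(self, browser):
        """All Passport cookies are deleted; the sites cookie drives the clean-up."""
        c = browser.cookies(PASSPORT)
        cleaned = list(c.get("sites", []))
        self.sessions.pop(c.get("auth"), None)
        for site in cleaned:
            browser.cookies(site).clear()
        c.clear()
        return cleaned

def site_accept_token(site, browser, token):
    """Step 6: the site checks the token delivered by the redirect and starts its own session."""
    puid, token_site, mac = token.split("|")
    body = f"{puid}|{token_site}"
    expect = hmac.new(SITE_KEYS[site], body.encode(), hashlib.sha256).hexdigest()
    if token_site != site or not hmac.compare_digest(expect, mac):
        return None
    browser.cookies(site)["session"] = puid
    return puid
```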

Page 44

Disadvantages of MS Passport?

• All user transactions have to involve Microsoft, as it is responsible for authenticating all users.

• Why should Microsoft be involved in a federation between a car hire company and a hotel? It might be OK for Microsoft-related site federations such as Hotmail and MSN, but not for all federations between all commercial companies.

• Also, the protocol used by Passport was developed by Microsoft and therefore was not an international standard.

• Passport has now been superseded by Windows Live ID, which is an identity meta-system that provides support for Passport, CardSpace and OpenID.

Page 45

Example 2: Shibboleth

• Internet2 consortium project.

• Uses an OASIS standard protocol (SAML) for authentication at the home site and authorisation via a set of user attributes provided by the home site.

• Provides users access to remote resources.

Page 46

Shibboleth Access Stages

• Obtaining an authentication assertion for a user from his home site (IdP).

• Using this to get a set of attribute assertions for the user.

• The two messages can be combined into one exchange to make the protocol more efficient.
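As an added example (not part of the tutorial or of Shibboleth itself) tying the two access stages above to the FIM Process slide (signed attribute assertions passed between domains) and the Credentials slide (authentic versus valid): a simulated IdP, attribute authority and SP in Python. All names, keys and the HMAC signature are constructed stand-ins; the SP checks each assertion first for authenticity (signature intact) and then for validity (issuer on its trust list, correct audience, within lifetime) before deciding on the released attributes.

```python
"""Shibboleth-style two-stage access, simulated in-process: the IdP issues a signed
authn assertion, the SP checks it is authentic and valid, then queries the attribute
authority and decides. Names and keys are constructed; HMAC stands in for a SAML signature."""
import hashlib, hmac, json, secrets
SP = "sp.transport.example"                  # constructed service provider
IDP = "idp.ministry-a.example"               # constructed home site (IdP and AA)
# Federation metadata: issuer -> signing key. A real federation publishes public
# keys; a shared HMAC key stands in here so the example runs offline.
FEDERATION_KEYS = {IDP: b"idp-a-signing-key", "idp.other.example": b"other-key"}
SP_TRUSTED_ISSUERS = {IDP}                   # this SP's own trust list

def sign(issuer, claims):
    body = json.dumps(claims, sort_keys=True)
    sig = hmac.new(FEDERATION_KEYS[issuer], body.encode(), hashlib.sha256).hexdigest()
    return {"issuer": issuer, "body": body, "sig": sig}

def is_authentic(assertion):
    """Authentic: received exactly as issued, i.e. the signature is intact."""
    key = FEDERATION_KEYS.get(assertion["issuer"])
    if key is None:
        return False
    expect = hmac.new(key, assertion["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expect, assertion["sig"])

def is_valid(assertion, now):
    """Valid: trusted for use by this SP (issuer, audience and lifetime)."""
    claims = json.loads(assertion["body"])
    return (assertion["issuer"] in SP_TRUSTED_ISSUERS
            and claims.get("audience") == SP
            and claims.get("not_before", 0) <= now < claims.get("expires", 0))

# Identity provider side (stage 1): authenticate, issue a signed authn assertion.
USERS = {"amal": {"password": "correct-horse", "role": "civil_servant"}}
HANDLES = {}                                 # opaque handle -> local login id

def idp_authenticate(username, password, audience, now):
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    handle = secrets.token_hex(8)            # pseudonymous: the SP never sees the login id
    HANDLES[handle] = username
    return sign(IDP, {"subject": handle, "audience": audience,
                      "not_before": now, "expires": now + 300})

# Attribute authority side (stage 2): release attributes for a known handle.
def aa_attribute_query(handle, audience, now):
    username = HANDLES.get(handle)
    if username is None:
        return None
    return sign(IDP, {"subject": handle, "audience": audience, "not_before": now,
                      "expires": now + 300, "attributes": {"role": USERS[username]["role"]}})

# Service provider side: verify both assertions, then decide on the attributes.
def sp_authorise(authn_assertion, now, required_role="civil_servant"):
    if not (is_authentic(authn_assertion) and is_valid(authn_assertion, now)):
        return False
    handle = json.loads(authn_assertion["body"])["subject"]
    attrs = aa_attribute_query(handle, SP, now)
    if attrs is None or not (is_authentic(attrs) and is_valid(attrs, now)):
        return False
    return json.loads(attrs["body"])["attributes"].get("role") == required_role
```

An assertion from a federation member the SP does not list is authentic but not valid, which is exactly the distinction the Credentials slide draws.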

Page 47

User Authentication using Shibboleth [2]

(Figure: the User, the SHIB SP in front of the Web Service, the WAYF, and the Identity Provider containing the Authentication Service and the Attribute Authority; step 5 returns a signed authn assertion, followed by step 6.)

Page 48

The WAYF Service (figure)

Page 49

Authorization using Shibboleth [2]

(Figure: the User, the SHIB SP and Web Service, the SHIB IdP with its Authn Service and AA Server, and the Authz service; step 9 returns the attributes, followed by step 10.)

Page 50

Shibboleth disadvantages

• Single attribute authority to the service provider.

• Subject to phishing attacks.

• No single sign off.

• Credentials can be stolen from a browser and used by an imposter.

• Shibboleth cannot be used for services that need to know who the user is for service personalisation.

Page 51

Bibliography

1. John Wandelt, Georgia Tech Research Institute (GTRI), August 2007, www.it.ojp.gov/GFIPM

2. Lecture Notes by David Chadwick, 2011, True-Trust Ltd.

3. http://shibboleth.internet2.edu/

Page 52

Summary

• In this session we discussed the following:

– Federated Identity Management, with different examples.

Page 53

Thanks

Dr. Radwan Tahboub