TrustBearer - CTST 2009 - OpenID & Strong Authentication
â˘
3 gefällt mirâ˘3,054 views
This presentation was given at the Card Tech Secure Tech (CTST) Conference on May 5, 2009 in New Orleans, LA. Brian Kelly was on a panel with Gilles Lisimaque, Siddharth Bajaj and Michael Poitner to discuss emerging technologies in Smart Cards, Tokens & Digital Identity
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Andere mochten auch
Andere mochten auch (13)
Ăhnlich wie TrustBearer - CTST 2009 - OpenID & Strong Authentication
Ăhnlich wie TrustBearer - CTST 2009 - OpenID & Strong Authentication (20)
KĂźrzlich hochgeladen
KĂźrzlich hochgeladen (20)
TrustBearer - CTST 2009 - OpenID & Strong Authentication
- 1. OpenID & Strong Authentication CTST 2009: Emerging Technology D14: Smart Cards,Tokens & Digital Identity May 5, 2009 Brian Kelly Vice President TrustBearer Labs
- 2. Simplify Multi-factor authentication can be made easier to use and implement by utilizing Web Single Sign On (SSO) standards SAML 2
- 3. SAML ⢠Consumer focused ⢠Enterprise focused ⢠On-the-ďŹy- ⢠Bulk-provisioning (on- provisioning the-ďŹy supported) ⢠Many identity ⢠Identity Provider is providers available internal to online for consumers organization to choose (typically) ⢠Mostly open-source, ⢠Commercial and OS and COTS services products available 3
- 4. How does SAML work? veriďŹes signed assertions User is logged-in to creates signed App 1 web app Login Web Page assertions user SAML ID App 2 user Provider user authenticates users App 3 Other SAML Service Providers LDAP (consumers) Auth. 4
- 5. How does OpenID work? Consumer Web App Web app User is logged-in Page Login veriďŹes previously to web app user enrolled OpenID Consumer user Web App OpenID user Relying Party (consumer) User authenticates to IDP and enables account to be used with consumer site 5
- 6. End-point authentication is agnostic of SSO standard All methods can be supported by SAML or OpenID ⢠username / password ⢠one time password (OTP) tokens ⢠smart cards (e.g. PIV, CAC, FRAC) ⢠TPM ⢠client digital certiďŹcates ⢠information cards ⢠biometrics ⢠image veriďŹcation 6
- 7. Identity Provider offers end- point authentication options ⢠Google,Yahoo, AOL: password ⢠myOpenID: password, phone verify, client certiďŹcate, info card ⢠VeriSign PIP: OTP, client certiďŹcate, info card, EV SSL ⢠TrustBearer: smart cards (CAC, PIV, etc.), biometrics ⢠Vidoop: Image recognition (CAPTCHA) The IdP can specify authentication methods used to the RP, which can even request preferences. 7
- 8. What authentication method to choose? 8
- 9. Required Protections for OMBâs E-Auth Assurance Levels Level 1 Level 2 Level 3 Level 4 Protect against â â â â On-line guessing Replay â â â â Eavesdropper â â â VeriďŹer impersonation â â â Man-in-the-middle â â Session hijacking â From NIST SP 800-63 p. 39 9
- 10. Token Types Allowed At Each Assurance Level Level 1 Level 2 Level 3 Level 4 Token Type Hard Crypto Token â â â â â â â One-time password device Soft crypto token â â â Passwords & PINs â â From NIST SP 800-63 p. 39 10
- 11. OpenID Provider Authentication Policy Extension (PAPE) ⢠Provides a way for Relying Parties to request / view authentication policies of Identity Provider ⢠Policies: Phishing-resistant, Multi-Factor, and Physical Multi-Factor ⢠Preferred authentication levels e.g. NIST: 1, 2, 3, 4 SAML also allows authentication attributes to be added to a message 11
- 12. TrustBearer OpenID What we do What we could do ⢠Challenge/response with ⢠Path validation & PIN or Bio veriďŹcation revocation checking ⢠Allow multiple tokens ⢠Use SReg to transmit per account data on card ⢠Implement PAPE ⢠Allow RPs to request certain smart cards or ⢠No username / password tokens be used option ⢠More SAML Support ⢠Some SAML support 12
- 13. How Government OpenID with smart card auth could work Citizen Web App OpenID + Sreg + PAPE Citizen is logged-in Page Login Data sent to Govât Web app, to web app user Info is veriďŹed U.S. Govât Govât Web user App OpenID user Relying Party Web app (RP) includes (consumer) U.S. Govât OpenID Provider on itâs trusted list Path Validation & User is directed to government CertiďŹcate Revocation OpenID provider, which uses CAC / PIV Checking Smart card to authenticate user 13
- 14. âIn-the-cloudâ strong-auth beneďŹts over traditional Client Auth with SSL ⢠Less infrastructure / less coding ⢠Path validation & revocation checking work is ofďŹoaded to Identity Provider ⢠Authentication methods can scale up and down depending on application needs ⢠Non-cert data on smart card becomes useful (e.g. healthcare) 14
- 15. Questions? https://openid.trustbearer.com Brian Kelly brian.kelly@trustbearer.com twitter.com/TrustBearer Vice President TrustBearer Labs