E gov security_tut_session_9
- 2. About
This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the Commission of the European Communities, grant agreement 511159-TEMPUS-1-2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.ps
Project Consortium:
Birzeit University, Palestine (Coordinator)
Palestine Polytechnic University, Palestine
Palestine Technical University, Palestine
Ministry of Telecom and IT, Palestine
Ministry of Interior, Palestine
Ministry of Local Government, Palestine
University of Trento, Italy
Vrije Universiteit Brussel, Belgium
Université de Savoie, France
University of Namur, Belgium
TrueTrust, UK
Coordinator:
Dr. Mustafa Jarrar
Birzeit University, P.O.Box 14- Birzeit, Palestine
Telfax: +972 2 2982935, mjarrar@birzeit.edu
PalGov © 2011 2
- 3. © Copyright Notes
Everyone is encouraged to use this material, or part of it, but should properly cite the project (logo and website), and the author of that part.
No part of this tutorial may be reproduced or modified in any form or by any means, without prior written permission from the project, who have the full copyrights on the material.
Attribution-NonCommercial-ShareAlike (CC-BY-NC-SA)
This license lets others remix, tweak, and build upon your work non-commercially, as long as they credit you and license their new creations under the identical terms.
- 4. Tutorial 5: Information Security
Session 9: Federated Identity Management (FIM)
Session 9 Outline:
• Session 9 ILOs.
• Federated Identity Management.
- 5. Tutorial 5: Session 9: (FIM) - ILOs
This session will contribute to the following ILOs:
• A: Knowledge and Understanding
– Understanding of the concepts underlying secure information systems.
– Have an understanding of the various techniques used in identity management.
– Understand the motivation, design, operation and management of modern systems for encryption, authentication, authorization and identification.
• B: Intellectual Skills
– Design end-to-end secure and available systems.
– The ability to analyze the information security requirements of an organization.
• D: Intellectual Skills
– Analysis and identification skills.
- 7. Federated Identity Management.
• Introduction
• Overview of HTTP authentication, cookies, MS Passport and CAPTCHAs.
• Trust Domains and Access Cases.
• FIM Definitions and Concept.
• FIM examples.
- 8. Introduction (1)
• There are many recognized sensitive but unclassified (SBU) networks and information systems, such as those of the different ministries and entities in Palestine.
• Each has invested in technology, governance structures, policies and trust relationships, but they are not interoperable with each other.
- 9. Introduction (2)
• We need to ensure that the right individuals have access to the authorized resources they need, regardless of where they reside in the enterprise.
• Example: the driving license renewal example given in tutorial 1.
- 10. Introduction (3)
• Security and privacy of information are major impediments to information exchange and system interoperability.
• Users must subscribe to multiple sites and manage multiple security credentials in order to get access to the resources they need at different ministries.
• This is expensive, frustrating for users, and not scalable.
- 11. Federated Identity Management.
• Introduction
• Overview of HTTP authentication and cookies.
• Trust Domains and Access Cases.
• FIM Definitions and Concept.
• FIM examples.
- 12. But first, some background information: HTTP Cookies
• Cookies allow a web server/site to store state information for itself (often encrypted) on the user’s browser.
• A site can store many cookies, and the client should return them all when it returns to the site.
• Cookies are often used to enable SSO, since the site can tell whether a user is already authenticated or not.
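The following is an added example, not code from the original tutorial, showing how a site can keep the SSO state mentioned above in a cookie without the browser being able to alter it. It uses an HMAC tag over the cookie payload, a simplification of the encryption the slide mentions: the payload stays readable in the browser, but it cannot be changed without the server's secret. The secret, user ID and timestamps are constructed sample values; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Server-side secret: only the issuing site knows it (constructed sample value).
COOKIE_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the value is safe inside a Set-Cookie header."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_cookie(user_id: str, authenticated: bool, ttl_seconds: int = 3600,
                         now: Optional[float] = None) -> str:
    """Build a tamper-evident cookie value: base64(payload) + "." + base64(HMAC tag).

    The payload stays readable in the browser, but any change to it invalidates the
    tag, so the site can later trust the SSO state it wrote (who is logged in, until when).
    """
    now = time.time() if now is None else now
    payload = json.dumps({"uid": user_id, "authn": authenticated,
                          "exp": int(now + ttl_seconds)},
                         separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(COOKIE_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def read_session_cookie(cookie: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the tag verifies and the cookie has not expired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:            # wrong shape or invalid base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(COOKIE_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison of the tags
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("exp", 0) <= now:
        return None
    return data


def modified_copy(cookie: str, new_user_id: str) -> str:
    """Rewrite the payload without knowing the secret, keeping the old tag (what a client could do)."""
    payload_b64, tag_b64 = cookie.split(".", 1)
    data = json.loads(_unb64(payload_b64))
    data["uid"] = new_user_id
    forged = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64(forged)}.{tag_b64}"


if __name__ == "__main__":
    cookie = issue_session_cookie("alice", True)
    print("as issued:", read_session_cookie(cookie))
    print("after client-side edit:", read_session_cookie(modified_copy(cookie, "admin")))
```

The second print shows `None`: the edited copy still carries the original tag, so the HMAC check fails and the site treats the browser as not authenticated. Expiry is checked server-side from the signed `exp` field rather than from the cookie's own `Max-Age`, which the client also controls.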
- 13. HTTP Redirect and Form-POST
• HTTP Redirect allows one server to pass information to another server via the browser, as information in a URL.
• HTTP Form-POST: one server builds a form with an action to POST it to another server and delivers the form to the browser in the message body; the browser then submits it to the other server.
- 14. Privacy Protection
• The user can choose to share e-mail address, name and other profile information with all participating sites (but it must be the same for all sites).
- 15. CAPTCHAs
• Completely Automated Public Turing test to tell Computers and Humans Apart.
• Designed to stop automated user registration programs and a possible DoS attack that floods the registration process.
• The user is asked to type in some characters that most programs are incapable of reading.
- 16. Federated Identity Management.
• Introduction
• Overview of HTTP authentication and cookies.
• Trust Domains and Access Cases.
• FIM Definitions and Concept.
• FIM examples.
- 17. Trust Domains Definition
Trust domains describe the boundaries of a security infrastructure operating under a consistent set of policies, governance, and technology mechanisms.
[Figure: Trust Domain 1 and Trust Domain 2, with a question mark between them]
- 18. Problems with Trust Domains
Problem:
• Authentication and authorization are typically recognized only within a given trust domain, unless.....
What is required to achieve interoperability across different trust domains?
- 19. Different Access Cases
• Case 1: One user accessing one application or service.
• Case 2: One user accessing many applications.
• Case 3: Many users accessing many applications.
- 20. Case 1: One user accessing one application
Steps in provisioning access:
• Vetting (who are you?)
• Permissions (what can you access?)
• Credentials (how do I know it’s you? – passwords, smart cards, etc.)
Access requires authentication of credentials.
[Figure: the user accessing the application/services]
- 21. Case 2: One user accessing many applications
Steps in provisioning access (×N):
• Vetting
• Permissions
• Credentials
RESULT:
• Each application must perform all the steps above.
• The user must keep track of N sets of credentials.
- 22. Case 3: Many users accessing many applications
Steps in provisioning access (×M×N – too many operations!!):
• Vetting
• Permissions
• Credentials
RESULTS:
• Multifactor credentials & vetting become too expensive.
• Vetting & credentials are not done well.
• Vetting is too far from the user to be kept up to date effectively.
• High barrier to access.
- 23. If not checked correctly!!!
[Figure, source: 1. John Wandelt, Georgia Tech Research Institute (GTRI), August 2007, www.it.ojp.gov/GFIPM]
- 24. Proposed Solution (1)
• Provisioning of identity and user attributes (vetting and credentialing) is done by the user’s own organization (×M users).
• Applications make access and authorization decisions based on trusted federation credentials and user attributes.
- 25. Proposed Solution (2)
• Huge savings in vetting and credentialing: M << M×N.
• Vetting is better – it is closer to the user, since the user’s own organization does the vetting.
• Credentialing is better – multifactor credentials become affordable.
• Each user only needs one credential (single sign-on).
• Lower barriers to access – more access.
- 26. Federated Identity Management.
• Introduction
• Overview of HTTP authentication and cookies.
• Trust Domains and Access Cases.
• FIM Definitions and Concept.
• FIM examples.
- 27. Some Definitions
• Identity:
– A whole set of attributes that in combination uniquely characterise a person: hair colour, sound of their voice, height, name, qualifications, past actions, reputation etc.
• Attribute:
– A property, quality or characteristic of an entity.
• Identifier:
– A string used to uniquely identify an entity in a domain. Often used as a login ID or primary key in a database. A special type of attribute, since it is usually the only one that on its own can uniquely identify an entity in a domain.
– X.500/LDAP DNs, IP addresses, DNS names, URIs, key IDs, login IDs and 128-bit random numbers are all identifiers.
- 28. Some Definitions (2)
• Attribute assertion:
– A statement made by an authority that an entity has a particular attribute. An authority can be the entity itself or a (trusted) third party.
• Attribute certificate/authorisation credential:
– A cryptographically protected (usually digitally signed) attribute assertion that can be validated.
• Attribute authority (AA):
– An authoritative source for asserting attributes about entities.
• Service provider:
– An entity that provides a service to clients.
• Identity provider:
– An entity that provides an authentication service, and is often also an AA for a set of identity attributes of its users.
- 29. FIM Definition
From the RSA Web Site:
• “A federated identity is a single user identity that can be used to access a group of web sites bound by the ties of federation. Without federated identity, users are forced to manage different credentials for every site they use. This collection of IDs and passwords becomes difficult to manage and control over time, offering inroads for identity theft.”
• “Federated identity management builds on a trust relationship established between an organization and a person. A federated identity makes it possible for the end user to use one trust relationship to access information with another, related company without establishing new credentials.”
- 30. FIM Definition (cont)
• From Microsoft’s web site:
“Federated systems need to interoperate across organizational boundaries and connect processes utilizing different technologies, identity storage, security approaches and programming models. Within a federated system, identities and their associated credentials are still stored, owned and managed separately. Each individual member of the federation continues to manage its own identities, but is capable of securely sharing and accepting identities and credentials from other members' sources.”
• From IBM Tivoli’s web site:
“Federated identity management can be defined as an industry framework built on top of industry standards that let subscribers from disparate organizations use their internal identification data to obtain access to the networks of all enterprises in the group”.
• So what is FIM?
- 31. FIM Process
• Identifiers are assigned within a domain to uniquely identify an entity. They usually have no meaning outside of the domain of issuance.
• FIM requires identity information to be passed between domains, therefore:
– We need to pass (signed) attribute assertions between domains in order to identify and authorise users between domains.
– FIM is not just Single Sign On, although SSO is part of FIM. Why?
- 32. A better FIM Definition
• A group of organisations (ministries, associations, municipalities etc.) that set up trust relationships which allow them to send attribute assertions about users’ identities between themselves, in order to grant users access to their resources.
• A user can use his credentials (with the AAA concept) from one or more identity providers to gain access to other sites (service providers) within the federation.
• Can we use it for e-gov in Palestine?
- 35. Credentials
• Authentic credentials are ones that have not been tampered with and are received exactly as issued by the issuing authority.
• Valid credentials are ones that are trusted for use by the target resource site.
- 36. Federated Identity Management.
• Introduction
• Overview of HTTP authentication and cookies.
• Trust Domains and Access Cases.
• FIM Definitions and Concept.
• FIM Examples.
- 37. FIM Examples
• Old Systems
– Microsoft’s Passport
– UK Athens
• Current FIM Systems
– Shibboleth
– OAuth
– Liberty Alliance
– CardSpace
– Higgins
– OpenID
- 38. Example 1: Microsoft’s .NET Passport
• .NET Passport is an authentication system that allows users to access multiple sites using the same credentials.
• Each site remains in charge of its own authorisation, and may use Passport information to help in this.
• How does it work? Users register at a site, but their credentials and profile information are stored centrally by Microsoft at the Passport server. This means that sites must trust Microsoft to hold user credentials and authenticate users correctly.
- 39. The Registration Process
The Passport site stores the user’s credential and profile information, and allocates the user a unique 64-bit Passport User ID (PUID).
- 40. Credentials referenced by the Passport User ID (PUID)
• The following are mandatory: e-mail address (unique identifier) and password.
• The following are optional: secret questions and answers, mobile phone number and PIN, security key.
• The following attributes are stored by Passport if the participating sites require it, and are shared between sites if the user opts in:
– Birth Date, Country / Region, First Name, Gender, Last Name, Occupation, Postal Code, Preferred Language, State, Time Zone.
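An added example, not code from the original tutorial or from Microsoft, showing in Python the registration-side behaviour the last two slides describe: a central store allocates a random 64-bit PUID, keeps the e-mail address and a salted password hash as the mandatory credential, stores only the agreed profile attributes, and releases attributes to a participating site only if that site requires them and the user has opted in for that site. The class, attribute names and sample values are constructed for illustration; the optional secret-question, phone/PIN and security-key credentials are not modelled.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Set

# Profile attributes the slide lists as shareable with participating sites (opt-in).
SHAREABLE_ATTRIBUTES = {"birth_date", "country_region", "first_name", "gender", "last_name",
                        "occupation", "postal_code", "preferred_language", "state", "time_zone"}
PBKDF2_ROUNDS = 100_000   # work factor for the password hash


class PassportStore:
    """Central credential and profile store, keyed by a random 64-bit PUID (constructed example)."""

    def __init__(self) -> None:
        self._users: Dict[int, dict] = {}
        self._puid_by_email: Dict[str, int] = {}

    def register(self, email: str, password: str, profile: Optional[dict] = None) -> int:
        """Store a salted password hash plus the shareable subset of the profile; return the PUID."""
        email = email.strip().lower()          # the e-mail address is the unique identifier
        if email in self._puid_by_email:
            raise ValueError("e-mail address already registered")
        puid = secrets.randbits(64)
        while puid in self._users:             # guarantee uniqueness across the store
            puid = secrets.randbits(64)
        salt = os.urandom(16)
        self._users[puid] = {
            "email": email,
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            # anything outside the agreed attribute set is dropped rather than stored
            "profile": {k: v for k, v in (profile or {}).items() if k in SHAREABLE_ATTRIBUTES},
            "opted_in_sites": set(),
        }
        self._puid_by_email[email] = puid
        return puid

    def authenticate(self, email: str, password: str) -> Optional[int]:
        """Return the PUID on success; None for an unknown address or a wrong password alike."""
        puid = self._puid_by_email.get(email.strip().lower())
        if puid is None:
            return None
        rec = self._users[puid]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        return puid if hmac.compare_digest(candidate, rec["pw_hash"]) else None

    def opt_in(self, puid: int, site: str) -> None:
        """Record the user's consent to share profile attributes with one participating site."""
        self._users[puid]["opted_in_sites"].add(site)

    def attributes_for_site(self, puid: int, site: str, required: Set[str]) -> dict:
        """Release only what the site requires, and only if the user opted in for that site."""
        rec = self._users[puid]
        if site not in rec["opted_in_sites"]:
            return {}
        return {k: rec["profile"][k] for k in required if k in rec["profile"]}


if __name__ == "__main__":
    store = PassportStore()
    puid = store.register("alice@example.test", "correct horse battery",
                          {"first_name": "Alice", "country_region": "PS", "shoe_size": 38})
    print(f"PUID {puid:#018x}, login ok:",
          store.authenticate("alice@example.test", "correct horse battery") == puid)
    store.opt_in(puid, "hotel.example")
    print(store.attributes_for_site(puid, "hotel.example",
                                    {"first_name", "country_region", "gender"}))
```

Two points the code makes concrete: the store never holds the password itself, only a per-user salted PBKDF2 hash compared in constant time, and attribute release is the intersection of three sets (what the user supplied, what the site requires, and what the user consented to for that site), so the `shoe_size` value is dropped at registration and `gender` is not released because it was never stored.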
- 42. Intra-Site Authentication Process
• When a user moves to another Participating Site (step 1), the site redirects the user to the Passport site (step 2).
• The user’s client sends the Authentication cookie and Profile cookie to Passport during redirection. Passport then knows the user has already successfully authenticated (modified step 2).
- 43. Intra-Site Authentication Process
• The Participating Sites cookie on the user’s machine is updated by Passport and the user is redirected back to the Participating Site (step 5).
• The Participating Site receives the encrypted tokens from Passport and knows the user has been authenticated (step 6).
• When the user logs out of Passport, all cookies are deleted and the Participating Sites cookie is used to clean up all the participating sites’ computers.
- 44. Disadvantages of MS Passport
• All user transactions have to involve Microsoft, as it is responsible for authenticating all users.
• Why should Microsoft be involved in a federation between a car hire company and a hotel? It might be OK for Microsoft-related site federations such as Hotmail and MSN, but not for all federations between all commercial companies.
• Also, the protocol used by Passport was developed by Microsoft and therefore was not an international standard.
• Passport has now been superseded by Windows Live ID, which is an identity meta-system that provides support for Passport, CardSpace and OpenID.
- 45. Example 2: Shibboleth
• Internet2 consortium project.
• Uses an OASIS standard protocol (SAML) for authentication at the home site and authorisation via a set of user attributes provided by the home site.
• Provides users access to remote resources.
- 46. Shibboleth Access Stages
• Obtaining an authentication assertion for a user from his home site (IdP).
• Using this to get a set of attribute assertions for the user.
• The two messages can be combined into one exchange to make the protocol more efficient.
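The redirect and form-POST mechanisms of slide 13, the signed attribute assertions of the FIM process (slide 31), the authentic/valid distinction of slide 35 and the two Shibboleth access stages above, put together as an added example that is not part of the tutorial and is not code from the Shibboleth project. It is a self-contained Python sketch of a SAML-style exchange between a service provider (SP) and an identity provider (IdP) with the browser in between, combining the authentication and attribute assertions into one message as the slide describes. All entity IDs, URLs, keys, user IDs and attributes are constructed; an HMAC over the JSON assertion, keyed with a per-IdP secret taken from the federation metadata, stands in for the XML digital signature and IdP public key a real deployment would use, and the IdP's local authentication of the user is assumed to have happened before `issue_assertion` is called.

```python
import base64
import hashlib
import hmac
import html
import json
import re
import secrets
import time
import urllib.parse
from typing import Dict, Optional


def browser_follow_redirect(redirect_url: str) -> str:
    """Stand-in for the browser following the redirect: the query string the IdP receives."""
    return urllib.parse.urlsplit(redirect_url).query


def build_post_form(action_url: str, token: str) -> str:
    """HTTP Form-POST binding: the IdP hands the browser a self-submitting form for the SP."""
    return (f'<form method="post" action="{html.escape(action_url)}"><input type="hidden" '
            f'name="assertion" value="{html.escape(token)}"/></form>'
            '<script>document.forms[0].submit()</script>')


def browser_submit(form_html: str) -> str:
    """Stand-in for the browser submitting the form: the URL-encoded POST body the SP receives."""
    token = html.unescape(re.search(r'name="assertion" value="([^"]*)"', form_html).group(1))
    return urllib.parse.urlencode({"assertion": token})


class IdentityProvider:
    """Home site (IdP): asserts who the user is and which attributes they hold."""

    def __init__(self, entity_id: str, signing_key: bytes):
        self.entity_id, self.signing_key = entity_id, signing_key

    def issue_assertion(self, query: str, uid: str, attrs: Dict[str, object],
                        now: Optional[float] = None) -> str:
        # Local authentication of `uid` (password, smart card, ...) is assumed to have
        # already succeeded; only the cross-domain part of the flow is shown here.
        params = dict(urllib.parse.parse_qsl(query))
        now = int(time.time() if now is None else now)
        assertion = {"issuer": self.entity_id, "audience": params["sp"],
                     "in_response_to": params["request_id"], "subject": uid,
                     "authn_instant": now, "not_on_or_after": now + 300, "attributes": attrs}
        body = json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()
        # An HMAC with a per-IdP secret stands in for the IdP's XML digital signature.
        sig = hmac.new(self.signing_key, body, hashlib.sha256).hexdigest()
        return build_post_form(params["target"], base64.b64encode(body).decode() + "." + sig)


class ServiceProvider:
    """Target site (SP): trusts only the issuers listed in the federation metadata."""

    def __init__(self, entity_id: str, acs_url: str, federation: Dict[str, bytes]):
        self.entity_id, self.acs_url, self.federation = entity_id, acs_url, federation
        self.pending: Dict[str, str] = {}   # request_id -> resource the user asked for

    def start_login(self, idp_login_url: str, resource: str) -> str:
        """HTTP Redirect binding: send the browser to the IdP with the request in the URL."""
        request_id = secrets.token_hex(8)
        self.pending[request_id] = resource
        query = urllib.parse.urlencode({"sp": self.entity_id, "target": self.acs_url,
                                        "request_id": request_id})
        return f"{idp_login_url}?{query}"

    def consume_assertion(self, form_body: str, now: Optional[float] = None) -> dict:
        """Accept the posted assertion only if authentic (signature) and valid (trusted
        issuer, addressed to us, not expired, answering a request we actually made)."""
        now = time.time() if now is None else now
        fields = dict(urllib.parse.parse_qsl(form_body))
        try:
            body_b64, sig = fields["assertion"].split(".", 1)
            body = base64.b64decode(body_b64, validate=True)
            assertion = json.loads(body)
            if not isinstance(assertion, dict):
                raise ValueError("assertion is not an object")
        except (KeyError, ValueError):
            return {"ok": False, "reason": "malformed"}
        key = self.federation.get(assertion.get("issuer"))
        if key is None:
            return {"ok": False, "reason": "issuer not in federation"}
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return {"ok": False, "reason": "bad signature"}
        if assertion.get("audience") != self.entity_id:
            return {"ok": False, "reason": "wrong audience"}
        if assertion.get("not_on_or_after", 0) <= now:
            return {"ok": False, "reason": "expired"}
        resource = self.pending.pop(assertion.get("in_response_to"), None)
        if resource is None:
            return {"ok": False, "reason": "unsolicited or replayed"}
        return {"ok": True, "resource": resource, "subject": assertion.get("subject"),
                "attributes": assertion.get("attributes", {})}

    @staticmethod
    def authorise(attributes: dict, required_affiliation: str) -> bool:
        """Authorisation stays with the SP and is decided on attributes, not on the name."""
        return required_affiliation in attributes.get("affiliation", [])
```

Running a flow means calling `start_login` on the SP, passing `browser_follow_redirect(url)` to the IdP's `issue_assertion`, and feeding `browser_submit(form)` into `consume_assertion`. The SP's checks map onto the slide 35 definitions: the signature check establishes that the assertion is authentic, while the federation lookup, audience, lifetime and request-ID checks establish that it is valid for this site; an assertion that is authentic but comes from an issuer outside the federation metadata is still refused, and a message posted a second time is refused because its request ID has already been consumed. The `subject` value is an identifier from the IdP's domain and is only meaningful there, which is why the SP decides on the attributes instead.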
- 47. User Authentication using Shibboleth [2]
[Figure: components shown are the User, a Web Service protected by a SHIB SP, a WAYF service, and an Identity Provider comprising an Authentication Service and an Attribute Authority; labels visible include “Signed Authn Assertion” and steps 5 and 6.]
- 50. Shibboleth disadvantages
• Single attribute authority to the service provider.
• Subject to phishing attacks.
• No single sign-off.
• Credentials can be stolen from a browser and used by an imposter.
• Shibboleth cannot be used for services that need to know who the user is for service personalisation.
- 51. Bibliography
1. John Wandelt, Georgia Tech Research Institute (GTRI), August 2007, www.it.ojp.gov/GFIPM
2. David Chadwick, Lecture Notes, True-Trust Ltd., 2011.
3. http://shibboleth.internet2.edu/
- 52. Summary
• In this session we discussed the following:
– Federated Identity Management, with different examples.
- 53. Thanks
Dr. Radwan Tahboub