ASFWS 2011: Harmonizing Identity and Privacy in Digital Identity and Authentication technologies

1,028 views
908 views

Published on

When we think about authentication and more specifically about strong authentication mechanisms based on cryptographic primitives, we first think about techniques generating non-repudiable identity proofs. It seems like the more “secure” an authentication scheme is, the less control the Subject have over its privacy using it. Facing the Security vs Privacy debate, we might be tempted to intuitively (but wrongly) assume that those concepts are diametrically opposed.
In this talk, the presenter will introduce some concepts and associated techniques which
could be leveraged to provide secure authentication without sacrificing privacy. This talk
will first highlight the privacy side effects associated with the classical authentication
schemes based on X.509 certificates before having a closer look at selective disclosure,
ZKIP, Digital Credential and their implementations in the real world.

Application Security Forum 2011
27.10.2011 - Yverdon-les-Bains (Switzerland)
Speaker: Simon Blanchet

Published in: Technology, News & Politics
1 Comment
0 Likes
Statistics
Notes
  • Be the first to like this

No Downloads
Views
Total views
1,028
On SlideShare
0
From Embeds
0
Number of Embeds
6
Actions
Shares
0
Downloads
20
Comments
1
Likes
0
Embeds 0
No embeds

No notes for slide
  • Being quite involved in designing and implementing cryptographic software & software implementing security features. Applied cryptography (X.509, S/MIME, OpenSSL, Crypto API, Crypto++, …).Worked as an Application Security Architect for a Private Bank in Geneva integrating and implementing SSO and Strong Authentication solutions (smartcard programming at every level (CAPI, PKCS11, APDUS)) and PKI migration and integration.From implementing Security Product (Product Implementing Security Features) to Building Security In Software, hence building Secure Software. Because a Security Software is not necessarily a Secure Software…
  • Authentication: DefinitionsMight want to skip those one and pass quickly over them if this is something too obvious for the crowd…
  • Authentication: Real world examplesMight want to skip those one and pass quickly over them if this is something too obvious for the crowd…
  • Authentication: IT worldMight want to skip those one and pass quickly over them if this is something too obvious for the crowd…
  • Authentication: MechanismsMight want to skip those one and pass quickly over them if this is something too obvious for the crowd…
  • This part can be interactive…
  • This part can be interactive…
  • 1)Technical identity systems must only reveal information identifying a user with the user’s consent. 2) The identity metasystem must disclose the least identifying information possible, as this is the most stable, long-term solution.3) Identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.4)A universal identity metasystem must support both “omnidirectional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles. 5) A universal identity solution must utilize and enable the interoperation of multiple identity technologies run by multiple identity providers. 6) The identity metasystem must define the human user to be a component of the distributed system, integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks. 7) The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.
  • Use analogy of Cave with 2 paths and door, repeat the experience… Confidence level will go up.
  • ASFWS 2011: Harmonizing Identity and Privacy in Digital Identity and Authentication technologies

    1. 1. Harmonizing Identity andPrivacy in Digital Identity andAuthentication technologiesSimon BlanchetInformation Security & Risk Team Leader - Application Security{Undisclosed} Private Bank
    2. 2. Who Am I? Simon Blanchet, CISSP 11+ years in Information System Security Security Security / Cryptographic Software Developer Information Security Professional (Application / Software Security) in Private Banking Hooked: Computers, BBSes, “hacking scene” Computer Science Passionate about Cryptology (Classical, Applied) & Software (In)Security27.10.2011 Application Security Forum - Western Switzerland - 2011 2
    3. 3. Who Am I? Crypto / Security Software Developer Secure Email Solution (X.509, OpenSSL, MS CAPI, …) Meta-IDS built on OpenBSD (aggregation, correlation) Digital Credential initial PoC / SDK Information Security Professional (Swiss Banking) Application Security Architect (PKI, AAA, libs (authn, crypto), …) Smartcard Programming & Integration (PKCS11, APDUS) Application Security Team Lead – Private Bank Software Security, ARA, Threat Modeling, Security Testing27.10.2011 Application Security Forum - Western Switzerland - 2011 3
    4. 4. Who Am I? Fun facts: Own (too) many books on Cryptology and Brewing Some of which are signed by the author with dedication Foodies, Beer aficionado Urban travelers, love languages27.10.2011 Application Security Forum - Western Switzerland - 2011 4
    5. 5. Agenda What this talk IS about / What this talk is NOT about Authentication & Privacy Identity Meta System (IdP, RP, Subject / Principal, …) PKI, X.509, Case Study: SSL mutual authentication Introducing the Laws of Identity Some issues with current authentication schemes Introducing Elementary Cryptographic Primitives Introducing Digital Credential27.10.2011 Application Security Forum - Western Switzerland - 2011 5
    6. 6. What this talk IS about Digital Identity Authentication Digital Privacy in the authentication world Identity Provider, Relying Parties, Subject Limitations of current implementations Elementary cryptographic primitives RSA, Digital Signature, Discrete Logarithms, ZKIP, Blind Signature, Selective Disclosure, …27.10.2011 Application Security Forum - Western Switzerland - 2011 6
    7. 7. What this talk is NOT about Anonymous browsing MIX networks / Onion Routing Hiding identity at the network level Political statement / Privacy evangelism 27.10.2011 Application Security Forum - Western Switzerland - 2011 7
    8. 8. Authentication & Privacy Definition, means, why, conflicting / diametrically opposed concepts? Security vs Privacy debate27.10.2011 Application Security Forum - Western Switzerland - 2011 8
    9. 9. Identification & Authentication Identification Act or process of identifying somebody or something or of being identified. So, it’s an act or process of showing who somebody is. Act of claiming an identity, where an identity is a set of one or more signs signifying a distinct entity. Authentication Act or process of proving something to be valid, genuine or true about someone’s identity. Act of verifying that identity, where a verification consists in establishing, to the satisfaction of the verifier, that the sign signifies the entity.27.10.2011 Application Security Forum - Western Switzerland - 2011 9
    10. 10. Identification vs Authentication Identification Ex: “Hi I’m Simon”, “Hi I’m the owner of this car” Authentication Ex: “Hi I’m Simon, here’s my passport” Something I own Passport Ex: “Hi I’m Simon, here’s my passport and let me sign this piece of paper” Something I own Passport Something I am My signature27.10.2011 Application Security Forum - Western Switzerland - 2011 10
    11. 11. Authentication (1/2) Authentication factors Knowledge Something you know Ex: Password, Pin code, Passphrase, answer to a special ? Ownership Something you own Ex: Security Token, Cell phone, Private Key associated to a cert Inherence Something you do or are Ex: Fingerprint, voice, retina (think biometrics) Multi-factor Authentication Any combination of more than one of the above…27.10.2011 Application Security Forum - Western Switzerland - 2011 11
    12. 12. Authentication (2/2) SSL Mutual Authentication Public Key Digital Signature (more on this later…) Hardware / Security Token Shared Secret Key Authentication OTP based on Shared Secret + Time OTP based on Shared Secret + Counter OTP based on Shared Secret + Challenge The minimum requirement of any token is at least an inherent unique identity… OpenID / SAML / …27.10.2011 Application Security Forum - Western Switzerland - 2011 12
    13. 13. Privacy Ability of a person to control the availability of information about and exposure of himself or herself. It is related to being able to function in society anonymously (including pseudonymous or blind credential identification)27.10.2011 Application Security Forum - Western Switzerland - 2011 13
    14. 14. Anonymity / Pseudonymity Anonymity No information linking an identifier to its entity Identity that is not bound or linked to an entity Obscuring the identity of an entity Pseudonymity Pseudonym is a fictitious identifier which is not immediately associated to an entity Ex: Pen names, Nicknames, … Linking & Tracking possible, pseudo revealed: Game Over27.10.2011 Application Security Forum - Western Switzerland - 2011 14
    15. 15. Security vs Privacy Is this a real dilemma? Conflicting / diametrically opposed concepts? We hear a lot about trading your Privacy to increase your Security in airport security Full-Body Scanners anyone?27.10.2011 Application Security Forum - Western Switzerland - 2011 15
    16. 16. Security vs Privacy Post 9/11 How much privacy are you willing to give up for security? Security or Privacy? Fundamental dichotomy? NOT really… Security affects Privacy when its based on identity Real question: Liberty versus Control Quoting Benjamin Franklin: "Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety."27.10.2011 Application Security Forum - Western Switzerland - 2011 16
    17. 17. Identity Meta System IdP - Identity Provider Issues digital identity Ex: CA for X.509 Digital Certificate RP - Relying Parties Requires identity / Trust IdP Ex: Mutual SSL authn protected web server S / P – Subject / Principal Entities about whom claims are made Ex: Individual owning a cert & its associated private key27.10.2011 Application Security Forum - Western Switzerland - 2011 17
    18. 18. PKI IdP is the Certification Authority (CA) Authenticate Validate CSR Issue Cert Cryptographic IdP binding Identity + Public Key Subjec Access Request RP t Certificate + Proof ofKeep Private Key possession private keySign(Attrib + Pub Key) CSR27.10.2011 Application Security Forum - Western Switzerland - 2011 18
    19. 19. Case Study SSL Mutual Authentication27.10.2011 Application Security Forum - Western Switzerland - 2011 19
    20. 20. SSL Mutual Authentication Common Trusted IdP (CA) between RP & S CA issues a digital certificate to Subject Client-side key pair generation PKCS10 Certificate Signing Request sent to CA CA authenticate Subject & verify proof of possession of associated Private Key CA issues X.509 certificate to Subject27.10.2011 Application Security Forum - Western Switzerland - 2011 20
    21. 21. SSL Mutual Authentication RP is a Web Server configured to require a client certificate SSL “Server Hello” – “Client Certificate Request” $ openssl s_server -www -key myca_privkey.pem -cert myca.pem -state -msg -debug -Verify myca.pem27.10.2011 Application Security Forum - Western Switzerland - 2011 21
    22. 22. SSL Mutual Authentication Copyright IBM Corporation 1999, 2011. All Rights Reserved. This topics URL: http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/topic/com.ibm.mq.csqzas.doc/sy10660_.htm27.10.2011 sy10660_ Application Security Forum - Western Switzerland - 2011 22
    23. 23. SSL Mutual Authentication So the client is only sending his certificate back to the server or is he? What else would be needed and why? Proof of possession of associated private key A certificate is public by definition … How to prove to a RP that we own such key? Someone said “Digital Signature”? What is really signed here? Why?27.10.2011 Application Security Forum - Western Switzerland - 2011 23
    24. 24. SSL Mutual Authentication What can be signed? Who’s providing the material to sign? The server only? The client only? Both? Why? What can go wrong if not both? What’s the outcome of all of this? Server obtain a proof that the Client owns the private key associated with the cert shown27.10.2011 Application Security Forum - Western Switzerland - 2011 24
    25. 25. Laws of Identity ii.a27.10.2011 Application Security Forum - Western Switzerland - 2011 25
    26. 26. Laws of Identity ii.a1. User Control and Consent2. Minimal Disclosure for a Constrained Use3. Justifiable Parties4. Directed Identity5. Pluralism of Operators and Technologies6. Human Integration7. Consistent Experience Across Contexts27.10.2011 Application Security Forum - Western Switzerland - 2011 26
    27. 27. Some issues with current schemes27.10.2011 Application Security Forum - Western Switzerland - 2011 27
    28. 28. Privacy Issues with current schemes IdP sees the certificates it issues RP can always track the entity authenticating RP can store all the certificates presented Different RPs can exchange & link those certificates ALL the attributes contained in the certificate are disclosed to the RP CRLs are distributed to all RP27.10.2011 Application Security Forum - Western Switzerland - 2011 28
    29. 29. X.509 SSL Mutal Authn (1/2)1. User Control and Consent ✗ / ? By Default: NO under most common OSes MS CAPI Private Key Security Level2. Minimal Disclosure for a Constrained Use ✗ ALL attributes embedded in the cert are disclosed27.10.2011 Application Security Forum - Western Switzerland - 2011 29
    30. 30. Issues with X.509 authn (2/2) Cert contains direct unique identifiers such as: Subject Key Identifier ( 2.5.29.14 ) IssuerDN + Serial Number Common Name* Cert contains indirect unique identifiers: Public Key CA’s Signature Computed Thumbprint27.10.2011 Application Security Forum - Western Switzerland - 2011 30
    31. 31. Cryptographic Primitives27.10.2011 Application Security Forum - Western Switzerland - 2011 31
    32. 32. Cryptographic Primitives RSA Discrete Logarithm Problem (DLP) Zero-Knowledge Proof (ZKP) Prover Subject Verifier RP Blind Signature Selective Disclosure27.10.2011 Application Security Forum - Western Switzerland - 2011 32
    33. 33. RSA P & Q: Large random prime numbers n = P * Q Modulus common to privkey & pubkey Compute φ(n) = (p – 1)(q – 1) Choose an integer e such that 1 < e < φ(n) and gcd(e,φ(n)) = 1 public key d = e–1 mod φ(n) private key Encryption-Decryption / Signature-Validation ENC/DEC: c = me (mod n), m = cd (mod n) SIG/VAL: s = hd (mod n), h = se (mod n) h’=h?27.10.2011 Application Security Forum - Western Switzerland - 2011 33
    34. 34. Discrete Logarithm Problem g and h are elements of a finite cyclic group G then a solution x of the equation gx = h is called a discrete logarithm to the base g of h in the group G. Given g ≠1 and a random h := gx, it is not possible to find x from computational complexity standpoint.27.10.2011 Application Security Forum - Western Switzerland - 2011 34
    35. 35. Zero Knowledge ProofFor Children… (from Jean-Jacques Quisquater’s paper*)Repeat until confidence level is reached…• http://en.wikipedia.org/wiki/Zero-knowledge_proof 27.10.2011 Application Security Forum - Western Switzerland - 2011 35
    36. 36. Introducing digital credential• Issuing protocol Blind Signature – Subject can (blind) “randomize” its public key – IdP can still sign without “knowing” the public key – The resulting IdP signature is also “blinded” from the IdP perspective• Showing protocol Selective Disclosure – Subject can blind, hence selectively disclose only the attributes he wishes to do to the RP (Verifier)27.10.2011 Application Security Forum - Western Switzerland - 2011 36
    37. 37. Conclusion Pseudonymity != Anonymity Security XOR Privacy? NOT Really Liberty VS Control THE real question Most current authentication schemes were not built with “privacy” in mind and currently don’t comply with the “7 Laws of Identity” Some cryptographic constructs exists to implement privacy and empower the Subject Implementations of those constructs already exist 27.10.2011 Application Security Forum - Western Switzerland - 2011 37
    38. 38. © flickr.com/horiavarlan horiavarlan Questions Questions ?27.10.2011 Application Security Forum - Western Switzerland - 2011 38
    39. 39. Thank You! / Merci! Simon Blanchet simon.blanchet@gmail.com http://ch.linkedin.com/in/sblanchet SLIDES A TELECHARGER PROCHAINEMENT: http://slideshare.net/ASF-WS27.10.2011 Application Security Forum - Western Switzerland - 2011 39
    40. 40. References (1/2)i. Microsoft’s Vision for an Identity Metasystem a. http://www.identityblog.com/stories/2005/10/06/IdentityMetasystem.pdfii. The Laws of Identity, Kim Cameron a. http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.pdfiii. Rethinking Public Key Infrastructures and Digital Certificates, Stefan Brands a. http://mitpress.mit.edu/catalog/item/default.asp?sid=DB63048D-0822-4233-8765- 55C534600287&ttype=2&tid=3801 b. http://www.credentica.com/the_mit_pressbook.htmliv. Work of David Chaum & Stefan Brands, School of Computer Science and Statistics at Trinity College Dublin (Michael Peirce’s homepage) a. http://ntrg.cs.tcd.ie/mepeirce/Project/chaum.html b. http://ntrg.cs.tcd.ie/mepeirce/Project/Mlists/brands.htmlv. The Id Element a. http://channel9.msdn.com/Shows/Identity b. http://channel9.msdn.com/shows/Identity/Deep-Dive-into-U-Prove-Cryptographic-protocols27.10.2011 Application Security Forum - Western Switzerland - 2011 40
    41. 41. References (2/2)v. 7 Laws of Identity, Ann Cavoukian a. http://www.ipc.on.ca/images/Resources/up-7laws_whitepaper.pdfvi. The problem(s) with OpenID, The Identity Corner a. http://www.untrusted.ca/cache/openid.htmlvii. An Overview of an SSL Handshake & How SSL provides authentication, confidentiality, and integrity a. http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/advanced/print.jsp?topic=/com.ibm.mq. csqzas.doc/sy10670_.htm&isSelectedTopicPrint=true b. http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/index.jsp?topic=%2Fcom.ibm.mq.csqzas .doc%2Fsy10660_.htmviii. Links Blog (Identity), Ben Laurie a. http://www.links.org/?cat=8ix. U-Prove Crypto SDK V1.1 (Java Edition) - Apache 2.0 open-source license a. http://archive.msdn.microsoft.com/uprovesdkjavax. Random Thoughts on Digital Identity, Digital Identity Glossary a. http://blog.onghome.com/glossary.htm27.10.2011 Application Security Forum - Western Switzerland - 2011 41

    ×