TrustBearer - CTST 2009 - OpenID & Strong Authentication


TrustBearer - CTST 2009 - OpenID & Strong Authentication - Presentation Transcript

  1. OpenID & Strong Authentication. CTST 2009: Emerging Technology, D14: Smart Cards, Tokens & Digital Identity. May 5, 2009. Brian Kelly, Vice President, TrustBearer Labs
  2. Simplify: Multi-factor authentication can be made easier to use and to implement by building on Web Single Sign On (SSO) standards such as OpenID and SAML.
  3. OpenID vs. SAML
     OpenID:
     • Consumer focused
     • On-the-fly provisioning
     • Many identity providers available online for consumers to choose from
     • Mostly open-source and OS services
     SAML:
     • Enterprise focused
     • Bulk provisioning (on-the-fly supported)
     • Identity Provider is internal to the organization (typically)
     • Commercial and COTS products available
  4. How does SAML work?
     (Diagram: user, web app login page, SAML Identity Provider backed by LDAP authentication, App 1 / App 2 / App 3 and other SAML Service Providers (consumers).)
     • The SAML Identity Provider authenticates users (e.g. against LDAP) and creates signed assertions.
     • Each web app (SAML Service Provider) verifies the signed assertions; the user is logged in to the web app.
  5. How does OpenID work?
     (Diagram: user, consumer web app login page, OpenID Provider (IdP), OpenID Relying Parties (consumers).)
     • The user authenticates to the IdP and enables the account to be used with the consumer site.
     • The consumer web app (OpenID Relying Party) verifies the previously enrolled OpenID; the user is logged in to the web app.
  6. End-point authentication is agnostic of the SSO standard. All of these methods can be supported by SAML or OpenID:
     • username / password
     • one time password (OTP) tokens
     • smart cards (e.g. PIV, CAC, FRAC)
     • TPM
     • client digital certificates
     • information cards
     • biometrics
     • image verification
  7. Identity Provider offers end-point authentication options
     • Google, Yahoo, AOL: password
     • myOpenID: password, phone verify, client certificate, info card
     • VeriSign PIP: OTP, client certificate, info card, EV SSL
     • TrustBearer: smart cards (CAC, PIV, etc.), biometrics
     • Vidoop: image recognition (CAPTCHA)
     The IdP can tell the RP which authentication methods were used, and the RP can even request its preferences.
  8. What authentication method to choose?
  9. Required Protections for OMB's E-Auth Assurance Levels
     Protect against          Level 1  Level 2  Level 3  Level 4
     On-line guessing            ✓        ✓        ✓        ✓
     Replay                      ✓        ✓        ✓        ✓
     Eavesdropper                         ✓        ✓        ✓
     Verifier impersonation               ✓        ✓        ✓
     Man-in-the-middle                             ✓        ✓
     Session hijacking                                      ✓
     From NIST SP 800-63 p. 39
  10. Token Types Allowed At Each Assurance Level
     Token type                Level 1  Level 2  Level 3  Level 4
     Hard crypto token            ✓        ✓        ✓        ✓
     One-time password device     ✓        ✓        ✓
     Soft crypto token            ✓        ✓        ✓
     Passwords & PINs             ✓        ✓
     From NIST SP 800-63 p. 39
  11. OpenID Provider Authentication Policy Extension (PAPE)
     • Provides a way for Relying Parties to request / view the authentication policies of the Identity Provider
     • Policies: Phishing-resistant, Multi-Factor, and Physical Multi-Factor
     • Preferred authentication levels, e.g. NIST: 1, 2, 3, 4
     SAML also allows authentication attributes to be added to a message.
  12. TrustBearer OpenID
     What we do:
     • Challenge/response with PIN or biometric verification
     • Allow multiple tokens per account
     • Implement PAPE
     • No username / password option
     • Some SAML support
     What we could do:
     • Path validation & revocation checking
     • Use SReg to transmit data on the card
     • Allow RPs to request that certain smart cards or tokens be used
     • More SAML support
  13. How Government OpenID with smart card auth could work
     (Diagram: citizen, U.S. Gov't web app as OpenID Relying Party (consumer), U.S. Gov't OpenID Provider.)
     • The citizen visits the gov't web app login page. The web app (RP) includes the U.S. Gov't OpenID Provider on its trusted list.
     • The user is directed to the government OpenID provider, which uses the CAC / PIV smart card to authenticate the user and performs path validation & certificate revocation checking.
     • OpenID + SReg + PAPE data is sent to the gov't web app, which verifies the info; the citizen is logged in to the web app.
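The Relying Party side of slides 11 and 13, as an added example that is not TrustBearer's code: after the OpenID 2.0 signature on a positive assertion has been verified, the RP still has to decide whether the OP is on its trusted list, whether the PAPE fields are actually covered by that signature, and whether the asserted policies, NIST level and authentication time meet its requirements. Parameter names follow the OpenID Authentication 2.0 and PAPE 1.0 specifications; the trust list, the required policies and the sample assertion are constructed for illustration.

```python
"""Relying-party acceptance check for an OpenID 2.0 positive assertion that
carries PAPE fields. Added example, not TrustBearer's code. Parameter names
follow OpenID Authentication 2.0 and PAPE 1.0; the trust list, policy
requirements and the sample assertion below are constructed assumptions."""
from datetime import datetime, timedelta, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
# NIST SP 800-63 assurance-level namespace as registered in PAPE 1.0
NIST_NS = "http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf"
POLICY = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = POLICY + "phishing-resistant"
MULTI_FACTOR = POLICY + "multi-factor"
MULTI_FACTOR_PHYSICAL = POLICY + "multi-factor-physical"
NO_POLICY = POLICY + "none"

# Assumed trust list (slide 13): only these OP endpoints may log a citizen in.
TRUSTED_OP_ENDPOINTS = {"https://openid.example.gov/server"}

# Every field the decision depends on must be under the OP's signature;
# an unsigned pape.* value could be added by the user agent on the way back.
REQUIRED_SIGNED = {"op_endpoint", "claimed_id", "identity", "return_to",
                   "response_nonce", "assoc_handle", "ns.pape",
                   "pape.auth_policies", "pape.auth_time",
                   "pape.auth_level.ns.nist", "pape.auth_level.nist"}


def build_pape_request(policies, max_auth_age):
    """PAPE parameters the RP appends to its checkid_setup request."""
    return {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.max_auth_age": str(max_auth_age),
        "openid.pape.preferred_auth_policies": " ".join(policies),
        "openid.pape.preferred_auth_level_types": "nist",
        "openid.pape.auth_level.ns.nist": NIST_NS,
    }


def check_assertion(p, required_policies, min_nist_level, max_auth_age, now):
    """Return (accepted, reason). Assumes openid.sig was already verified
    (association HMAC or check_authentication); this decides whether what
    the signature covers and asserts is good enough for this RP."""
    if p.get("openid.op_endpoint") not in TRUSTED_OP_ENDPOINTS:
        return False, "op_endpoint not on trust list"
    if p.get("openid.ns.pape") != PAPE_NS:
        return False, "no PAPE response"
    missing = REQUIRED_SIGNED - set(p.get("openid.signed", "").split(","))
    if missing:
        return False, "unsigned fields: " + ",".join(sorted(missing))
    policies = set(p.get("openid.pape.auth_policies", "").split())
    if not policies or NO_POLICY in policies:
        return False, "OP applied no authentication policy"
    lacking = set(required_policies) - policies
    if lacking:
        return False, "policies not satisfied: " + " ".join(sorted(lacking))
    if p.get("openid.pape.auth_level.ns.nist") != NIST_NS:
        return False, "NIST level namespace missing"
    try:
        level = int(p["openid.pape.auth_level.nist"])
    except (KeyError, ValueError):
        return False, "NIST level missing or malformed"
    if level < min_nist_level:
        return False, f"NIST level {level} below required {min_nist_level}"
    try:  # PAPE auth_time is ISO 8601 in UTC, e.g. 2009-05-05T13:58:30Z
        auth_time = datetime.strptime(p["openid.pape.auth_time"],
                                      "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False, "auth_time missing or malformed"
    if auth_time > now + timedelta(seconds=60):       # small clock-skew allowance
        return False, "auth_time in the future"
    if now - auth_time > timedelta(seconds=max_auth_age):
        return False, "authentication older than max_auth_age"
    return True, "ok"


# Constructed id_res assertion from the assumed government OP (not captured).
SAMPLE_ASSERTION = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://openid.example.gov/server",
    "openid.claimed_id": "https://openid.example.gov/id/citizen123",
    "openid.identity": "https://openid.example.gov/id/citizen123",
    "openid.return_to": "https://app.example.gov/openid/return",
    "openid.response_nonce": "2009-05-05T13:58:31ZabcDEF",
    "openid.assoc_handle": "assoc-1",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": MULTI_FACTOR_PHYSICAL + " " + PHISHING_RESISTANT,
    "openid.pape.auth_time": "2009-05-05T13:58:30Z",
    "openid.pape.auth_level.ns.nist": NIST_NS,
    "openid.pape.auth_level.nist": "4",
    "openid.signed": ",".join(sorted(REQUIRED_SIGNED)),
    "openid.sig": "signature-verified-before-this-check",
}
NOW = datetime(2009, 5, 5, 14, 0, 0, tzinfo=timezone.utc)
REQUIRED_POLICIES = {MULTI_FACTOR_PHYSICAL, PHISHING_RESISTANT}


def check_sample(overrides=None, seconds_later=0, min_nist_level=3, max_auth_age=600):
    """Run the check on the sample, optionally tampering fields or moving the clock."""
    p = dict(SAMPLE_ASSERTION)
    p.update(overrides or {})
    return check_assertion(p, REQUIRED_POLICIES, min_nist_level, max_auth_age,
                           NOW + timedelta(seconds=seconds_later))


if __name__ == "__main__":
    print(check_sample())
    print(check_sample({"openid.pape.auth_level.nist": "2"}))
```

The signed-field check is the part most often skipped: PAPE values arrive as query parameters on the return_to redirect, so an OP response that lists auth_policies outside openid.signed says nothing about how the user actually authenticated.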
  14. "In-the-cloud" strong-auth benefits over traditional client auth with SSL
     • Less infrastructure / less coding
     • Path validation & revocation checking work is offloaded to the Identity Provider
     • Authentication methods can scale up and down depending on application needs
     • Non-cert data on the smart card becomes useful (e.g. healthcare)
  15. Questions? https://openid.trustbearer.com, Brian Kelly, brian.kelly@trustbearer.com, twitter.com/TrustBearer, Vice President, TrustBearer Labs

TrustBearer, 7 months ago

custom

640 views, 3 favs, 2 embeds more stats

This presentation was given at the Card Tech Secure

More info about this document

CC Attribution-NonCommercial-ShareAlike License

Go to text version

  • Total Views 640
    • 499 on SlideShare
    • 141 from embeds
  • Comments 1
  • Favorites 3
  • Downloads 0
Most viewed embeds
  • 139 views on http://blog.trustbearer.com
  • 2 views on https://blog.trustbearer.com

more

All embeds
  • 139 views on http://blog.trustbearer.com
  • 2 views on https://blog.trustbearer.com

less

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate. If needed, use the feedback form to let us know more details.

Cancel
File a copyright complaint
Having problems? Go to our helpdesk?

Categories