TrustBearer - CTST 2009 - OpenID & Strong Authentication
 


This presentation was given at the Card Tech Secure Tech (CTST) Conference on May 5, 2009 in New Orleans, LA. Brian Kelly was on a panel with Gilles Lisimaque, Siddharth Bajaj and Michael Poitner to discuss emerging technologies in Smart Cards, Tokens & Digital Identity.

Usage Rights

CC Attribution-NonCommercial-ShareAlike License

    Presentation Transcript

    • OpenID & Strong Authentication. CTST 2009: Emerging Technology D14: Smart Cards, Tokens & Digital Identity. May 5, 2009. Brian Kelly, Vice President, TrustBearer Labs.
    • Simplify: Multi-factor authentication can be made easier to use and implement by utilizing Web Single Sign On (SSO) standards (e.g. SAML).
    • OpenID vs. SAML
        • OpenID: consumer focused; on-the-fly provisioning; many identity providers available online for consumers to choose; mostly open-source, OS and COTS services.
        • SAML: enterprise focused; bulk provisioning (on-the-fly supported); Identity Provider is internal to the organization (typically); commercial and OS products available.
    • How does SAML work? (diagram) The user authenticates to the SAML Identity Provider, which authenticates users against LDAP Auth. and creates signed assertions; the web apps (App 1, App 2, App 3 and other SAML Service Providers, i.e. consumers) verify the signed assertions, and the user is logged in via the web app's login page.
    • How does OpenID work? (diagram) On the consumer web app's login page the user enters a previously enrolled OpenID; the OpenID Provider verifies the user, and the user is logged in to the web app, the Relying Party (consumer). The user authenticates to the IdP and enables the account to be used with the consumer site.
    • End-point authentication is agnostic of SSO standard. All methods can be supported by SAML or OpenID:
        • username / password
        • one time password (OTP) tokens
        • smart cards (e.g. PIV, CAC, FRAC)
        • TPM
        • client digital certificates
        • information cards
        • biometrics
        • image verification
    • Identity Provider offers end-point authentication options:
        • Google, Yahoo, AOL: password
        • myOpenID: password, phone verify, client certificate, info card
        • VeriSign PIP: OTP, client certificate, info card, EV SSL
        • TrustBearer: smart cards (CAC, PIV, etc.), biometrics
        • Vidoop: image recognition (CAPTCHA)
      The IdP can specify the authentication methods used to the RP, which can even request preferences.
    • What authentication method to choose?
    • Required Protections for OMB's E-Auth Assurance Levels (from NIST SP 800-63 p. 39). Protect against:
        • On-line guessing: Levels 1, 2, 3, 4
        • Replay: Levels 1, 2, 3, 4
        • Eavesdropper: Levels 2, 3, 4
        • Verifier impersonation: Levels 2, 3, 4
        • Man-in-the-middle: Levels 3, 4
        • Session hijacking: Level 4
    • Token Types Allowed At Each Assurance Level (from NIST SP 800-63 p. 39):
        • Hard crypto token: Levels 1, 2, 3, 4
        • One-time password device: Levels 1, 2, 3
        • Soft crypto token: Levels 1, 2, 3
        • Passwords & PINs: Levels 1, 2
    • OpenID Provider Authentication Policy Extension (PAPE)
        • Provides a way for Relying Parties to request / view authentication policies of the Identity Provider
        • Policies: Phishing-resistant, Multi-Factor, and Physical Multi-Factor
        • Preferred authentication levels, e.g. NIST: 1, 2, 3, 4
      SAML also allows authentication attributes to be added to a message.
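The Relying Party side of the PAPE exchange described in the slide above, as an added example that is not TrustBearer's code: build the request asking for policies and a NIST level, then judge what the IdP actually asserts back, accepting only PAPE fields covered by the assertion signature. Parameter names, policy URIs and the NIST level namespace follow the PAPE 1.0 specification; the response dicts in the test are constructed.

```python
# RP side of the OpenID Provider Authentication Policy Extension (PAPE 1.0):
# build the request, then judge the IdP's signed response.  Added example,
# not TrustBearer's code; names and URIs follow the PAPE 1.0 specification.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY_BASE = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = POLICY_BASE + "phishing-resistant"
MULTI_FACTOR = POLICY_BASE + "multi-factor"
MULTI_FACTOR_PHYSICAL = POLICY_BASE + "multi-factor-physical"
POLICY_NONE = POLICY_BASE + "none"   # the IdP's way of saying "none were met"
# Namespace PAPE 1.0 assigns to the NIST SP 800-63 assurance levels 1-4.
NIST_NS = "http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf"


def build_pape_request(preferred_policies, want_nist_level=False):
    """openid.* parameters the RP adds to its checkid_setup request to ask
    the IdP for these policies and, optionally, to report a NIST level."""
    params = {"openid.ns.pape": PAPE_NS,
              "openid.pape.preferred_auth_policies": " ".join(preferred_policies)}
    if want_nist_level:
        params["openid.pape.preferred_auth_level_types"] = "nist"
        params["openid.pape.auth_level.ns.nist"] = NIST_NS
    return params


def pape_satisfied(response, required_policies, min_nist_level=0):
    """Judge a signature-verified id_res assertion against the RP's own
    requirements; returns (ok, reason).  The IdP may ignore what was
    requested, so only what it asserts back counts."""
    if response.get("openid.ns.pape") != PAPE_NS:
        return False, "IdP did not answer with PAPE"
    # Only fields named in openid.signed are covered by the assertion
    # signature; an unsigned policy claim could be altered in the browser.
    signed = set(response.get("openid.signed", "").split(","))
    needed = {"ns.pape", "pape.auth_policies"}
    if min_nist_level > 0:
        needed |= {"pape.auth_level.nist", "pape.auth_level.ns.nist"}
    if not needed <= signed:
        return False, "unsigned PAPE fields: %s" % sorted(needed - signed)
    asserted = set(response.get("openid.pape.auth_policies", "").split())
    asserted.discard(POLICY_NONE)
    missing = set(required_policies) - asserted
    if missing:
        return False, "policy not met: %s" % sorted(missing)
    if min_nist_level > 0:
        if response.get("openid.pape.auth_level.ns.nist") != NIST_NS:
            return False, "unknown auth_level namespace"
        level = response.get("openid.pape.auth_level.nist", "")
        if not level.isdigit() or int(level) < min_nist_level:
            return False, "NIST level %r below required %d" % (level, min_nist_level)
    return True, "ok"
```

Run `pape_satisfied` only after the assertion itself has been verified (check_authentication or the association MAC), since it relies on `openid.signed` being trustworthy.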
    • TrustBearer OpenID
        • What we do: challenge/response with PIN or Bio verification; allow multiple tokens per account; implement PAPE; no username / password option; some SAML support.
        • What we could do: path validation & revocation checking; use SReg to transmit data on card; allow RPs to request that certain smart cards or tokens be used; more SAML support.
    • How Government OpenID with smart card auth could work (diagram): From the web app's login page the citizen is directed to the U.S. Gov't OpenID Provider, which authenticates the user with a CAC / PIV smart card (path validation & certificate revocation checking); OpenID + SReg + PAPE data is sent to the Gov't web app, the Relying Party (consumer), which includes the U.S. Gov't OpenID Provider on its trusted list; the info is verified and the citizen is logged in to the web app.
    • “In-the-cloud” strong-auth benefits over traditional Client Auth with SSL:
        • Less infrastructure / less coding
        • Path validation & revocation checking work is offloaded to the Identity Provider
        • Authentication methods can scale up and down depending on application needs
        • Non-cert data on smart card becomes useful (e.g. healthcare)
    • Questions? https://openid.trustbearer.com. Brian Kelly, Vice President, TrustBearer Labs; brian.kelly@trustbearer.com; twitter.com/TrustBearer