E gov security_tut_session_9

  1. The Palestinian eGovernment Academy (أكاديمية الحكومة الإلكترونية الفلسطينية), www.egovacademy.ps. Security Tutorial Sessions, Session 9. PalGov © 2011
  2. About. This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the Commission of the European Communities, grant agreement 511159-TEMPUS-1-2010-1-PS-TEMPUS-JPHES. Project website: www.egovacademy.ps.
     Project consortium: Birzeit University, Palestine; University of Trento, Italy (Coordinator); Palestine Polytechnic University, Palestine; Vrije Universiteit Brussel, Belgium; Palestine Technical University, Palestine; Université de Savoie, France; Ministry of Telecom and IT, Palestine; University of Namur, Belgium; Ministry of Interior, Palestine; TrueTrust, UK; Ministry of Local Government, Palestine.
     Coordinator: Dr. Mustafa Jarrar, Birzeit University, P.O. Box 14, Birzeit, Palestine. Telfax: +972 2 2982935, mjarrar@birzeit.edu
  3. © Copyright Notes. Everyone is encouraged to use this material, or part of it, but should properly cite the project (logo and website) and the author of that part. No part of this tutorial may be reproduced or modified in any form or by any means without prior written permission from the project, which holds the full copyright on the material. Attribution-NonCommercial-ShareAlike (CC BY-NC-SA): this license lets others remix, tweak, and build upon your work non-commercially, as long as they credit you and license their new creations under the identical terms.
  4. Tutorial 5: Information Security. Session 9: Federated Identity Management (FIM). Session 9 outline:
     • Session 9 ILOs.
     • Federated Identity Management.
  5. Tutorial 5, Session 9 (FIM): ILOs. This session will contribute to the following ILOs:
     • A: Knowledge and Understanding
       – Understanding of the concepts underlying secure information systems.
       – An understanding of the various techniques used in identity management.
       – Understanding of the motivation, design, operation and management of modern systems for encryption, authentication, authorization and identification.
     • B: Intellectual Skills
       – Design end-to-end secure and available systems.
       – The ability to analyze the information security requirements of an organization.
     • D: Intellectual Skills
       – Analysis and identification skills.
  7. Federated Identity Management.
     • Introduction
     • Overview of HTTP authentication, cookies, MS Passport and CAPTCHAs
     • Trust domains and access cases
     • FIM definitions and concept
     • FIM examples
  8. Introduction (1)
     • There are many sensitive but unclassified (SBU) networks and information systems, such as those of the different ministries and entities in Palestine.
     • Each has invested in technology, governance structures, policies and trust relationships, but they are not interoperable with each other.
  9. Introduction (2)
     • We need to ensure that the right individuals have access to the resources they are authorised to use, regardless of where they reside in the enterprise.
     • Example: the driving licence renewal example given in Tutorial 1.
  10. Introduction (3)
     • Security and privacy of information are major impediments to information exchange and system interoperability.
     • Users must register at multiple sites and manage multiple sets of security credentials to get access to the resources they need at different ministries.
     • This is expensive, frustrating for users, and does not scale.
  12. But first some background: HTTP cookies
     • Cookies allow a web server/site to store state information for itself (often signed or encrypted) in the user's browser.
     • A site can store many cookies, and the browser returns them all with every request to that site. Cookies are scoped to the domain that set them, so a cookie alone cannot carry a login from one domain to another.
     • Often used to enable SSO within a domain, since the site can tell from its cookie whether a user is already authenticated or not.
  13. HTTP Redirect and Form-POST
     • HTTP Redirect allows one server to pass information to another server via the browser, as data in a URL: the first server answers with a redirect whose Location carries the message in the query string, and the browser follows it.
     • HTTP Form-POST: one server builds an HTML form whose action POSTs it to another server, delivers the form to the browser in the response body, and the browser (usually via a script) submits it to the other server. The message travels in the POST body rather than the URL.
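The two browser-mediated transports above, as an added worked example (not code from the slides). The message is an assumed illustrative JSON authentication request; real federations carry SAML or OpenID Connect messages, but the mechanics are identical: the redirect binding packs the message into the query string (deflate plus base64, as SAML's HTTP-Redirect binding does, because URLs are length-limited and end up in access logs and Referer headers), while the form-POST binding puts it in the POST body. The `RelayState` value is attacker-influenced because it round-trips through the browser, so every value written into the generated form is HTML-escaped. The `_FormReader` class stands in for the browser; the URLs are made up.

```python
import base64
import html
import json
import zlib
from html.parser import HTMLParser
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlparse


def encode_redirect(target_url: str, message: dict, relay_state: str) -> str:
    """HTTP Redirect binding: server A answers the browser with a 302 to this
    URL, so the message travels in server B's query string. Query strings are
    length-limited and appear in logs and Referer headers, so the payload is
    deflate-compressed and base64-encoded and should carry nothing secret."""
    raw = json.dumps(message, separators=(",", ":")).encode()
    deflater = zlib.compressobj(wbits=-15)            # raw DEFLATE, no zlib header
    packed = deflater.compress(raw) + deflater.flush()
    token = base64.b64encode(packed).decode()
    return target_url + "?" + urlencode({"Request": token, "RelayState": relay_state})


def decode_redirect(url: str) -> Tuple[dict, str]:
    """What server B does with the incoming GET."""
    query = parse_qs(urlparse(url).query)
    packed = base64.b64decode(query["Request"][0])
    raw = zlib.decompress(packed, wbits=-15)
    return json.loads(raw), query.get("RelayState", [""])[0]


def encode_form_post(target_url: str, message: dict, relay_state: str) -> str:
    """HTTP Form-POST binding: server A returns a page whose form auto-submits
    to server B. The payload is in the POST body (no length limit, not logged
    in URLs). Every value is HTML-escaped: an unescaped quote in RelayState
    would let the browser-supplied value inject markup into A's page."""
    token = base64.b64encode(json.dumps(message).encode()).decode()

    def esc(value: str) -> str:
        return html.escape(value, quote=True)

    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="POST" action="{esc(target_url)}">'
        f'<input type="hidden" name="Response" value="{esc(token)}"/>'
        f'<input type="hidden" name="RelayState" value="{esc(relay_state)}"/>'
        '<noscript><input type="submit" value="Continue"/></noscript>'
        "</form></body></html>"
    )


class _FormReader(HTMLParser):
    """Stands in for the browser: collects the hidden fields it would submit.
    HTMLParser unescapes attribute values, as a browser does."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.fields[a["name"]] = a["value"]


def submit_form(page: str) -> Dict[str, str]:
    """The browser's side of the Form-POST binding: the fields it POSTs to B."""
    reader = _FormReader()
    reader.feed(page)
    return reader.fields


def decode_form_post(form_fields: Dict[str, str]) -> Tuple[dict, str]:
    """What server B does with the parsed POST body."""
    message = json.loads(base64.b64decode(form_fields["Response"]))
    return message, form_fields["RelayState"]
```

Both bindings deliver the same message; the choice is about size, logging exposure and whether the receiving server wants a GET or a POST. Neither binding protects the message itself, which is why the assertions carried this way are signed (see the later slides on credentials).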
  14. Privacy Protection (profile sharing in MS Passport)
     • The user can choose to share e-mail address, name and other profile information with all participating sites, but the same choice applies to every site; there is no per-site selection.
  15. CAPTCHAs
     • Completely Automated Public Turing test to tell Computers and Humans Apart.
     • Designed to stop automated user-registration programs and the DoS attack of flooding the registration process.
     • The user is asked to type in some characters that most programs are incapable of reading.
  17. Trust Domains: Definition. Trust domains describe the boundaries of a security infrastructure operating under a consistent set of policies, governance, and technology mechanisms. [Figure: Trust Domain 1 and Trust Domain 2, with a question mark over the link between them]
  18. Problems with Trust Domains
     • Problem: authentication and authorization are typically recognised only within a given trust domain, unless something bridges the domains.
     • What is required to achieve interoperability across different trust domains?
  19. Different Access Cases
     • Case 1: one user accessing one application or service.
     • Case 2: one user accessing many applications.
     • Case 3: many users accessing many applications.
  20. Case 1: One user accessing one application. Steps in provisioning access:
     • Vetting (who are you?)
     • Permissions (what can you access?)
     • Credentials (how do I know it's you? Passwords, smart cards, etc.)
     Access requires authentication of the credentials. [Figure: user, application and services]
  21. Case 2: One user accessing many applications. Steps in provisioning access (×N):
     • Vetting
     • Permissions
     • Credentials
     Result:
     • Each application must perform all the steps above.
     • The user must keep track of N sets of credentials.
  22. Case 3: Many users accessing many applications. Steps in provisioning access (×M×N: too many operations!):
     • Vetting
     • Permissions
     • Credentials
     Results:
     • Multifactor credentials and vetting become too expensive.
     • Vetting and credentialing are not done well.
     • Vetting is too far from the user to be kept up to date effectively.
     • High barrier to access.
  23. If not checked correctly!!! [Figure; source: John Wandelt, Georgia Tech Research Institute (GTRI), August 2007 [1]]
  24. Proposed Solution (1)
     • Provision identity and user attributes (vetting and credentialing) within the user's own organisation (×M users: once per user, not once per user per application).
     • Applications make access and authorization decisions based on trusted federation credentials and user attributes.
  25. Proposed Solution (2)
     • Huge savings in vetting and credentialing: M << M×N.
     • Vetting is better: it is closer to the user, since the user's own organisation does it.
     • Credentialing is better: the organisation can afford multifactor credentials.
     • Each user needs only one credential (single sign-on).
     • Lower barriers to access, so more access.
  27. Some Definitions
     • Identity: the whole set of attributes that in combination uniquely characterise a person: hair colour, sound of their voice, height, name, qualifications, past actions, reputation, etc.
     • Attribute: a property, quality or characteristic of an entity.
     • Identifier: a string used to uniquely identify an entity in a domain. Often used as a login ID or primary key in a database. A special type of attribute, since it is usually the only one that on its own can uniquely identify an entity in a domain. X.500/LDAP DNs, IP addresses, DNS names, URIs, key IDs, login IDs and 128-bit random numbers are all identifiers.
  28. Some Definitions (2)
     • Attribute assertion: a statement made by an authority that an entity has a particular attribute. The authority can be the entity itself or a (trusted) third party.
     • Attribute certificate / authorisation credential: a cryptographically protected (usually digitally signed) attribute assertion that can be validated.
     • Attribute authority (AA): an authoritative source for asserting attributes about entities.
     • Service provider: an entity that provides a service to clients.
     • Identity provider: an entity that provides an authentication service, and is often also an AA for a set of identity attributes of its users.
  29. FIM Definition. From the RSA web site:
     • "A federated identity is a single user identity that can be used to access a group of web sites bound by the ties of federation. Without federated identity, users are forced to manage different credentials for every site they use. This collection of IDs and passwords becomes difficult to manage and control over time, offering inroads for identity theft."
     • "Federated identity management builds on a trust relationship established between an organization and a person. A federated identity makes it possible for the end user to use one trust relationship to access information with another, related company without establishing new credentials."
  30. FIM Definition (cont.)
     • From Microsoft's web site: "Federated systems need to interoperate across organizational boundaries and connect processes utilizing different technologies, identity storage, security approaches and programming models. Within a federated system, identities and their associated credentials are still stored, owned and managed separately. Each individual member of the federation continues to manage its own identities, but is capable of securely sharing and accepting identities and credentials from other members' sources."
     • From IBM Tivoli's web site: "Federated identity management can be defined as an industry framework built on top of industry standards that let subscribers from disparate organizations use their internal identification data to obtain access to the networks of all enterprises in the group."
     • So what is FIM?
  31. FIM Process
     • Identifiers are assigned within a domain to uniquely identify an entity. They usually have no meaning outside the domain of issuance.
     • FIM requires identity information to be passed between domains, therefore:
       – We need to pass (signed) attribute assertions between domains in order to identify and authorise users across domains.
       – FIM is not just single sign-on, although SSO is part of FIM. Why? Because SSO only reuses an authentication; FIM also has to carry the attributes on which the other domain bases its authorisation decision.
  32. A better FIM Definition
     • A group of organisations (ministries, associations, municipalities, etc.) that set up trust relationships which allow them to send attribute assertions about users' identities between themselves, in order to grant users access to their resources.
     • A user can use his credentials (in the AAA sense: authentication, authorisation, accounting) from one or more identity providers to gain access to other sites (service providers) within the federation.
     • Can we use it for e-gov in Palestine?
  33. User-to-Application [figure]
  34. System-to-System [figure]
  35. Credentials
     • Authentic credentials are ones that have not been tampered with and are received exactly as issued by the issuing authority (the signature verifies).
     • Valid credentials are ones that are trusted for use by the target resource site: the issuer is in the federation, the credential was issued for this site, and it is within its lifetime. A credential can be authentic without being valid.
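An added worked example (not from the slides, and not any product's code) of the signed attribute assertion that the FIM Process slide calls for, and of the authentic/valid distinction on this slide. Real federations sign with XML or JSON digital signatures; to stay within the standard library this example uses an HMAC over the assertion with a key the federation metadata associates with each identity provider, which is an assumption. The entity IDs, attribute names and timestamps are made up. The service provider's checks run in the order a practitioner should keep: parse, look up the issuer's key (an unknown issuer is untrusted whether or not the signature would verify), verify the signature (authenticity), then audience, validity window and replay (validity). `forge_attribute` is the attacker's view: editing the assertion while keeping the old tag.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Identity provider / attribute authority for one trust domain."""

    def __init__(self, entity_id: str, key: bytes) -> None:
        self.entity_id = entity_id
        self.key = key                      # shared with the federation (assumption)

    def issue(self, subject: str, attributes: dict, audience: str,
              lifetime: int = 300, now: Optional[float] = None) -> str:
        """Attribute assertion: issuer, subject, intended audience, validity
        window, a unique ID (for replay detection) and the attributes."""
        now = time.time() if now is None else now
        body = {
            "iss": self.entity_id, "sub": subject, "aud": audience,
            "iat": int(now), "exp": int(now) + lifetime,
            "jti": secrets.token_hex(8), "attrs": attributes,
        }
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(tag)


class ServiceProvider:
    """Relying party in another trust domain."""

    def __init__(self, entity_id: str, trusted_issuers: Dict[str, bytes]) -> None:
        self.entity_id = entity_id
        self.trusted_issuers = trusted_issuers   # federation metadata: issuer -> key
        self.seen_ids = set()                    # assertion IDs already consumed

    def check(self, token: str, now: Optional[float] = None) -> Tuple[str, Optional[dict]]:
        """Returns (status, body). Only 'valid' may grant access."""
        now = time.time() if now is None else now
        try:
            payload_b64, tag_b64 = token.split(".")
            payload, tag = _unb64(payload_b64), _unb64(tag_b64)
            body = json.loads(payload)
        except ValueError:
            return "malformed", None
        if not isinstance(body, dict):
            return "malformed", None
        # Nothing in body is acted on until the tag has been verified.
        key = self.trusted_issuers.get(body.get("iss"))
        if key is None:
            return "untrusted-issuer", None
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "not-authentic", None          # tampered or wrongly keyed
        if body.get("aud") != self.entity_id:
            return "wrong-audience", body         # authentic, but not for us
        if not body.get("iat", 0) - 30 <= now < body.get("exp", 0):   # 30 s clock skew
            return "out-of-window", body
        if body.get("jti") in self.seen_ids:
            return "replayed", body               # a stolen copy presented again
        self.seen_ids.add(body.get("jti"))
        return "valid", body


def forge_attribute(token: str, name: str, value) -> str:
    """Attacker's attempt: change one attribute, keep the original tag."""
    payload_b64, tag_b64 = token.split(".")
    body = json.loads(_unb64(payload_b64))
    body["attrs"][name] = value
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + tag_b64
```

The replay set is what makes a stolen-and-reused assertion detectable at the SP; in a real deployment it has to be shared across SP instances and pruned once assertions expire, which is also why assertions are short-lived.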
  37. FIM Examples
     • Old systems: Microsoft Passport; UK Athens.
     • Current FIM systems: Shibboleth; OAuth; Liberty Alliance; CardSpace; Higgins; OpenID.
  38. Example 1: Microsoft .NET Passport
     • .NET Passport is an authentication system that allows users to access multiple sites using the same credentials.
     • Each site remains in charge of its own authorisation, and may use Passport information to help with it.
     • How does it work? Users register at a site, but their credentials and profile information are stored centrally by Microsoft at the Passport server. This means that sites must trust Microsoft to hold user credentials and to authenticate users correctly.
  39. The Registration Process. The Passport site stores the user's credential and profile information, and allocates the user a unique 64-bit Passport User ID (PUID).
  40. Credentials referenced by the Passport UID
     • Mandatory: e-mail address (the unique identifier) and password.
     • Optional: secret questions and answers, mobile phone number and PIN, security key.
     • Stored by Passport if the participating sites require it, and shared between sites if the user opts in: birth date, country/region, first name, gender, last name, occupation, postal code, preferred language, state, time zone.
  41. .NET Passport Authentication [figure]
  42. Inter-Site Authentication Process (moving between Participating Sites)
     • When a user moves to another Participating Site (step 1), the site redirects the user to the Passport site (step 2).
     • During the redirection the user's browser sends the Authentication cookie and Profile cookie to Passport, so Passport knows the user has already authenticated successfully (modified step 2).
  43. Inter-Site Authentication Process (cont.)
     • Passport updates the Participating Sites cookie on the user's machine and redirects the user back to the Participating Site (step 5).
     • The Participating Site receives the encrypted tokens from Passport and knows the user has been authenticated (step 6).
     • When the user logs out of Passport, all Passport cookies are deleted and the Participating Sites cookie is used to clean up the session cookies at every Participating Site.
  44. Disadvantages of MS Passport
     • All user transactions have to involve Microsoft, since it is responsible for authenticating all users.
     • Why should Microsoft be involved in a federation between a car hire company and a hotel? It might be acceptable for Microsoft-related federations such as Hotmail and MSN, but not for every federation between commercial companies.
     • The protocol used by Passport was developed by Microsoft and was therefore not an international standard.
     • Passport has now been superseded by Windows Live ID, an identity meta-system that supports Passport, CardSpace and OpenID.
  45. Example 2: Shibboleth
     • An Internet2 consortium project.
     • Uses an OASIS standard protocol (SAML): authentication happens at the user's home site (IdP), and the service provider authorises using a set of user attributes supplied by the home site.
     • Gives users access to remote resources.
  46. Shibboleth Access Stages
     • Obtaining an authentication assertion for the user from his home site (IdP).
     • Using this to get a set of attribute assertions for the user.
     • The two messages can be combined into one exchange to make the protocol more efficient.
  47. User Authentication using Shibboleth [2]. [Figure: the User, a Web Service with the SHIB SP, the WAYF Service, and the Identity Provider with its Authentication Service and Attribute Authority; step 5: signed authentication assertion to the SP; step 6: the Attribute Authority]
  48. The WAYF Service [figure: the "Where Are You From" service lets the user pick his home IdP]
  49. Authorization using Shibboleth [2]. [Figure: the User, the Web Service with the SHIB SP and its Authz service, and the SHIB IdP with its Authn Service and AA Server; step 9: attributes delivered to the SP; step 10: the authorisation decision]
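An added worked example (not Shibboleth's own code) of the two halves of the Shibboleth authorisation stage: the IdP's attribute authority deciding which attributes to release to which service provider, and the SP deciding access from the released attributes alone. Shibboleth's IdP reads an XML attribute-filter policy; the dict-based policy, the sample directory, the entity IDs and the eduPerson-style attribute names are assumptions for illustration. It also shows the per-SP pseudonymous identifier (the idea behind Shibboleth's targeted ID), which is why, by default, an SP gets a stable handle for the user without learning who the user is.

```python
import hashlib
import hmac

# Constructed sample IdP directory (assumption).
USER_DIRECTORY = {
    "jdoe": {
        "uid": "jdoe",
        "givenName": "Jane",
        "mail": "jdoe@moi.example.ps",
        "affiliation": ["staff", "member"],
        "entitlement": ["urn:egov:licence:renew"],
    },
}

# IdP-side attribute release policy: which attributes each SP (by entityID)
# may receive. Anything not listed for an SP is never released to it.
RELEASE_POLICY = {
    "https://sp.transport.example.ps": {"affiliation", "entitlement"},
    "https://sp.library.example.ps": {"affiliation", "mail"},
}

IDP_SECRET = b"per-deployment-secret"   # assumption: kept private by the IdP


def targeted_id(uid: str, sp_entity_id: str) -> str:
    """Per-SP pseudonymous identifier: stable for one (user, SP) pair, but
    unrelated across SPs, so two SPs cannot correlate the same user without
    the IdP. A keyed hash, so an SP cannot brute-force uids from the value."""
    msg = f"{sp_entity_id}!{uid}".encode()
    return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def release_attributes(uid: str, sp_entity_id: str) -> dict:
    """Attribute authority: the attribute set that goes to this SP."""
    record = USER_DIRECTORY[uid]
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    assertion = {"targetedId": targeted_id(uid, sp_entity_id)}
    for name in sorted(allowed):
        if name in record:
            assertion[name] = record[name]
    return assertion


# SP-side authorisation rules: resource path -> (attribute, required value).
ACCESS_RULES = {
    "/licence/renew": ("entitlement", "urn:egov:licence:renew"),
    "/staff-only": ("affiliation", "staff"),
}


def authorize(attrs: dict, path: str) -> bool:
    """Decide from the released attributes alone; the SP never sees the uid."""
    rule = ACCESS_RULES.get(path)
    if rule is None:
        return False                 # deny by default for unlisted resources
    name, needed = rule
    values = attrs.get(name, [])
    if isinstance(values, str):
        values = [values]
    return needed in values
```

The release policy is the privacy control of the federation: the transport SP learns the entitlement it needs and nothing else, the library SP learns the e-mail address it needs for notices, and neither can tie its `targetedId` to the other's. It is also what the last disadvantage on the next slide is about: a service that must know who the user is needs the IdP to release an identifying attribute to it explicitly.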
  50. Shibboleth disadvantages
     • Only a single attribute authority (the user's home IdP) supplies attributes to the service provider.
     • Subject to phishing attacks, since the user is redirected to a login page.
     • No single sign-off.
     • Credentials can be stolen from a browser and used by an impostor.
     • By default Shibboleth releases only an opaque, per-SP pseudonymous identifier, so services that need to know who the user is for personalisation cannot use it unless the IdP releases identifying attributes to them.
  51. Bibliography
     1. John Wandelt, Georgia Tech Research Institute (GTRI), August 2007.
     2. David Chadwick, Lecture Notes, 2011, TrueTrust Ltd.
  52. Summary. In this session we discussed Federated Identity Management, with different examples.
  53. Thanks. Dr. Radwan Tahboub