Re-using existing PKIs for online Identity Management


Published on

Using ePassports with Information Card. Presented at RSA Conference Europe 2009.

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • 14.45
  • This is the “apply” slide.
  • 14.50
  • Identity is necessary (a driver) for online services. Today’s Internet user no longer uses nick names, but publishes identity information on social network or blog. Users expect to be in control over who gets what attributes, though.
  • Checking credentials of C requires RP to trust IdP Controlled release of attributes about C’s identity requires C to trust IdP
  • To counter last drawback: implement identifier with a tamper-proof token (smart card). Example of Online IdP: InfoCard, Example of offline IdP: ePassport.
  • User-centric as opposed to IdP-centric OpenID and InfoCard different communities / cultures. Technically browser vs. dedicated client. Dedicated client offers more flexibility. OpenID seems to have more support both in terms of number of IdPs and number of RPs.
  • MS learned from MS passport.
  • Managed cards: not just attributes kept at IdP. Both client and IdP need to be online for transaction.
  • 15.10
  • BAC: “basic” because access key is based on date-of-birth, date-of-expiry, document number. EAC: issuing country limits access to its citizen’s biometric data by issuing certificates to trusted countries.
  • Google alert found root certificates for 12 countries: Austria, Czech Republic, Finland, France, Germany, Greece, Hungary, Monaco, Netherlands, Slovenia, Spain, Switzerland.
  • 15.20
  • IdP translates DoB to “over 18” to be sent to RP.
  • The red stuff is what we added.
  • EAC: most ePassport issuing countries keep basic card holder data in DG1 (only protected by BAC) User needs to trust IdP with respect to privacy RP needs to trust IdP with respect to attribute translation (doesn’t get to see signed DG)
  • 15.30
  • Different role of IdP: Attributes not stored at IdP but in token of user Possibility for privacy protection by translating “raw” attributes Would ideal: privacy protection in ePassport, while still be able to send “signed” attributes to RP
  • 15.35
  • Re-using existing PKIs for online Identity Management

    1. 1. Re-using existing PKIs for online Identity Management Martijn Oostdijk Novay 22/10/09 | Session ID: 305 Classification: Intermediate
    2. 2. Agenda Electronic Passports A short introduction to Identity 2.0 Using the ePassport PKI for online IdM Conclusions
    3. 3. How to apply what you learn here? <ul><li>I will demonstrate how third parties (you?) can piggyback “traditional” PKI infrastructure to facilitate your organization’s IdM </li></ul><ul><li>You are invited to come and discuss pros and cons of the combination of PKI and user-centric IdM </li></ul><ul><li>You will understand the risks involved and benefits of this combination, and be able to judge whether it is cost-effective for your organization </li></ul>Educate + Learn = Apply
    4. 4. An Introduction to Identity 2.0
    5. 5. Web / Identity 2.0 means… <ul><li>“ Everybody knows you’re not a dog.” </li></ul>
    6. 6. An attempt to define “Identity” <ul><li>Identity is what you and others claim about you </li></ul><ul><li>In real life, whether you trust a claim </li></ul><ul><ul><li>Depends on context, </li></ul></ul><ul><ul><li>Depends on “authorities” or “Identity Providers” </li></ul></ul><ul><ul><ul><li>parents, school, government </li></ul></ul></ul><ul><ul><li>Depends on “Identity Providers by proxy” </li></ul></ul><ul><ul><ul><li>signed note, diploma, passport, driver’s license </li></ul></ul></ul><ul><li>On the Internet there is little context </li></ul><ul><li>Identity Providers needed for trust </li></ul>
    7. 7. Identity Management Would like to use service Facilitates this process by - checking credentials of C - controlled release of attributes about C Client (C) Relying Party (RP) Identity Provider (IdP)
    8. 8. Online or offline IdP? <ul><li>Online IdP </li></ul><ul><li>Redirect RP to IdP </li></ul><ul><li>Drawback: single point of failure </li></ul><ul><li>Drawback: infrastructure cost </li></ul><ul><li>Drawback: privacy? </li></ul><ul><li>Offline IdP </li></ul><ul><li>IdP signed an identifier for client to present to RP </li></ul><ul><li>No single point of failure </li></ul><ul><li>Drawback: revocation </li></ul><ul><li>No need to trust IdP w.r.t. privacy </li></ul><ul><li>Drawback: can we trust user / user’s PC to store identifier? </li></ul>
    9. 9. What is Identity 2.0? <ul><li>Identity 2.0 is User-centric Identity </li></ul><ul><li>The user is in control over what information is shared with RP </li></ul><ul><li>Two standards are popular: </li></ul><ul><ul><li>OpenID </li></ul></ul><ul><ul><li>Information Card </li></ul></ul><ul><li>Hot or hype? (Like everything 2.0?) </li></ul><ul><li>We’ll focus on Information Card here </li></ul>
    10. 10. Laws of Identity 2.0 <ul><li>By Kim Cameron of Microsoft </li></ul><ul><ul><li>User control </li></ul></ul><ul><ul><li>Minimal disclosure, constrained purpose </li></ul></ul><ul><ul><li>Justifiable parties </li></ul></ul><ul><ul><li>Directed identity </li></ul></ul><ul><ul><li>Pluralism of operators and technologies </li></ul></ul><ul><ul><li>Human integration </li></ul></ul><ul><ul><li>Consistent experience across contexts </li></ul></ul><ul><li>Explained for dummies: </li></ul><ul><li>People using computers should be in control of giving out information about themselves, just as they are in the physical world. </li></ul><ul><li>The minimum information needed for the purpose at hand should be released, and only to those who need it. Details should be retained no longer than necesary. </li></ul><ul><li>It should NOT be possible to automatically link up everything we do in all aspects of how we use the Internet. A single identifier that stitches everything up would have many unintended consequences. </li></ul><ul><li>We need choice in terms of who provides our identity information in different contexts. </li></ul><ul><li>The system must be built so we can understand how it works, make rational decisions and protect ourselves. </li></ul><ul><li>Devices through which we employ identity should offer people the same kinds of identity controls - just as car makers offer similar controls so we can all drive safely. </li></ul>
    11. 11. Information Card <ul><li>Open standard (sort of) </li></ul><ul><li>Self-signed cards: Attributes kept at client </li></ul><ul><li>Managed cards: Attributes kept at IdP </li></ul><ul><li>Windows CardSpace is Microsoft’s implementation </li></ul><ul><li>To prevent phishing: GUI dialog leaves context of OS </li></ul>
    12. 12. Electronic Passports
    13. 13. e Passport <ul><li>Issued by government, standardized by ICAO </li></ul><ul><li>Contains chip with </li></ul><ul><ul><li>Information about card holder </li></ul></ul><ul><ul><li>Mechanism to verify integrity of that information </li></ul></ul><ul><ul><li>Mechanism to verify authenticity of chip </li></ul></ul><ul><ul><li>Mechanism to communicate confidentially </li></ul></ul><ul><li>Tested and found “secure” up to EAL4+ </li></ul><ul><li>Intended for verification by border official’s equipment </li></ul><ul><li>(Not intended for online verification) </li></ul>
    14. 14. e Passport Chip Logo MRZ Antenna
    15. 15. Logical Data Structure hashes DGs + signature issuing state SOd public key for Active Authentication DG15 [some people with really long names] [ DG11 ] photo face DG2 name, etc, a.o. date of birth and BSN DG1 index of DGs present COM
    16. 16. ePassport security mechanisms <ul><li>CONTROLS: </li></ul><ul><li>Basic Access Control </li></ul><ul><li>Passive Authentication </li></ul><ul><li>Active Authentication </li></ul><ul><li>Extended Access Control </li></ul><ul><li>Biometry </li></ul><ul><li>THREATS: </li></ul><ul><li>Skimming & tracking (privacy) </li></ul><ul><li>Eavesdropping (privacy) </li></ul><ul><li>Altering (authenticity, integrity) </li></ul><ul><li>Cloning (authenticity) </li></ul><ul><li>Disclosure of biometrics (confidentiality) </li></ul><ul><li>Look-a-like fraud </li></ul>
    17. 17. e Passports form a worldwide PKI! <ul><li>Passive authentication means: </li></ul><ul><ul><li>Data groups signed by “document signer” </li></ul></ul><ul><ul><li>Document signer’s certificate signed by “country signer” </li></ul></ul><ul><li>Country signer’s certificate is given to other countries so that they can verify integrity and authenticity </li></ul><ul><ul><li>Sometimes on government’s web site </li></ul></ul><ul><ul><li>In that case, third parties can read content after performing BAC </li></ul></ul><ul><li>Can ePassports be used in Identity 2.0 scheme such as Information Card? </li></ul>
    18. 18. Using the ePassport PKI for online IdM
    19. 19. ePassport + CardSpace
    20. 20. Information Card protocol 1. Access 2. Policy 3. Filter cards 4. Select card 5. Request token 6. Give token 7. Give token 5/6. BAC + AA + DG1 + DG15 + SOd IdP Client RP User
    21. 21. Result <ul><li>An online IdP can verify a user’s ePassport remotely </li></ul><ul><ul><li>If the ePassport supports Active Authentication, </li></ul></ul><ul><ul><li>and Basic Access Control (and BAC keys known to the IdP), </li></ul></ul><ul><ul><li>and the country signing certificate is known to the IdP </li></ul></ul><ul><li>If data is protected by EAC </li></ul><ul><ul><li>ePassport issuing countries can limit access to selected IdPs </li></ul></ul><ul><li>The IdP can translate attributes </li></ul><ul><ul><li>To protect privacy </li></ul></ul><ul><ul><li>E.g. date-of-birth becomes “currently over 18 years of age” </li></ul></ul><ul><ul><li>User still in control of what gets sent to RP </li></ul></ul>
    22. 22. Conclusions
    23. 23. Conclusions <ul><li>Trend: Identity 2.0 (user-centric) </li></ul><ul><li>Trend: governments rolling out massive worldwide PKI </li></ul><ul><li>Such a PKI is very 1.0, but can be used in an Identity 2.0 scheme </li></ul><ul><ul><li>Although role of IdP is somewhat different: </li></ul></ul><ul><li>A trusted online IdP is good for privacy </li></ul><ul><ul><li>IdP translates “raw” attributes (such as date-of-birth) to more privacy friendly attributes (such as “currently over 18 years of age”) </li></ul></ul><ul><ul><li>Combining offline and online identity management offers some flexibility in terms of privacy protection </li></ul></ul>
    24. 24. Questions?