Cloudcard2

Avoco Secure,[object Object],The I-Card Cloud Selector,[object Object],CloudCard,[object Object]

An introduction to Avoco’s fully Cloud based I-Card Selector, CloudCard,[object Object],A demonstration of the logon process using the Cloud selector and a shared secret,[object Object],A demonstration of the extended use of Information Cards:,[object Object],Digital signing in the Cloud using Information Cards,[object Object],Access control of documents using Information Cards,[object Object],What you will see today,[object Object]

A fully Cloud based Information Card selector,[object Object],A leap forward in Information Card usability,[object Object],Bypasses the world of Windows desktops,[object Object],Designed to have similar functionality to Windows CardSpace, e.g.,[object Object],Personal cards can be created,[object Object],Cards can be imported,[object Object],Cards can be backed up,[object Object],Works with standard and auditing cards – not yet tested with others e.g. Relationship and Signalling cards,[object Object],Like CardSpace, token encryption is left to IdP for auditing cards,[object Object],CloudCard: What is it?,[object Object]

Usability benefits include:,[object Object],Universal access to your Information Cards,[object Object],True zero footprint for end users – no plug-ins, ActiveX, downloads, etc.,[object Object],Access from normal desktops/laptops as well as phones/mobile devices,[object Object],Test Implementation Site: https://www.secure2cardspace.com,[object Object],Why Bother?,[object Object]

Extensibility: Modular design permits simple use of alternative login protocols, etc.,[object Object],Portability: Written in PHP ∴ easy to port to other languages such as Java (if needed),[object Object],Security: Incorporates anti-phishing technology through shared-secret log in control,[object Object],Security: SSL - MITM attacks less feasible,[object Object],Standards: HTML spec to be submitted as standard ,[object Object],Nitty Gritty,[object Object]

CloudCard called as a post from RP web page:,[object Object],<a href="https://www.secure2cardspace.com/CloudCardA/CardView.php?ampIssuer=www.secure2cardspace.com&RequiredClaims=http....,[object Object],Link specifies entry point to selector, required card issuer, claims, etc., like calling a desktop selector.,[object Object],Additionally certificate of RP is included. ,[object Object],RP Use of CloudCard,[object Object]

Used to provide anti-phishing of the I-Card web service account,[object Object],User chooses a photo before logging into their account,[object Object],If correct photo displayed, user can log in knowing the site is genuine,[object Object],A photo always presented to prevent guessing username,[object Object],More on using photos as a shared secret ,[object Object],Sir Henry No-Tail,[object Object]

What’s to stop Phisher from Relaying?,[object Object],1. Generate phishing page,[object Object],Phishing server (PS),[object Object],2. Username submitted,[object Object],CS Backend,[object Object],3. PS submits username to CS backend,[object Object],4. PS gets image from response,[object Object],5. Correct image set in fake password entry page,[object Object]

Session key with real site ,[object Object],1. Create page and setup session key,[object Object],CS Backend,[object Object],2. Username submitted,[object Object],with session key data,[object Object],3. Valid Session key: Image returned,[object Object]

Session key with Phishing Site,[object Object],1. Generate phishing page,[object Object],Phishing server (PS),[object Object],2. Username submitted,[object Object],CS Backend,[object Object],3. PS submits username to CS backend (invalid session key),[object Object],4. No response,[object Object],5. Cannot set correct image,[object Object]

No protection against desktop Trojan / virus (but then entire system is potentially compromised including desktop selector),[object Object],Weaknesses,[object Object]

Use your preferred login scheme e.g. OpenID.,[object Object],If you don’t like this...,[object Object]

Face recognition and recognition of familiar objects is part of an acquired evolutionary trait that helps us survive,[object Object],We are good at it,[object Object],We place trust in our ability to use face recognition and object recognition,[object Object],We use processes of cheat recognition all the time, everyday, to interact with others,[object Object],An identity system must mesh real world me with digital me,[object Object],We must use existing human traits when designing the system ,[object Object],Human Beings, Digital Identity and Pictures of Familiar Things,[object Object]

If you’re interested in the research into cheat recognition and similar:,[object Object],Cartwright, J 2000. Evolution & Human Behaviour. Palgrave,[object Object],Daly, M & Wilson, MI 1999. Human evolutionary psychology and animal behaviour,[object Object],Cosmides, L and Tooby, University of California at Santa Barbara,[object Object],http://www.psych.ucsb.edu/research/cep/primer.html,[object Object], http://www.psych.ucsb.edu/research/cep/papers/TOMbroadnarrow.pdf,[object Object],Further Reading,[object Object]

The Avoco Cloud Selector is modular, so,[object Object],Can choose to use a myriad of authentication techniques – this presentation shows one,[object Object],Important not to forget the big picture:,[object Object],Usability – for a consumer as well as business audience,[object Object],Represents the real world me in a familiar way,[object Object],I am me because of these reasons (claims)…,[object Object],Can be used not just for logging into web sites,[object Object],Identity is more than just access control,[object Object],Authentication, Authentication or a Bigger Picture,[object Object]

Current Developments,[object Object],Authentication:,[object Object],Digital certificate,[object Object],OpenID,[object Object],LiveID,[object Object],Card authentication specified by RP,[object Object],e.g. only a card backed by X509 can be selected,[object Object],Seamless upload of cards from IdP to Selector – transparent management for users,[object Object]

A system for issuing OpenID’s with an Information Card ,[object Object],Links the two ID system – best of both worlds,[object Object],OpenID attributes can be set as a Information Card Claim ,[object Object],Information card can be authenticated by that OpenID,[object Object],OpenID linked to the extended claims system of the Information Card,[object Object],Best of each to create a symbiotic ID system,[object Object],Futures: Information cards and OpenID: SymbioticID (SymID),[object Object]

Requires additional HTML / JavaScript,[object Object],Recommended for web pages to allow user to select a Cloud Selector and Desktop Selector where appropriate / available.,[object Object],How are multiple Selectors to be addressed?,[object Object],Preconfigured to a single Selector,[object Object],Preconfigured dropdown list,[object Object],Dynamic list populated from discovery service.,[object Object],Cloud Selectors: Adoption: ,[object Object]

Extending the Uses of Information Cards,[object Object],Digital Signing in the Cloud,[object Object]

Digital certificates are user-unfriendly and unpopular,[object Object],People don’t like to install software, including browser plug-ins,[object Object],Current solutions for signing on-line forms are open to denial of signing caused by only including form text in signature,[object Object],Therefore, to encourage digital signing, these issues must be addressed,[object Object],Why aren’t we all digitally signing?,[object Object]

Avoco Secure have developed first truly Cloud based digital signing,[object Object],Can be used on:,[object Object],On any operating system,[object Object],Using any browser ,[object Object],From desktops, laptops, mobile devices, phones and so on,[object Object],Signing does not require user to have X509, but standard PKCS#7 signature produced.,[object Object],Nothing to install – fully Cloud based.,[object Object],Non-repudiation addressed.,[object Object],Signing in the Cloud,[object Object]

Always a problem to identify the signer,[object Object],Avoco – generate repeatable RSA key pair from ID info e.g.,[object Object],Information Card claims,[object Object],OpenID attributes,[object Object],ATM Card numbers,[object Object],Passwords,[object Object],etc., etc.,[object Object],Exact data specified by host,[object Object],Key pair -> transient X509 used to sign with,[object Object],Cert and key pair destroyed after signing,[object Object],Digital Signing and Identity,[object Object]

Image of the completed form incorporated into the digital signature,[object Object],Non-Repudiation of Signature,[object Object]

Incorporates timestamp (RFC3161),[object Object],Emails signature to user,[object Object],Signature verifiable by common tools as well as Avoco on-line verifier,[object Object],Other,[object Object]

Demo of CloudCard with Cloud Signing Demo,[object Object]

Extending the Uses of Information Card,[object Object],Controlling Access and Applying Usage Policies to Documents and Emails,[object Object]

Controlling access to documents, emails using Identity Information from Information Cards,[object Object],secure2trust,[object Object],secure2email,[object Object],secure2access,[object Object],Claims used to:,[object Object],Control document and email access,[object Object],Apply usage policies, post access,[object Object],Done in a content centric manner,[object Object],Security is persistent across perimeters,[object Object],And there’s more…,[object Object]

Demo of document access control and policy application,[object Object]

Thanks for your time,[object Object],Susan Morrow,[object Object],Head of Product Development,[object Object],Avoco Secure,[object Object],susan.morrow@avocosecure.com,[object Object]

Cloudcard2

Cloudcard2

Recommended

More Related Content

Recently uploaded

Recently uploaded(20)

Featured

Featured(20)

Cloudcard2

Editor's Notes