1. Avoco Secure
   The I-Card Cloud Selector
   CloudCard
2. What you will see today
   - An introduction to Avoco's fully Cloud-based I-Card Selector, CloudCard
   - A demonstration of the logon process using the Cloud selector and a shared secret
   - A demonstration of the extended use of Information Cards:
     - Digital signing in the Cloud using Information Cards
     - Access control of documents using Information Cards
3. CloudCard: what is it?
   - A fully Cloud-based Information Card selector
   - A leap forward in Information Card usability
   - Bypasses the world of Windows desktops
   - Designed to have similar functionality to Windows CardSpace, e.g.
     - Personal cards can be created
     - Cards can be imported
     - Cards can be backed up
   - Works with standard and auditing cards; not yet tested with other card types, e.g. Relationship and Signalling cards
   - Like CardSpace, token encryption for auditing cards is left to the IdP
4. Why bother?
   Usability benefits include:
   - Universal access to your Information Cards
   - True zero footprint for end users: no plug-ins, ActiveX, downloads, etc.
   - Access from normal desktops/laptops as well as phones/mobile devices
   Test Implementation Site:
5. Nitty gritty
   - Extensibility: modular design permits simple use of alternative login protocols, etc.
   - Portability: written in PHP, so easy to port to other languages such as Java (if needed)
   - Security: incorporates anti-phishing technology through shared-secret login control
   - Security: SSL between browser and selector makes man-in-the-middle (MITM) attacks less feasible
   - Standards: HTML spec to be submitted as a standard
6. RP use of CloudCard
   CloudCard is called as a post from the RP web page:
   <a href=";RequiredClaims=http....
   The link specifies the entry point to the selector, the required card issuer, the required claims, etc., in the same way that a desktop selector is called.
   Additionally, the certificate of the RP is included.
7. More on using photos as a shared secret
   - Used to provide anti-phishing protection for the I-Card web service account
   - The user chooses a photo before first logging into their account
   - If the correct photo is displayed, the user can log in knowing the site is genuine
   - A photo is always presented, whether or not the username exists, so the response cannot be used to guess valid usernames
   (Photo: Sir Henry No-Tail)
8. What's to stop a phisher from relaying?
   Parties: user's browser, phishing server (PS), CS backend
   1. PS generates a phishing page
   2. User submits their username to PS
   3. PS submits the username to the CS backend
   4. PS gets the image from the response
   5. PS sets the correct image in its fake password-entry page
9. Session key with the real site
   Parties: user's browser, CS backend
   1. The real site creates the page and sets up a session key
   2. Username submitted together with the session key data
   3. Valid session key: image returned
10. Session key with a phishing site
   Parties: user's browser, phishing server (PS), CS backend
   1. PS generates a phishing page
   2. User submits their username to PS
   3. PS submits the username to the CS backend with an invalid session key
   4. No response
   5. PS cannot set the correct image
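The exchange on slides 8 to 10, as an added example that is not part of the original deck or Avoco's code. The slides do not say what makes a session key "valid"; this model assumes that the CS backend only mints a key for a browser presenting a first-party cookie set when the user enrolled their photo, and that the phishing server is a different origin, so the browser never sends it that cookie. Usernames, photo names and cookies are constructed.

```python
"""Photo shared secret with a backend session key: genuine login (slide 9)
versus a relaying phishing server (slides 8 and 10).

Assumptions (not stated on the slides): the backend issues a session key only
to a browser carrying a device cookie set at photo enrolment, and a phishing
server on another origin never receives that cookie.
"""
import hashlib
import hmac
import secrets
import time

DECOY_PHOTOS = ["decoy_boat.jpg", "decoy_tree.jpg", "decoy_kettle.jpg"]  # constructed


class CSBackend:
    """The Cloud Selector backend that holds the shared secrets."""

    def __init__(self):
        self.decoy_key = secrets.token_bytes(32)  # makes the decoy stable per username
        self.photos = {}     # username -> photo chosen at enrolment
        self.devices = {}    # device cookie -> username it was issued to
        self.sessions = {}   # session key -> (issued_at, device cookie)

    def enrol(self, username: str, photo: str) -> str:
        """Slide 7: the user picks a photo; the browser receives a device cookie."""
        self.photos[username] = photo
        cookie = secrets.token_hex(16)
        self.devices[cookie] = username
        return cookie

    def create_login_page(self, device_cookie):
        """Slide 9 step 1: build the page and set up a session key, but only
        for a browser that carries a cookie this backend issued (assumption)."""
        if device_cookie not in self.devices:
            return None
        key = secrets.token_hex(16)
        self.sessions[key] = (time.time(), device_cookie)
        return key

    def image_for(self, username: str, session_key, ttl_seconds: int = 300):
        """Slide 9 step 3 / slide 10 steps 3-4: a photo only for a fresh,
        single-use session key; otherwise no response at all."""
        entry = self.sessions.pop(session_key, None)
        if entry is None:
            return None
        issued_at, device_cookie = entry
        if time.time() - issued_at > ttl_seconds:
            return None
        # Slide 7: always return *a* photo, so the reply does not reveal
        # whether the username exists or belongs to this device.
        if self.devices.get(device_cookie) == username:
            return self.photos[username]
        return self._decoy_for(username)

    def _decoy_for(self, username: str) -> str:
        tag = hmac.new(self.decoy_key, username.encode(), hashlib.sha256).digest()
        return DECOY_PHOTOS[int.from_bytes(tag[:4], "big") % len(DECOY_PHOTOS)]


def genuine_login(backend: CSBackend, browser_cookies: dict, username: str):
    """Slide 9: the real page's session key is accepted; the user sees their photo."""
    key = backend.create_login_page(browser_cookies.get("cloudselector.example"))
    return backend.image_for(username, key)


def relayed_login(backend: CSBackend, phisher_cookies: dict, username: str):
    """Slides 8/10: PS serves its own page, collects the username and relays it.
    Without the device cookie it gets no key, and a made-up key is rejected."""
    key = backend.create_login_page(phisher_cookies.get("cloudselector.example"))
    if key is None:
        key = secrets.token_hex(16)          # PS tries a fabricated session key
    return backend.image_for(username, key)  # None: PS cannot set the right photo


def run_scenarios() -> dict:
    backend = CSBackend()
    alice_cookie = backend.enrol("alice", "sir_henry_no_tail.jpg")
    alice_browser = {"cloudselector.example": alice_cookie}  # first-party cookie jar
    phisher = {}                                             # other origin: no cookie
    return {
        "genuine": genuine_login(backend, alice_browser, "alice"),
        "relayed": relayed_login(backend, phisher, "alice"),
    }


if __name__ == "__main__":
    print(run_scenarios())  # {'genuine': 'sir_henry_no_tail.jpg', 'relayed': None}
```

The property the whole scheme rests on is that the phishing server cannot obtain a key the backend will honour. If the backend handed a session key to any client that fetched the login page, a relaying server would simply fetch one itself, so the key has to be tied to something only the genuine user's browser presents; the enrolment cookie above is one such binding.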
11. Weaknesses
   - No protection against a desktop Trojan or virus (but then the entire system is potentially compromised, including a desktop selector)
12. If you don't like this...
   Use your preferred login scheme, e.g. OpenID.
13. Human beings, digital identity and pictures of familiar things
   - Recognition of faces and of familiar objects is an acquired evolutionary trait that helps us survive
   - We are good at it
   - We place trust in our ability to recognise faces and objects
   - We use processes of cheat recognition all the time, every day, to interact with others
   - An identity system must mesh the real-world me with the digital me
   - We must use existing human traits when designing the system
14. Further reading
   If you're interested in the research into cheat recognition and similar:
   - Cartwright, J. (2000). Evolution and Human Behaviour. Palgrave.
   - Daly, M. and Wilson, M. I. (1999). Human evolutionary psychology and animal behaviour.
   - Cosmides, L. and Tooby, J., University of California at Santa Barbara.
15. Authentication, authentication, or a bigger picture?
   - The Avoco Cloud Selector is modular, so it can use a myriad of authentication techniques; this presentation shows one
   - Important not to forget the big picture:
     - Usability, for a consumer as well as a business audience
     - Represents the real-world me in a familiar way
     - I am me because of these reasons (claims)...
     - Can be used not just for logging into web sites
     - Identity is more than just access control
16. Current developments
   - Authentication:
     - Digital certificate
     - OpenID
     - LiveID
   - Card authentication specified by the RP, e.g. only a card backed by an X.509 certificate can be selected
   - Seamless upload of cards from IdP to Selector: transparent management for users
17. Futures: Information Cards and OpenID: SymbioticID (SymID)
   - A system for issuing OpenIDs with an Information Card
   - Links the two ID systems: best of both worlds
   - OpenID attributes can be set as Information Card claims
   - The Information Card can be authenticated by that OpenID
   - The OpenID is linked to the extended claims system of the Information Card
   - The best of each creates a symbiotic ID system
18. Cloud Selectors: adoption
   - Requires additional HTML/JavaScript
   - Recommended that web pages allow the user to choose between a Cloud Selector and a Desktop Selector where appropriate/available
   - How are multiple Selectors to be addressed?
     - Preconfigured to a single Selector
     - Preconfigured drop-down list
     - Dynamic list populated from a discovery service
19. Extending the uses of Information Cards: digital signing in the Cloud
20. Why aren't we all digitally signing?
   - Digital certificates are user-unfriendly and unpopular
   - People don't like to install software, including browser plug-ins
   - Current solutions for signing online forms are open to the signer later denying what they signed, because only the form text, not the form as presented, is covered by the signature
   - Therefore, to encourage digital signing, these issues must be addressed
21. Signing in the Cloud
   - Avoco Secure have developed the first truly Cloud-based digital signing
   - Can be used:
     - On any operating system
     - Using any browser
     - From desktops, laptops, mobile devices, phones and so on
   - Signing does not require the user to have an X.509 certificate, but a standard PKCS#7 signature is produced
   - Nothing to install: fully Cloud-based
   - Non-repudiation addressed
22. Digital signing and identity
   - It is always a problem to identify the signer
   - Avoco: generate a repeatable RSA key pair from ID information, e.g.
     - Information Card claims
     - OpenID attributes
     - ATM card numbers
     - Passwords
     - etc.
   - The exact data used is specified by the host
   - Key pair -> transient X.509 certificate used to sign with
   - Certificate and key pair destroyed after signing
23. Non-repudiation of signature
   - An image of the completed form is incorporated into the digital signature
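The flow on slides 22 and 23 (a repeatable key pair derived from identity data, used once over both the form text and the rendered form image, then discarded), as an added example that is not Avoco's code. The slides do not give the key-derivation function or key size, so both are this example's assumptions: an HMAC-SHA256 counter-mode stream seeded from a canonical encoding of the host-chosen fields, and toy 256-bit primes so that pure Python runs quickly. The output is a raw PKCS#1 v1.5 signature value, which is what a PKCS#7/CMS SignedData would wrap; building the CMS structure and the transient X.509 certificate is not shown. Identity fields, form text and image bytes are constructed.

```python
"""Deterministic RSA key from identity data, one signature over the completed
form (text + image), then the private key is dropped.

Assumptions: the KDF (HMAC-SHA256 counter mode over sorted key=value fields)
and the 256-bit toy primes are this example's, not Avoco's; production keys
need at least 1024-bit primes.
"""
import hashlib
import hmac
from math import gcd

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
SMALL_PRIMES = [p for p in range(3, 500) if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def _byte_stream(seed: bytes):
    """Same seed gives the same bytes, so the same primes and the same key."""
    counter = 0
    while True:
        yield from hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Trial division, then Miller-Rabin with fixed bases (candidates are not
    attacker-chosen here, so fixed bases are acceptable for a demo)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES[:rounds]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _next_prime(stream, bits: int) -> int:
    while True:
        raw = int.from_bytes(bytes(next(stream) for _ in range(bits // 8)), "big")
        cand = raw | (1 << (bits - 1)) | 1  # full length and odd
        if _is_probable_prime(cand):
            return cand


def derive_keypair(identity_fields: dict, prime_bits: int = 256) -> dict:
    """Slide 22: a repeatable key pair from the host-specified identity data."""
    # Canonical encoding so field order cannot change the derived key.
    material = "\n".join(f"{k}={identity_fields[k]}" for k in sorted(identity_fields))
    stream = _byte_stream(hashlib.sha256(material.encode()).digest())
    e = 65537
    while True:
        p, q = _next_prime(stream, prime_bits), _next_prime(stream, prime_bits)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def form_digest(form_text: str, form_image: bytes) -> bytes:
    """Slide 23: bind the rendered image of the completed form, not just its text."""
    return hashlib.sha256(
        hashlib.sha256(form_text.encode()).digest() + hashlib.sha256(form_image).digest()
    ).digest()


def _emsa_pkcs1_v15(digest: bytes, k: int) -> int:
    t = SHA256_DIGESTINFO + digest
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def sign(key: dict, digest: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(digest, k), key["d"], key["n"]).to_bytes(k, "big")


def verify(n: int, e: int, digest: bytes, sig: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa_pkcs1_v15(digest, k)


def sign_form_with_identity(identity_fields: dict, form_text: str, form_image: bytes) -> dict:
    """Derive, sign, destroy: only the public key and signature leave this function."""
    key = derive_keypair(identity_fields)
    sig = sign(key, form_digest(form_text, form_image))
    del key["d"]  # "cert and key pair destroyed after signing"
    return {"n": key["n"], "e": key["e"], "sig": sig}
```

Because the same identity data always yields the same modulus, the host can recognise a returning signer by the public key alone, which is what the slide means by identifying the signer. The flip side is that anyone who knows the input fields can regenerate the private key and sign in the user's name, so the host-specified data must include something a forger cannot obtain; passwords or card numbers on their own carry far less entropy than an RSA key is supposed to have.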
24. Other
   - Incorporates a timestamp (RFC 3161)
   - Emails the signature to the user
   - Signature verifiable by common tools as well as Avoco's online verifier
26. Extending the uses of Information Cards: controlling access and applying usage policies to documents and emails
27. And there's more...
   Controlling access to documents and emails using identity information from Information Cards:
   - secure2trust
   - secure2email
   - secure2access
   Claims are used to:
   - Control document and email access
   - Apply usage policies after access
   - This is done in a content-centric manner
   - Security is persistent across perimeters
29. Thanks for your time
   Susan Morrow
   Head of Product Development
   Avoco Secure