1 Authentication Trustworthiness The Next Stage in Identity-Based Access and Security Tom Board,...
1
Authentication Trustworthiness
The Next Stage in Identity-Based Access and Security
Tom Board, NUIT
2
Overview
• What is authentication trustworthiness and why is it important?
• Can it be quantified?
• Can it be categorized?
• How should business processes use it?
• Summary
• Next steps
3
What is Authentication?
• From a Business Viewpoint
  – Authentication is a fundamental part of security
  – Authentication automatically associates a person with his or her actions
  – If everyone were trustworthy, then authentication would not be necessary
• From a Technical Viewpoint
  – There is a range of techniques available
4
What is Authentication Trustworthiness?
• Authentication trustworthiness quantifies the combined confidence in:
  – The identification of the principal
  – The issuance of the credential
  – The secure management of the credential
  – The management of the principal’s standing
5
Trustworthiness is Important
• To enable federated relationships with external entities such as:
  – Research or academic partners
  – Governmental agencies
  – Suppliers and vendors
• To secure information for the use of those intended to see or change it.
6
How is Authentication Trustworthiness Established?
• Identification of the principal
  – What proofs are needed?
  – How can proofs be checked?
• Issuance of the credential
  – Is the credential delivered in-person, through the U.S. mail or otherwise?
  – Does distributed management increase security?
7
Proofs of Existence & Identity
[Diagram: proofs of existence and identity. Labels: Birth Certificate of Principal; SSN; Driver's License; U.S. Mail to Principal; Attestation of parent or guardian; Passport; Bank Account; Credit Card; College Application; Employment Agreement; HR Record; Room key; SES Record; Wild Card]
8
What Factors Affect Authentication Trustworthiness Over Time?
• Management of the principal’s standing
  – How are assertions of the principal’s existence and affiliation refreshed?
  – What subtleties of attribute change can be detected and thereby affect business processes?
• Management of the credential
  – Is the credential inherently vulnerable? Can the credential be used without the principal’s knowledge?
  – Can administrative staff compromise the credential?
  – Is the credential automatically disabled for a principal with an unknown status?
9
Northwestern’s Identity Structure
[Diagram: Northwestern’s identity structure. Components: Authority, Identity Management, Principal, Identity, Identifier, Attributes, Business Rules, Credential Service, Credential Maintenance, Authentication Service, Portal, Federation Gateway (two instances), Target Service (two instances). Flow labels: identification, issuance, creation/maintenance, maintenance, management, authentication, authorization, assertion, federation, access attempt, access attempt (spoofing, misuse, recent tampering)]
10
Terms
Identification: Establishing that the principal is, in fact, the exact entity being represented
Standing: Assertion by an authority which reflects ongoing affiliations
Issuance: Conveying an assigned credential to the exact principal – and only that principal
Management: Continuing assertion by authority which controls attributes
Misuse: Intentional use of the credential by the principal to gain access for a third party
Tampering: Using administrative functions to gain control of the credential and fraudulently represent the principal
Spoofing: Intentional misguidance of the authentication system into believing that a valid credential has been presented and thus fraudulently represent the principal
11
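Can Authentication Trustworthiness be Quantified?

$$\mathrm{Trust}_{\mathrm{authentication}}(\,) = \mathrm{Confidence}_{\mathrm{identity}}(\,) \times \mathrm{Confidence}_{\mathrm{credential}}(\,)$$

$$\mathrm{Confidence}_{\mathrm{identity}}(\,) = (1 - P_{\mathrm{misidentification}}(\,)) \times (1 - P_{\mathrm{misstanding}}(\,))$$

$$\mathrm{Confidence}_{\mathrm{credential}}(\,) = (1 - P_{\mathrm{misissuance}}(\,)) \times (1 - P_{\mathrm{mismanagement}}(\,)) \times (1 - P_{\mathrm{misuse}}(\,)) \times (1 - P_{\mathrm{spoofing}}(\,)) \times (1 - P_{\text{recent tampering}}(\,))$$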
12
Example: NetID

                                       NetID
Trust in authentication             91.3236%
Confidence in identity              97.0299%
Confidence in credential            94.1190%
Probability of misidentification     1.0000%
Probability of misissuance           1.0000%
Probability of misuse                3.0000%
Probability of spoofing              1.0000%
Probability of recent tampering      1.0000%
Probability of mismanagement         1.0000%
Probability of misstanding           1.0000%
(All figures are for illustration purposes only and do not reflect controlled measurements)
13
Improving Trustworthiness– Multi-factor Authentication
• The improved trustworthiness of two-factor authentication comes from multiplying the risk probabilities for the independent credential technologies. E.g. for two factors A and B:

$$P_{\mathrm{spoofing}}(A \,\&\, B) = P_{\mathrm{spoofing}}(A) \times P_{\mathrm{spoofing}}(B)$$

• If management processes are independent, then this multiplicative property would apply to both $P_{\mathrm{misidentification}}(\,)$ and $P_{\mathrm{misissuance}}(\,)$
• But, $P_{\mathrm{misuse}}(A \,\&\, B) = \min(P_{\mathrm{misuse}}(A),\, P_{\mathrm{misuse}}(B))$
14
Example: NetID & OTP

                                       NetID        OTP   OTP & NetID
Trust in authentication             91.3236%   95.6662%      96.0460%
Confidence in identity              97.0299%   98.8021%      98.9980%
Confidence in credential            94.1190%   96.8261%      97.0181%
Probability of misidentification     1.0000%    0.1000%       0.0010%
Probability of misissuance           1.0000%    0.1000%       0.0010%
Probability of misuse                3.0000%    2.0000%       2.0000%
Probability of spoofing              1.0000%    0.1000%       0.0010%
Probability of recent tampering      1.0000%    0.1000%       0.0010%
Probability of mismanagement         1.0000%    1.0000%       1.0000%
Probability of misstanding           1.0000%    1.0000%       1.0000%
(All figures are for illustration purposes only and do not reflect controlled measurements)
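The model on slides 11 to 14, worked through as an added example (not code from the original presentation): it evaluates the slide 11 product for the NetID and OTP probabilities and combines the two factors by the slide 13 rules, reproducing the overall trust figures on the slides. The slides' intermediate confidence rows do not follow the slide 11 grouping, so only overall trust is compared. All names are hypothetical, and treating recent tampering as multiplicative while keeping the larger mismanagement and misstanding value are assumptions inferred from the slide 14 table.

```python
from dataclasses import dataclass, fields

@dataclass(frozen=True)
class RiskProfile:
    """Failure probabilities from slides 11-12, as fractions (0.01 = 1%)."""
    misidentification: float
    misstanding: float
    misissuance: float
    mismanagement: float
    misuse: float
    spoofing: float
    recent_tampering: float

    def __post_init__(self):
        for f in fields(self):
            if not 0.0 <= getattr(self, f.name) <= 1.0:
                raise ValueError(f"{f.name} must be a probability in [0, 1]")

def confidence_identity(r):
    return (1 - r.misidentification) * (1 - r.misstanding)

def confidence_credential(r):
    return ((1 - r.misissuance) * (1 - r.mismanagement) * (1 - r.misuse)
            * (1 - r.spoofing) * (1 - r.recent_tampering))

def trust(r):
    return confidence_identity(r) * confidence_credential(r)

def combine(a, b):
    """Profile for two independent factors presented together (slide 13)."""
    return RiskProfile(
        misidentification=a.misidentification * b.misidentification,
        misissuance=a.misissuance * b.misissuance,
        spoofing=a.spoofing * b.spoofing,
        # Assumption taken from the slide 14 table: tampering also multiplies.
        recent_tampering=a.recent_tampering * b.recent_tampering,
        # Slide 13: misuse takes the minimum, not the product.
        misuse=min(a.misuse, b.misuse),
        # Assumption: these are not improved by a second factor; keep the worse.
        mismanagement=max(a.mismanagement, b.mismanagement),
        misstanding=max(a.misstanding, b.misstanding),
    )

# Illustrative probabilities copied from the slide 12 and slide 14 tables.
NETID = RiskProfile(0.01, 0.01, 0.01, 0.01, 0.03, 0.01, 0.01)
OTP = RiskProfile(0.001, 0.01, 0.001, 0.01, 0.02, 0.001, 0.001)

if __name__ == "__main__":
    for name, r in (("NetID", NETID), ("OTP", OTP), ("both", combine(NETID, OTP))):
        print(f"{name:6s} trust = {trust(r):.4%}")
```

The multiplicative rules hold only when the two factors fail independently; factors that share an issuance desk or a recovery channel should not be combined this way.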
15
Could Trustworthiness be Classified?
• Federal government is using “some”, “high”, and “very high” confidence levels
• EduCause and Internet2 are looking at classifications
• Local definitions could be created and recorded in the LDAP Registry
16
Example Trustworthiness Classifications
• NONE – self-created identity
• LOW – Third-party manual assertion
• NORMAL – Authoritative assertion
• HIGH – In-person, photo-id check
• VERY HIGH – HIGH plus further background checks
• An internal system of “notaries” could serve to raise trustworthiness to HIGH
17
Probability Profiles for Classifications
NetID & Password

                       Trustworthiness Classification
Probability of …       NONE    LOW     NORMAL  HIGH    VERY HIGH
Misidentification      >> 0    0       0       0       0
Misissuance            >> 0    > 0     0       0       0
Recent tampering       >> 0    0       0       0       0
Misstanding            >> 0    > 0     0       0       0
Spoofing               0       0       0       0       0
Misuse                 > 0     > 0     0       0       0
Mismanagement          0       0       0       0       0

>> 0 much greater than zero
> 0 greater than zero
0 approximately zero
0 arbitrarily close to zero
0 exactly zero
18
Probability Profiles for Classifications
OTP Token

Trustworthiness Classification: NONE, LOW, NORMAL, HIGH, VERY HIGH

Probability of …
Misidentification
Misissuance 0 0
Recent tampering
Misstanding
Spoofing
Misuse
Mismanagement 0 0 0

>> 0 much greater than zero
> 0 greater than zero
0 approximately zero
0 arbitrarily close to zero
0 exactly zero
19
Services Based Upon Classification
                           Trustworthiness Classification
Service                    NONE   LOW    NORMAL  HIGH       VERY HIGH
Global Auth                yes    yes    yes     yes        yes
Apply for admission        yes    yes    yes     yes        yes
Non-credit registration    yes    yes    yes     yes        yes
Network Login              -      yes    yes     yes        yes
Wireless VPN               -      yes    yes     yes        yes
Network VPN                -      yes    yes     yes        yes
School/Div AD              -      yes    yes     yes        yes
NU e-mail hosting          -      yes    yes     yes        yes
For-credit registration    -      -      yes     yes        yes
"NU Community"             -      -      yes     yes        yes
Fed. Academics             -      -      yes     yes        yes
Fed. Business              -      -      yes     yes        yes
Full CAESER SlfSvc         -      -      yes     yes        yes
User Financials SlfSvc     -      -      yes     yes        yes
HRIS SlfSvc                -      -      yes     yes        yes
Fed. Government            -      -      -       yes / 2nd  yes / 2nd
Fed. Research              -      -      -       yes / 2nd  yes / 2nd
Dept HRIS/SES              -      -      -       yes / 2nd  yes / 2nd
Approve Financials         -      -      -       yes / 2nd  yes / 2nd
Admin HRIS/SES             -      -      -       -          yes / 2nd
Admin Financials           -      -      -       -          yes / 2nd
20
How Should Business Processes Use Trustworthiness?
• All security frameworks balance University business risks against user convenience and management costs
• Requiring high levels of trustworthiness will require added management effort and cost – requirements should be targeted
• Sensitivity to the recent history of the credential will affect trustworthiness and avoid fraudulent use
21
How Should Business Processes Use Trustworthiness?
• Sensitivity to authentication trustworthiness reduces business risk
  – Processes to provision access should consider trustworthiness
    • Identities able to grant access must be trustworthy
    • Identities granted access must be trustworthy
  – Multi-factor authentication will be necessary for some set of applications
22
How Should Business Processes Use Trustworthiness?
• Sensitivity to authentication trustworthiness can assist with compliance
  – The initial identification and granting of credentials may need to be bolstered to ensure compliance
  – It will be necessary to create means to increase the trustworthiness of an identity and credential to transition users from high-convenience to compliance
23
Authentication Should Not Be Authorization
• Authorization is a separate step taken with knowledge of identity attributes
• Applications must determine which operations or access are authorized for an authenticated principal
  – Coarse-grained authorization takes place within the network or access control systems
  – Fine-grained authorization takes place within the application
24
Authentication Should Not Be Authorization
• Applications may choose to examine both trustworthiness and other attributes of the principal when making authorizing decisions
  – Affiliation to school or department
  – Changes in affiliation
  – Manually-asserted versus authority-asserted
25
Practical Outcomes
• For any University function, there is an implied trustworthiness requirement. These should be made explicit.
• Higher levels of trustworthiness will require face-to-face identification, proofs, and perhaps validation of proofs. Can we make this convenient? Should we?
• If multi-factor authentication is desirable, how should it be funded?
26
Summary
• Trustworthiness reflects our attention to process and will be important for compliance and federation
• Classes of trustworthiness can be defined and form the basis for new business policies
• Software must be modified to consider it
• People must be prepared for some dislocation because of it
27
Community Action Steps
• Convene a group to address identity policies.
  – Define trustworthiness categories
  – Match business function requirements and convenience to trustworthiness
  – Define methods of raising trustworthiness
• Implement categories in IdM infrastructure
• Modify systems to
  – Require appropriate trustworthiness
  – Separate authorization from authentication