Identity: A desiderata for the Next Generation Internet

presented by Pat Burke and Christian Loza, University of North Texas, at the “Seminar II, Saturday October 6, 2005”

Description

Identity: A desiderata for the Next Generation Internet. Presented by Pat Burke and Christian Loza, University of North Texas, at the “Seminar II, Saturday October 6, 2005”. Biometric ID Problem Definition. Conventional password security is NOT secure because passwords tend to be:

Transcript of Identity: A desiderata for the Next Generation Internet

Page 1: Identity: A desiderata for the Next Generation Internet

presented by Pat Burke and Christian Loza, University of North Texas

at the “Seminar II, Saturday October 6, 2005”

Page 2: Biometric ID Problem Definition

Conventional password security is NOT secure because passwords tend to be:
• Easily guessed
• Forgotten
• Written down in easily accessible locations
• Shared with a friend
• Common for a given user across a wide range of applications/systems

Page 3: Biometric ID Problem Definition

Biometric Identification is one possible solution to the user authentication problem.

Biometric ID refers to verifying individuals based on their physical and behavioral characteristics such as face, fingerprint, hand geometry, iris, keystroke, signature, voice, and even body odor. [7]

Two proposed Biometric ID solutions will be presented:
• Robust hashing with a one-way transformation [8]
• Multimodal Biometric ID [9]

Page 4: Biometric ID Problem Definition

Biometric data has some shortcomings:
• If compromised, it cannot be reset
• Storing actual biometric templates should be avoided
• Variability of biometric data precludes the use of exact-matching hashing algorithms such as MD5 and SHA-1 [8]
• “Fuzzy” logic must be employed in evaluating the biometric input

Page 5: Biometric ID Background

Enrollment and Authentication Process

Page 6: Biometric ID Background

KEY METRICS

False Acceptance Rate: how many unauthorized individuals gain access due to biometric features similar to an authorized user’s. MUST BE MINIMIZED to maintain security; MUST BE ZERO for some security applications.

False Rejection Rate: how many authorized individuals are denied access due to the inability to match their input with their biometric template. This is an inconvenience, but not a security problem.

Page 7: Biometric ID Background

OTHER METRICS
• Time required for the enrollment process
• Time required for the verification process
• Computer resources utilized for the security system: memory, algorithmic efficiency (CPU time)

Page 8: Robust Hashing

Is it possible to design a robust hashing algorithm such that the hashes of two close inputs are judged identical, while inputs which are not so close give completely different outputs?

“Features” of the biometric data are selected based upon the type of biometric data chosen.

During enrollment, “enough” samples are acquired from each user to obtain a range value (2δ) for EACH feature value.

Page 9: Robust Hashing

A unique hash value is then assigned to EACH feature and stored (encrypted) for verification.

A Gaussian function is then fitted to the data for each feature, which results in the assigned hashed output value.

The Gaussian function is then combined with “fake Gaussian peaks” to hide the true input, resulting in a non-invertible one-way transformation.

Page 10: Robust Hashing

TRUE GAUSSIAN FUNCTION (red)

Parameters of the Gaussian non-invertible transforms are stored on “smartcards” of some sort, which the user must present at authentication time.

Page 11: Robust Hashing

USER AUTHENTICATION

Page 12: Robust Hashing

Tested against the ORL Database of Faces, available at http://www.uk.research.att.com/facedatabase.html
• Consists of 10 different images of each of 40 distinct subjects, taken under extensively varying conditions
• 6 of the images for each individual were used in the enrollment phase
• The remaining 4 were used in the test sets
• 20 features were selected
• Tests were conducted with 5% and 10% tolerance factors for the inputs, to account for variation in the non-enrolled faces


Page 14: Robust Hashing

TEST RESULTS

FALSE REJECTION RATE: how many GOOD GUYS could not get in
• 15 subjects were correctly identified on 4/4 images with a 10% tolerance factor.
• 1 subject was NEVER correctly identified using ANY of the 4 images with a 10% tolerance factor.

FALSE ACCEPTANCE RATE: how many BAD GUYS COULD get in
• 25 subjects WERE authenticated using at least 4 other individuals’ credentials at a 10% tolerance factor.
• 12 subjects were NEVER falsely admitted using ANY other person’s credentials with a 5% tolerance factor.
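The tolerance-based matching of pages 8 and 12 and the FAR/FRR bookkeeping of pages 6 and 14, as an added Python example that is not code from the presentation or from reference [8]: the Gaussian one-way transform is replaced by a simple per-feature bucket, the subjects, features, salts and samples are constructed, and the sample values are chosen so that the 5% and 10% tolerance factors give different FAR/FRR counts.

```python
"""Robust (tolerance-based) biometric hashing vs. exact hashing, with FAR/FRR.

Constructed example: three subjects with three features each.  Not the scheme
of reference [8]; the Gaussian one-way transform is replaced by a per-feature
bucket so that the tolerance and metric behaviour is easy to follow.
"""
import hashlib
import hmac
import statistics
from typing import Dict, List, Tuple

Features = Tuple[float, ...]
Template = List[Tuple[float, float]]  # (center, delta) per feature; the range is 2*delta

# Constructed enrollment samples ("enough" samples per user, page 8).
ENROLL: Dict[str, List[Features]] = {
    "A": [(9.8, 19.9, 30.2), (10.2, 20.1, 29.8), (10.0, 20.0, 30.0)],
    "B": [(10.1, 20.0, 30.1), (10.5, 20.2, 30.3), (10.3, 20.1, 30.2)],  # similar to A
    "C": [(50.0, 60.0, 70.0), (50.4, 60.2, 70.2), (50.2, 60.1, 70.1)],
}
# Constructed test samples (the "remaining" images of page 12).
TESTS: Dict[str, List[Features]] = {
    "A": [(10.05, 20.02, 29.95), (10.215, 20.0, 30.0)],
    "B": [(10.15, 20.05, 30.15), (10.213, 20.0, 30.1)],
    "C": [(50.1, 60.05, 70.05), (50.3, 60.15, 70.15)],
}
SALT = {"A": b"salt-A", "B": b"salt-B", "C": b"salt-C"}  # per-user public salt (assumed)


def enroll(samples: List[Features]) -> Template:
    """Per feature: center = mean, delta = half the observed range (the 2δ of page 8)."""
    template = []
    for i in range(len(samples[0])):
        vals = [s[i] for s in samples]
        template.append((statistics.mean(vals), (max(vals) - min(vals)) / 2.0))
    return template


def exact_hash(features: Features) -> str:
    """Conventional hashing (page 4): any variation of the input changes the digest."""
    return hashlib.sha1(repr(features).encode()).hexdigest()


def robust_hash(features: Features, template: Template, tolerance: float, salt: bytes) -> str:
    """Bucket each feature: 0 if inside the enrolled range widened by the tolerance
    factor, +1/-1 if outside; then hash the bucket vector with the user's salt.
    Close inputs hash identically, inputs outside the range hash differently."""
    buckets = []
    for value, (center, delta) in zip(features, template):
        limit = delta * (1.0 + tolerance)
        dev = value - center
        buckets.append(0 if abs(dev) <= limit else (1 if dev > 0 else -1))
    return hashlib.sha256(salt + repr(buckets).encode()).hexdigest()


def reference_hash(template: Template, tolerance: float, salt: bytes) -> str:
    """The value stored (encrypted) for verification, page 9: hash of the centers."""
    centers = tuple(c for c, _ in template)
    return robust_hash(centers, template, tolerance, salt)


def verify(features: Features, template: Template, tolerance: float,
           salt: bytes, stored: str) -> bool:
    return hmac.compare_digest(robust_hash(features, template, tolerance, salt), stored)


def evaluate(tolerance: float) -> Tuple[int, int, int, int]:
    """Return (genuine rejects, genuine attempts, impostor accepts, impostor attempts):
    FRR = first/second, FAR = third/fourth (page 6)."""
    templates = {u: enroll(s) for u, s in ENROLL.items()}
    stored = {u: reference_hash(t, tolerance, SALT[u]) for u, t in templates.items()}
    frr_num = frr_den = far_num = far_den = 0
    for claimed, template in templates.items():
        for owner, samples in TESTS.items():
            for sample in samples:
                ok = verify(sample, template, tolerance, SALT[claimed], stored[claimed])
                if owner == claimed:  # a good guy trying to get in
                    frr_den += 1
                    frr_num += int(not ok)
                else:                 # a bad guy using someone else's credentials
                    far_den += 1
                    far_num += int(ok)
    return frr_num, frr_den, far_num, far_den


if __name__ == "__main__":
    tmpl = enroll(ENROLL["A"])
    print("exact hashes equal:", exact_hash(ENROLL["A"][0]) == exact_hash(TESTS["A"][0]))
    print("robust hash accepts:", verify(TESTS["A"][0], tmpl, 0.05, SALT["A"],
                                         reference_hash(tmpl, 0.05, SALT["A"])))
    for tol in (0.05, 0.10):
        fr, fn, fa, fd = evaluate(tol)
        print(f"tolerance {tol:.0%}: FRR {fr}/{fn}, FAR {fa}/{fd}")
```

Widening the tolerance from 5% to 10% removes the one false rejection but doubles the false acceptances, which is the trade-off page 14 reports for the real face data.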

Page 15: Multimodal

Description of the Dialog Communication System’s BioID commercial user-authentication system
• In use in many systems worldwide
• Uses three different sources of biometric data to achieve better accuracy than a single-feature system:
  – Voice – using a user-resettable “password”
  – Lip Movement – using the same password
  – Facial Data

Page 16: Multimodal

During enrollment, biometric templates are collected for each biometric feature.

For authentication, the system compares these templates against the biometric input.

The client sets the recognition thresholds for each of the features independently to achieve the desired level of security. [9]

Page 17: Multimodal

FACE PROCESSING [9]

Figure: original image; edge-extracted image; face model; face model overlaid on the edge-extracted image

Page 18: Multimodal

FACE PROCESSING

Samples of extracted faces: BioID scales all faces to the same size and crops the images uniformly for easier comparison. This photo collection shows 12 individuals. Note the uniformity that the system achieves. [9]

Page 19: Multimodal

TEST RESULTS

Live test using 150 individuals for 3 months: “False-acceptance rate significantly below 1 percent, depending on the security level.”

Page 20: Pro’s and Con’s – ROBUST HASHING

PRO
• Scalable – easy to add new users
• Secure – lost or stolen ID card not likely to compromise security of the system
• Flexible – can be set up using other features than fingerprints

CON
• Test results not good
• Intelligent attacker may be able to fool system with brute force guessing
• Much research left to make the system more secure (fewer FAR violations)

Page 21: Pro’s and Con’s – Multimodal BioID

PRO
• Scalable – easy to add new users
• Secure – lost or stolen ID card not likely to compromise security of the system
• Flexible – feature values can be manipulated to meet security needs
• Stable product
• Multiple Bio sources make it more secure

Page 22: Conclusion

• Biometrics is a current area of intense research
• Multiple Bio-sources should yield a more desirable product

Page 23: IDENTITY

Second Part: Federated Systems, Identity Management

Page 24: Desiderata

What we want:
• Federated Identity across organizations, maintaining access rights and privileges
• Web-based Federated Identity integrated with Web-based privilege management systems
• One identity, multiple roles across organizations
• Trust management and information sharing between trusted organizations

Page 25: Desiderata

NSF, about the Next Generation Internet, in the context of the GENI Research Program:

“Creating new core functionality: Going beyond existing paradigms of datagram, packet and circuit switching; designing new naming, addressing, and overall identity architectures, and new paradigms of network management;”

“Building higher-level service abstractions: Using, for example, information objects, location-based services, and identity frameworks;”

Page 26: Desiderata

Microsoft Research, in the context of the Next Generation Internet:

“.NET Building Block Services. A new family of highly distributed, programmable developer services that run across standalone machines, in corporate data centers and across the Internet. Services include Identity, Notification and Messaging, Personalization, Schematized Storage, Calendar, Directory, Search and Software Delivery.”

Page 27: Federated Identity

Proposal: Bhatti, Bertino and Ghafoor, “Towards Improved Federated Identity And Privilege Management System in Open Systems”

Requirements it addresses: SSO (single sign-on); effective access control; decentralized model; authentication for strangers; trust, anonymity and privacy; standardized approach

Page 28: Proposed Approach

Proposal

Page 29: Proposed Approach

Proposal > Other approaches

The other approaches:
• Earlier authentication/authorization mechanisms (IAPM, XECB, etc.)
• X.509
• X.509 PKI + PMI
• Kerberos

Page 30: The Earlier approach

Proposal > The Earlier approach

Comparison of authenticated-encryption schemes [1]. Columns: Scheme, #Passes, Provably Secure, Assoc Data, Parallelizable, On-Line, Patent-Free (only the #Passes entries are preserved in the transcript):

Scheme      #Passes
IAPM        1
XECB        1
OCB         1
CCM         2
EAX         2
CWC         2
Helix       1
SOBER-128   1

Page 31: Problems of Earlier Approaches

Proposal > Problems of all Traditional Approaches

Diagram labels: Previous Authentication Approaches; Distributed Solution; Scalability; Distributed Privilege Management; Ideal Solution

Page 32: Credentials Based Systems

Kerberos > Credentials Based Systems

• Kerberos

Comparison grid (columns: Authorization?, Privilege?, Distributed, Scalable; rows: Proposal, Kerberos; the cell marks are not preserved in the transcript)

Page 33: Credentials Based Systems

Kerberos > Credentials Based Systems

• Kerberos
• Based on tickets
• Centralized
• The client starts by getting an initial ticket
• With the ticket, it can request services

Page 34: Credentials Based Systems

Kerberos > Credentials Based Systems

• Kerberos
• The authentication process can run on both master and slave machines
• The slaves are read-only
• The KDBM manages changes of passwords. WHY?

Page 35: Credentials Based Systems

Kerberos > Credentials Based Systems

• Kerberos
• The changes can be introduced in the KDBM
• Each Kerberos realm has a master machine
• You can have additional master machines

Page 36: Kerberos

Kerberos > Credentials Based Systems

Kerberos – CREDENTIALS BASED ON IDENTITY: “I know WHO you are, therefore, I know what you are allowed to do.” (Authentication, Authorization)

Desiderata – CREDENTIALS BASED ON ROLES: “I know WHAT role you are allowed to play.” (Authentication, Authorization)

Page 37: Credentials Based Systems

X.509 > Credentials Based Systems

• X.509

Comparison grid (columns: Authorization?, Privilege?, Distributed, Scalable; rows: Proposal, X.509; the cell marks are not preserved in the transcript)

Page 38: Credentials Based Systems

X.509 > Credentials Based Systems

X.509 – Authentication, Authorization – BINDS credentials to a KEY

Proposal – CREDENTIALS BASED ON ROLES – Authentication, Authorization – BINDS credentials to a Role


Page 40: Credentials Based Systems

X.509 > Credentials Based Systems

• X.509 PKI + PMI


Page 43: Proposed Approach

Page 44: Proposed Approach

Page 45: Proposed Approach

XKMS, the four-corner approach

Page 46: Proposed Approach

Page 47: Federated Identity – XML Public Protocols

Proposed Approach

SAML (Security Assertion Markup Language)
• XML based
• Avoids the limitations of cookies
• SSO
• Interoperability: different implementations can be compatible
• Web Services: suited to work in browser environments
• Federations: can simplify Federation usability

Page 48: Proposed Approach

Page 49: Proposed Approach

XML Key Signature

Page 50: Desiderata

Proposed Approach (flow diagram, with Roles)

1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login
6. Redirect w/ tickets in header
7. Request page w/ credentials
8. Set ticket

Page 51: Conclusions

What we have (or will have):
• Federated Identity across organizations, maintaining access rights and privileges?
• Web-based Federated Identity integrated with Web-based privilege management systems?
• One identity, multiple roles across organizations.
• Trust management and information sharing between trusted parties?

Page 52: Conclusions

What we have (or will have):
• Federated Identity across organizations, maintaining access rights and privileges
• Web-based Federated Identity integrated with Web-based privilege management systems
• One identity, multiple roles across organizations.
• Trust management and information sharing between trusted parties

Page 53: Questions

A similar distributed system is already in use and implemented. Can you tell which system we are talking about?

Can you tell the differences between the desired approach and the actual scheme?

Can you point out which features have to change? (think about the actual problems)

Page 54: References

1. J. Black, “Authenticated Encryption”, November 2003.
2. XKMS Specification, www.w3.org

Page 55: Introduction

The Internet has changed the way we do business forever.

In cyberspace, our identity has changed too, and a Digital Identity has emerged.

Identity can be defined as a set of characteristics that uniquely identifies us (or a digital entity) [1].

Page 56: Introduction

CONCEPTS
• Identity: set of characteristics that identifies a given entity.
• Identification: recognizing someone as a specific individual.
• Authentication: process to make sure the identification is valid.
• Authorization: set of resources given to a certain entity, based on the identity.

Page 57: Introduction

In the physical world, users can be identified by physical characteristics, such as hair color, height, skin color, etc.

On the Internet, users are identified by sets of information, such as SSN, name, credit card number, address, phone number, etc.

Page 58: Introduction

Most services have gone to the Internet:
• Electronic Commerce
• Electronic Government
• Electronic Learning
• Electronic Marketing
• Electronic Publishing

Page 59: Introduction

To interact on the Internet with these service providers, people use their Digital Identity.

Page 60: Introduction

One of the drawbacks of human-centric electronic interactions is the fuzziness of the image of the other partner over the network.

Page 61: Introduction

Ensuring security and privacy in a distributed communication system such as the Internet is crucial.

Crimes related to identity theft have become a major threat to the growth of commerce over the Internet.

Page 62: Introduction

Identity-related misuse and concerns [2]
• Identity theft: someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception [3].
• Malicious change of information: someone wrongfully changes the personal information of somebody else, or their own, to do harm or for self-benefit.
• Secondary use: somebody impersonates someone else for personal benefit.
• And the list keeps growing

Page 63: Federated Identity – Some facts

Below are some institutions and people believed to be victims of identity theft:
• Bill Gates
• CIA, NASA, Justice Department
• Wells Fargo
• Bank of America
• eBay
• UNT?

Page 64: Problem Definition

Identity has brought more complexity to the business model.

Any person may now be using multiple identities to access multiple service providers on the Internet.

Multiple identities also mean redundant costs and increasing problems.

Page 65: Problem Definition

One of the technologies that has emerged to solve the increasing complexity of identity management across multiple organizations is Federated Identity.

Page 66: Problem Definition

Federated Identity is a digital credential analogous to a country passport [4].

Trust negotiation model: the gradual interchange of credentials between two entities, with the goal of establishing trust and finally exchanging resources.

Our task is to review proposals for designs of an efficient scheme of such Federation interchange.

Page 67: Problem Definition

Different sets of information from the Identity may be needed by different organizations.

Page 68: Federated Identity

Diagram. Each organization storing the full identity on its own:
• A: Name, Address, Phone Number, PO Box, SSN
• B: Name, Address, Phone Number, PO Box, SSN, Credit Card, Billing Address
• C: Name, Address, Phone Number, PO Box, SSN, Credit Card, Passport Number

Federated, each organization holding only the subset it needs:
• A: Name, Address, Phone Number, PO Box, SSN
• B: Credit Card, Billing Address
• C: Passport Number

Page 69: Federated Identity – Credentials negotiation

• Disclosure policies
• Credential combinations are required for disclosure of sensitive information
• Negotiation between User and Service Providers, and among Service Providers

Page 70: Federated Identity – Scalability

KEY CONCEPTS for scalability of Federated Identity:
• Has to work with the browser as the client-side software
• Centralized approach
• Identity- or capability-based credentials

Page 71: Federated Identity – Scalability

Page 72: Federated Identity – Privilege management

Both Federated Identity and Privilege Management are cornerstones of a management framework.

A mechanism for Federated Identity and Privilege Management should satisfy at least eight requirements:

Page 73: Federated Identity – Requirements

1. SSO (single sign-on): persistence of user identity across the enterprise domains, allowing users to transfer their authorizations across multiple points of policy enforcement.

2. Effective access control: the access control should be fine-grained, to handle dynamically evolving enterprise resources.

Page 74: Federated Identity – Requirements

3. Decentralized model: the system should not rely on a centralized access point; instead, it should be distributed.

4. Authentication for strangers: in the new distributed Internet environment, there is no longer any advance knowledge of identities or capabilities.

Page 75: Federated Identity – Requirements

5. Trust, anonymity and privacy: privacy protection is becoming an increasing concern, from both the social and the legal perspective. It is a compromise, since avoiding name-binding complicates trust establishment.

6. Standardized approach: the solution should be able to integrate with other systems, using existing accepted standards.

Page 76: Federated Identity – Requirements

7. Browser based: nobody wants to install client-side applications.

8. Technology issues: cookies and JavaScript are being used. Nevertheless, they have proved to be a security problem, even though they are better than the other options.

Page 77: Federated Identity – Ideal Scheme

1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login
6. Redirect w/ tickets in header
7. Request page w/ credentials
8. Set ticket
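The eight-step ideal scheme above, as an added Python example that is not code from the presentation or from any product: a service provider redirects an unauthenticated browser to an identity provider, which logs the user in and issues an HMAC-signed ticket bound to that provider and carrying a role rather than a name (pages 36 and 86); the users, keys, page names, ticket lifetime and ticket layout are assumptions.

```python
"""Browser-redirect SSO with role-based tickets (the ideal scheme of page 77).

Constructed example.  The identity provider (IdP) and each service provider
(SP) share a key delivered out of band (page 81); a ticket names its audience
and the user's role, never the user's name (pages 36 and 86).
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set, Tuple

TICKET_TTL = 300  # seconds a ticket stays valid (assumed)

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

class IdentityProvider:
    """Steps 4-6: request credentials, log the user in, redirect with a ticket."""
    def __init__(self, users: Dict[str, Tuple[bytes, bytes, str]], sp_keys: Dict[str, bytes]):
        self.users = users      # username -> (salt, password hash, role)
        self.sp_keys = sp_keys  # sp_id -> key shared with that SP

    def login(self, username: str, password: str, sp_id: str, now: int) -> Optional[str]:
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec[1], pw_hash(password, rec[0])):
            return None
        # The ticket carries audience, role, lifetime and a nonce; no username.
        claims = {"aud": sp_id, "role": rec[2], "iat": now,
                  "exp": now + TICKET_TTL, "jti": secrets.token_hex(8)}
        body = b64url_encode(json.dumps(claims, sort_keys=True).encode())
        tag = hmac.new(self.sp_keys[sp_id], body.encode(), hashlib.sha256).digest()
        return f"{body}.{b64url_encode(tag)}"

class ServiceProvider:
    """Steps 1-3, 7 and 8: redirect to the IdP, verify the ticket, authorize by role."""
    def __init__(self, sp_id: str, key: bytes, idp_url: str, policy: Dict[str, Set[str]]):
        self.sp_id, self.key, self.idp_url, self.policy = sp_id, key, idp_url, policy

    def verify_ticket(self, ticket: str, now: int) -> Optional[dict]:
        """Check signature, audience and expiry; return the claims or None."""
        try:
            body, tag = ticket.split(".")
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, b64url_decode(tag)):
                return None
            claims = json.loads(b64url_decode(body))
        except ValueError:  # malformed base64 or JSON
            return None
        if not isinstance(claims, dict) or claims.get("aud") != self.sp_id \
                or claims.get("exp", 0) <= now:
            return None
        return claims

    def request_page(self, page: str, ticket: Optional[str], now: int) -> Tuple[int, str]:
        if ticket is None:  # step 1 without credentials -> steps 2-3: redirect to the IdP
            return 302, f"{self.idp_url}?return_to={self.sp_id}/{page}"
        claims = self.verify_ticket(ticket, now)  # step 7: page requested with credentials
        if claims is None:
            return 401, "invalid ticket"
        if page not in self.policy.get(claims["role"], set()):
            return 403, f"role {claims['role']} may not view {page}"
        return 200, f"{page} for role {claims['role']}"  # step 8: ticket kept for the session

def build_demo() -> Tuple[IdentityProvider, ServiceProvider, ServiceProvider]:
    """Constructed users, keys and policies (all assumed values)."""
    salt = b"demo-salt"
    users = {"alice": (salt, pw_hash("correct horse", salt), "manager"),
             "bob": (salt, pw_hash("bob-pass", salt), "customer")}
    keys = {"sp-a": b"key-shared-with-sp-a", "sp-b": b"key-shared-with-sp-b"}
    policy = {"manager": {"reports", "orders"}, "customer": {"orders"}}
    sp_a = ServiceProvider("sp-a", keys["sp-a"], "https://idp.example/login", policy)
    sp_b = ServiceProvider("sp-b", keys["sp-b"], "https://idp.example/login", policy)
    return IdentityProvider(users, keys), sp_a, sp_b

def sso_flow(idp: IdentityProvider, sp: ServiceProvider, username: str, password: str,
             page: str, now: int) -> Tuple[int, str, Optional[str]]:
    """Run steps 1-8 as the browser would; return final status, body and the ticket."""
    status, location = sp.request_page(page, None, now)     # 1. request page, 2-3. redirects
    if status != 302 or not location.startswith(sp.idp_url):
        return status, location, None
    ticket = idp.login(username, password, sp.sp_id, now)   # 4. request credentials, 5. login
    if ticket is None:
        return 401, "login failed", None
    status, body = sp.request_page(page, ticket, now)       # 6. redirect w/ ticket, 7-8
    return status, body, ticket

if __name__ == "__main__":
    idp, sp_a, sp_b = build_demo()
    print(sso_flow(idp, sp_a, "alice", "correct horse", "reports", now=1_000)[:2])
    print(sso_flow(idp, sp_a, "bob", "bob-pass", "reports", now=1_000)[:2])
```

The checks on signature, audience and expiry are what stop a ticket issued for one provider from being replayed at another, which is the scalability concern the Kerberos and Passport slides raise.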

Page 78: Federated Identity – Examples

• MSN Passport – developed by Microsoft
• Kerberos – developed by MIT
• X.509 – Network Working Group, Certificate Management Protocol
• RBAC – research proposal

Page 79: Federated Identity – MSN Passport

1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login & passport
6. Redirect w/ tokens in header
7. Request page w/ credentials
8. Set cookie

Page 80: Federated Identity – MSN Passport

• Centralized model
• Credentials and no tickets
• Used to authenticate users of Hotmail and MSN Messenger. Other users include Zurich, GMAC
• The biggest Federated Identity system is Passport, from Microsoft

Page 81: Federated Identity – MSN Passport

• Processes 3.5 billion authentications each month
• Uses XML as the core
• Uses SSL
• Passport requires triple-DES keys with each organization. The keys must be generated securely and given to the merchants out of band.
• Some keys were broken because of the poor randomness of the keys generated

Page 82: Federated Identity – MSN Passport – Problems

• Centralized point of attack, against the distributed nature of the Internet. Vulnerable to DoS attacks.
• Due to the cookie architecture, a service can impersonate MSN Passport and delete all the cookies in the clients (used for DoS attacks).
• JavaScript and cookie technologies have proved to be insecure technologies.

Page 83: Federated Identity – MSN Passport – Problems

Bugs have a great impact: MSN found problems many times, bringing down all services depending on Passport. One example was a failure in the password-resetting mechanism.

Page 84: Federated Identity – Kerberos

1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login
6. Redirect w/ tokens in header
7. Request page w/ credentials
8. Set ticket

Symmetric

Page 85: Federated Identity – Kerberos

• Developed by MIT’s Project Athena
• Allows mutual authentication and secure communications over the network
• Uses symmetric-key encryption and authentication credentials
• Authentication credentials are based on identity and are suited for access control lists
• The main problems for Identity Management are centralization and name binding

Page 86: Federated Identity – Kerberos – Problems

Kerberos is identity based, which causes problems for scalability. Key concept: avoid name-binding.

Suitable for access roles. Nevertheless, symmetric keys are not suited for Federations and distributed Identity Management.

Page 87: Federated Identity – X.509

1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login
6. Redirect w/ tokens in header
7. Request page w/ access privileges
8. Set privileges

Asymmetric

Page 88: Federated Identity – X.509

• X.509 is a certificate scheme for authentication
• Based on Public Key Infrastructure (PKI)
• The access control credential is called an Attribute Certificate
• Asymmetric authentication
• Integrated approach of authentication and authorization

Page 89: Federated Identity – X.509 Problems

Integrated approach of authentication and authorization, which is not good in all contexts.

This is because not all the system-specific capabilities may be known in advance.

Access control credentials are not sufficient to meet effective access control requirements. Key concept: not scalable.

Page 90: Identity – Role-Based Access Control (RBAC)

Current enterprise solutions employ a combination of physical security, passwords, and Role-based Access Control to ensure the identity of a user.

Physical security and passwords protect the system from intrusion.

Role-based Access Control limits access to documents and data on a “need to know” basis.

Page 91: Identity A desiderata for the Next Generation  Internet

Identity: Role-Based Access Control (RBAC)

Access rules are established with sets of access pairs which associate users and their corresponding permissions:

(user, permissions)

While RBAC is supported by many specific application packages (Oracle and Sybase, for example), the method will be described with a brief look at XML

Page 92: Identity A desiderata for the Next Generation  Internet

Federated Identity: XML Public Protocols

SAML (Security Assertion Markup Protocol)
XML based
Avoids limitations of cookies
SSO
Interoperability: Different implementations can be compatible
Web Services: Suited to work in browser environments
Federations: Can simplify Federation usability

Page 93: Identity A desiderata for the Next Generation  Internet

Federated Identity: XML-Based Doc Security

X-Sec [5] is one notional XML-Based control system with the following components:

Credential-types (ct) – defined user type definitions. Example: manager, customer, carrier. A credential-type is a pair (n_ct, P_ct) where n is the name of the credential and P is the set of property specifications for the ct.

XML credential-type and corresponding graph representation [5]

Page 94: Identity A desiderata for the Next Generation  Internet

XML-Based Doc Security

X-Sec Components (cont)

Credential – an instantiation of a credential-type. Specifies the set of property values characterizing a given subject against the credential-type itself

Physical credentials are certified by the credential issuer

XML credential and corresponding graph representation [5]

Page 95: Identity A desiderata for the Next Generation  Internet

XML-Based Doc Security

X-Sec Components (cont)

Security Policy Base Template – Specifies credential-based security policies based on enterprise protection requirements:
Documents to which the policy applies
Portions of documents within target documents
Access Modes
Propagation mode for the policy

Page 96: Identity A desiderata for the Next Generation  Internet

XML-Based Doc Security

X-Sec Components (cont)

Security Policy Base Instantiation Example (below)

Secretaries in sales can access and modify all purchase order documents

UPS employees can access information about the customer, carrier, and order id.
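The two policies above expressed as an added Python example (not X-Sec's own syntax or code): credential-types as (name, property set) pairs, credentials validated against them, and a policy base that grants the sales secretary the whole purchase order but the UPS employee only the customer, carrier and order id portions. The element names, rule representation and sample order are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample target document (not from the page): a purchase order.
PURCHASE_ORDER = """<purchase_order id="PO-1001">
  <customer>Acme Corp</customer>
  <carrier>UPS</carrier>
  <price>1250.00</price>
</purchase_order>"""

# Credential-types (n_ct, P_ct): name plus its set of property specifications.
CREDENTIAL_TYPES = {"secretary": {"name", "department"},
                    "carrier_employee": {"name", "company"}}

# Security policy base (hypothetical syntax): credential-type, required
# property values, target document, portions ("*" = whole document,
# "@x" = attribute x) and access modes, mirroring the two policies above.
POLICIES = [
    {"ct": "secretary", "where": {"department": "sales"},
     "doc": "purchase_order", "portions": {"*"}, "modes": {"read", "write"}},
    {"ct": "carrier_employee", "where": {"company": "UPS"},
     "doc": "purchase_order", "portions": {"customer", "carrier", "@id"},
     "modes": {"read"}},
]

def validate_credential(cred):
    """Credential instantiates a credential-type: property names must match its spec."""
    spec = CREDENTIAL_TYPES.get(cred["type"])
    return spec is not None and set(cred["props"]) == spec

def authorized_view(cred, xml_text, mode):
    """Return {portion: value} the credential may access in `mode`, or None
    when no policy in the base grants anything (default deny)."""
    if not validate_credential(cred):
        return None
    root = ET.fromstring(xml_text)
    visible = {}
    for rule in POLICIES:
        if (rule["ct"] != cred["type"] or rule["doc"] != root.tag
                or mode not in rule["modes"]
                or any(cred["props"].get(k) != v for k, v in rule["where"].items())):
            continue
        if "*" in rule["portions"]:  # whole document granted
            whole = {"@" + k: v for k, v in root.attrib.items()}
            whole.update({child.tag: child.text for child in root})
            return whole
        for p in rule["portions"]:   # selected portions only
            if p.startswith("@"):
                visible[p] = root.get(p[1:])
            elif root.find(p) is not None:
                visible[p] = root.find(p).text
    return visible or None
```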

Page 97: Identity A desiderata for the Next Generation  Internet

XML-Based Doc Security: Assessment

PRO:

Highly available in commercial products

Easy to set up

Training is readily available

Highly effective in a CLOSED and TRUSTED environment

CON:

Often difficult to REMOVE users

Impractical in an open user environment

Not a long-term Internet solution

Passwords can be stolen, resulting in unauthorized access

Periodic password changes make remembering passwords difficult

Left to their own devices, people tend to choose passwords that are easy to guess

Page 98: Identity A desiderata for the Next Generation  Internet

Biometrics

DEFINITION: Any and all of a variety of identification techniques which are based on some physical or behavioral characteristic of the individual, contrasted with the larger population. Unique digital identifiers are created from the measurement of this characteristic.

Physiological Biometrics: Fingerprints, hand and/or finger geometry, eye (retina or iris), face, and wrist (vein)

Behavioral Biometrics: Voice, signature, typing behavior, and pointing

Page 99: Identity A desiderata for the Next Generation  Internet

Biometrics

OVERVIEW

User digital template is created during an “enrollment period” and stored in a database
On attempted verification, the relevant template is extracted and compared with the data input
ATM card is still required to point at the correct digital template
Verification is based on statistical techniques of comparison between the two

Page 100: Identity A desiderata for the Next Generation  Internet

Biometrics

Some devices that use Biometrics

Page 101: Identity A desiderata for the Next Generation  Internet

Benchmarks

The eight points can be used to measure whether an Identity Management Protocol is suited for scalability and Federated use.

Browser features can be used as a metric: Use of cookies, use of JavaScript, use of XML

Page 102: Identity A desiderata for the Next Generation  Internet

Biometrics: Benchmarks

BENCHMARKS for Biometrics
Template size
Speed of enrollment
False Accept Rate
False Reject Rate
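An added Python example (not code from the presentation) tying the verification overview to the last two benchmarks: a sample is accepted when its statistical similarity to the enrolled template reaches a threshold, and False Accept Rate and False Reject Rate are measured for that threshold over constructed genuine and impostor scores, with the threshold where the two rates balance also computed.

```python
# Constructed similarity scores in [0, 1] from comparing a presented sample
# against the enrolled template (higher = closer match). Not real device data.
GENUINE_SCORES = [0.91, 0.88, 0.79, 0.67, 0.95, 0.58, 0.83, 0.72, 0.90, 0.61]
IMPOSTOR_SCORES = [0.21, 0.35, 0.62, 0.18, 0.44, 0.70, 0.29, 0.33, 0.51, 0.12]

def accept(score, threshold):
    """Verification decision: the statistical comparison passes when the
    sample's similarity to the stored template reaches the threshold."""
    return score >= threshold

def false_accept_rate(impostor, threshold):
    """Share of impostor attempts (other users' samples) wrongly accepted."""
    return sum(accept(s, threshold) for s in impostor) / len(impostor)

def false_reject_rate(genuine, threshold):
    """Share of genuine attempts (the enrolled user) wrongly rejected."""
    return sum(not accept(s, threshold) for s in genuine) / len(genuine)

def benchmark(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) for each threshold: tightening the threshold
    lowers FAR at the cost of a higher FRR, the trade-off behind the
    reject rates criticised in the assessment that follows."""
    return [(t, false_accept_rate(impostor, t), false_reject_rate(genuine, t))
            for t in thresholds]

def equal_error_threshold(genuine, impostor):
    """Threshold (to 0.01) where FAR and FRR are closest: the Equal Error
    Rate operating point commonly used to compare biometric systems."""
    best_t, best_gap = None, float("inf")
    for i in range(101):
        t = i / 100                       # avoids accumulated float error
        gap = abs(false_accept_rate(impostor, t) - false_reject_rate(genuine, t))
        if gap < best_gap:
            best_t, best_gap = t, gap
    return best_t
```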

Page 103: Identity A desiderata for the Next Generation  Internet

Biometrics: Benchmarks

ASSESSMENT

PRO
When it works, it works best
Generally acceptable in controlled group settings

CON
Bad user perceptions

May be misused

May harm eyes

Input quality degrades with age

Unacceptable False Reject Rates

17% - facial

10% - finger swipe

Page 104: Identity A desiderata for the Next Generation  Internet

Conclusions

Identity is a key issue for the Next Generation Internet

Any new or already proposed scheme for Identity Management should address at least the eight points presented

All Identity Management should work with a Browser on the client side

Page 105: Identity A desiderata for the Next Generation  Internet

Conclusions (cont)

Identity Management paradigms that ensure “you are you,” as opposed to “you are who you say you are” are absolutely critical to the future of e-commerce and electronic information sharing

Federated Identity can only be successful if the services are decentralized

Not an easy task

Page 106: Identity A desiderata for the Next Generation  Internet

Conclusions (cont)

Access control systems will continue to provide enterprise solutions for controlled areas for the foreseeable future

Biometrics appears to be the only real solution on the horizon, but it is not yet reliable enough for use in the general world population.