The Road to Identity 2.0


Transcript of The Road to Identity 2.0

Page 1: The Road to Identity 2.0
Page 2: The Road to Identity 2.0

Adam Lewis, Office of the CTO

Mike Korus, Office of the CTO

Page 3: The Road to Identity 2.0

IDENTITY 101

IDENTIFICATION: Who are you?

AUTHENTICATION: Can you prove it? What degree of assurance?

AUTHORIZATION: OK, I believe you. I get to decide what you get to do or not.

Page 4: The Road to Identity 2.0

IDENTITY 1.0, AND WHY IT DOESN’T WORK ANYMORE

Page 5: The Road to Identity 2.0

Identity Today: Application SILOS

APPLICATION 1 (Application / Service Provider + Application logic)
IDENTITY = ALICE.SMITH
PASSWORD = 2DAQREF4ERQL
PASSWORD CHANGE MANAGEMENT = 30 DAYS

APPLICATION 2 (Application / Service Provider + Application logic)
IDENTITY = ALICE
PASSWORD = ABC123
PASSWORD CHANGE MANAGEMENT = 90 DAYS

APPLICATION 3 (Application / Service Provider + Application logic)
IDENTITY = Alice-22
PASSWORD = ABC123
PASSWORD CHANGE MANAGEMENT = NEVER

Each application = Identity provider + Service provider

Page 6: The Road to Identity 2.0

Why Identity 1.0 is Broken

Broken for: THE USER, THE ADMIN, THE DEVELOPER

Page 7: The Road to Identity 2.0

It gets worse.

Page 8: The Road to Identity 2.0

The Good ol’ Days: users, their credentials, and the information they accessed were all within the secure perimeter of the Enterprise.

Now: Users. Credentials. Mobile. Cloud. Sharing of Information & Resources.

The Perimeter has Dissolved.

Page 9: The Road to Identity 2.0

WHERE WE HAVE BEEN

Home Agency Apps

Page 10: The Road to Identity 2.0


REGIONAL APPLICATIONS

HOME AGENCY APPS

Page 11: The Road to Identity 2.0


REAL LIFE IDENTITY… AND WHAT WE CAN LEARN FROM IT

Page 12: The Road to Identity 2.0

REAL-LIFE IDENTITY

1. BOB to the DMV. IDENTIFY: “Hi, I’m Bob.” AUTHENTICATE: “Prove it.”

2. DMV to BOB: “I have authenticated you. Here is a token asserting my authentication of you as well as some attributes of you.”

Page 13: The Road to Identity 2.0
Page 14: The Road to Identity 2.0

REAL-LIFE IDENTITY

STATE BORDERS

Page 15: The Road to Identity 2.0

IDENTITY 2.0… BUILT FOR A DEPERIMETERIZED WORLD

Page 16: The Road to Identity 2.0

Identity 2.0

1. Bob to the Agency IdM function. IDENTITY: “I am Officer Bob.” AUTHENTICATE: “Prove it.” Credentials held in the CREDENTIAL REPOSITORY: BIOMETRIC, PASSWORD (***********), SMART CARD.

2. Agency IdM to Bob: “I have authenticated you, Bob. Here is a token asserting my authentication of you… as well as some attributes of you.”

Token contents:
Name: Officer Bob
Agency: Schaumburg Police Department
Role: Sergeant
Languages: English, Spanish, Russian
Qualifications: Firearms, CPR
Contact-mobile: 847-555-1234
Contact-email: [email protected]
User Authentication: RSA 2-factor
Signed by: Village of Schaumburg IdM

Page 17: The Road to Identity 2.0

Identity 2.0


Separation of Identity Provider and Service Provider functionality

Identity 2.0 is the separation of the Identity Provider from the Service Provider

Page 18: The Road to Identity 2.0

IDENTITY 2.0: Centralized Credential Management · Single Sign-On · Federation · Strong Authentication

Page 19: The Road to Identity 2.0

Centralized Credential Management

IDENTITY PROVIDER
Identity = Alice, Password = abc123
Attribute-1 (e.g. email), Attribute-2 (e.g. phone number), Attribute-3 (e.g. dept. no)
Password change management = 90 days
Password complexity rules, password reuse rules
Activate account, suspend account, delete account
INTEGRATES WITH AGENCY’S EXISTING IDENTITY MANAGEMENT SYSTEM (E.G. ACTIVE DIRECTORY)

APPLICATION 1 and APPLICATION 2 (Service Provider + Application logic): each focuses strictly on the service the app is looking to provide and leverages the identity & credentials provisioned in the Identity Provider.

Page 20: The Road to Identity 2.0


Page 21: The Road to Identity 2.0

Enter your password

***********

Page 22: The Road to Identity 2.0


Page 23: The Road to Identity 2.0

© 2014 Motorola Solutions, Inc.

IDENTITY FEDERATION

LOCAL POLICE AGENCY <-> REGIONAL OR NATIONWIDE APPLICATIONS & SERVICES (CAD, VIDEO, PTT)

LOCAL AUTHORIZATION CONTROL

Page 24: The Road to Identity 2.0


Page 25: The Road to Identity 2.0

Strong Authentication

76% of 2012 network intrusions exploited weak or stolen credentials

In 2007, ~30 vendors in authentication. Approximately 12 new vendors have been added per year. Today there are over 100 vendors.

Page 26: The Road to Identity 2.0

Source: PingIdentity

AT WORK / AT HOME: Memorization. Re-Use. Avoid Change. One Constant: CHANGE.

The average corporate user maintains 15 passwords within both private and corporate spheres.

Page 27: The Road to Identity 2.0

• Like the cockroach… passwords will outlive us all

• But that does not mean… we shouldn’t try to exterminate them

Page 28: The Road to Identity 2.0

STRONG AUTHENTICATION

SOMETHING I AM · SOMETHING I HAVE · SOMETHING I KNOW

CJIS REQUIRES STRONG AUTHENTICATION – MSI HAS SOLUTIONS TO MEET THOSE NEEDS TODAY

Page 29: The Road to Identity 2.0

• The Identity problem
– Who are you
– Prove it
– How confident are we in the “proofing”

• Federal Standards defined “how certain”: Level of Assurance (LoA)
– Defined in M-04-04 (Dec 16, 2003), Executive Office of the President, Office of Management and Budget (OMB)

OMB LoA descriptions:
Level 1: Little or no confidence in the asserted identity’s validity.
Level 2: Some confidence in the asserted identity’s validity.
Level 3: High confidence in the asserted identity’s validity.
Level 4: Very high confidence in the asserted identity’s validity.
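The token exchange on pages 16 and 17 (IdM authenticates Bob and issues a signed token carrying attributes), the federation with local authorization control on page 23, and the LoA levels above come together in the following added example. It is written for this transcript and is not code from Motorola Solutions or the presenters. It assumes a federation key shared by the identity provider and the service provider (an HMAC simplification; real federations such as SAML or OpenID Connect use public-key signatures so the SP holds only a verification key), an assumed mapping from authentication method to LoA, and constructed names such as the `regional-cad` audience.

```python
"""Added example (not from the deck): an identity provider (IdP) authenticates
Officer Bob and issues a signed assertion with attributes and a level of
assurance; a separate service provider (SP) verifies the assertion and applies
its own local authorization rule. Assumption: HMAC-SHA256 under a shared
federation key stands in for the public-key signature a real federation uses.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed federation key (assumption: provisioned between IdP and SP out of band).
FEDERATION_KEY = b"constructed-demo-federation-key"

# OMB M-04-04 levels keyed by the authentication method the IdP observed.
# This method-to-level mapping is an assumption made for the example.
LOA_BY_METHOD = {"password": 1, "password+otp": 3, "smart-card": 4}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue(subject, attributes, auth_method, audience, now=None, ttl=300):
    """IdP side: after authenticating `subject` with `auth_method`, mint an
    assertion bound to one SP (`audience`) and valid for `ttl` seconds."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": "Village of Schaumburg IdM",   # "Signed by" on the page-16 token
        "sub": subject,
        "aud": audience,
        "iat": now,
        "exp": now + ttl,
        "loa": LOA_BY_METHOD[auth_method],
        "amr": auth_method,
        "attrs": attributes,
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(FEDERATION_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def sp_verify(token, audience, now=None):
    """SP side: accept only an untampered, unexpired assertion addressed to us.
    Returns the claims, or None when any check fails."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(FEDERATION_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None  # signature mismatch: forged or altered in transit
    claims = json.loads(_unb64(body))
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None  # presented to the wrong SP, or expired
    return claims


def sp_authorize(claims, required_loa, allowed_roles):
    """Local authorization control: the SP decides what the asserted identity
    may do, using the attributes and LoA the IdP vouched for."""
    if claims is None:
        return False
    return claims["loa"] >= required_loa and claims["attrs"].get("role") in allowed_roles


def demo():
    """Walk through the good path and the failure modes with constructed data."""
    bob = {"name": "Officer Bob", "agency": "Schaumburg Police Department", "role": "Sergeant"}
    t0 = 1_700_000_000
    token = idp_issue("officer.bob", bob, "password+otp", audience="regional-cad", now=t0)
    claims = sp_verify(token, audience="regional-cad", now=t0 + 60)
    body, sig = token.split(".")
    tampered = body[:-1] + ("A" if body[-1] != "A" else "B") + "." + sig
    return {
        "cad_ok": sp_authorize(claims, required_loa=3, allowed_roles={"Sergeant", "Officer"}),
        "needs_loa4": sp_authorize(claims, required_loa=4, allowed_roles={"Sergeant"}),
        "wrong_audience": sp_verify(token, audience="regional-video", now=t0 + 60),
        "expired": sp_verify(token, audience="regional-cad", now=t0 + 600),
        "tampered": sp_verify(tampered, audience="regional-cad", now=t0 + 60),
    }
```

The SP never sees Bob's password or smart card; it trusts the IdP's signature, then applies its own rule (minimum LoA plus an allowed role), which is the "local authorization control" of the federation slide. Binding the token to one audience and a short lifetime is what keeps a token issued for CAD from being reused against the video service.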

Page 30: The Road to Identity 2.0


Page 31: The Road to Identity 2.0

AROUND THE WORLD IN 80 DAYS… GLOBAL TRENDS IN IDENTITY

Page 32: The Road to Identity 2.0

UNITED STATES


Page 33: The Road to Identity 2.0

INTERNATIONAL


Page 34: The Road to Identity 2.0


CLOSING THOUGHTS… AND THINGS TO REMEMBER

Page 35: The Road to Identity 2.0

PILLARS OF IDENTITY 2.0

CENTRALIZED CREDENTIAL MANAGEMENT
SINGLE SIGN-ON
FEDERATION: PORTABLE & INTEROPERABLE
STRONG AUTHENTICATION

WHAT DO YOU GET? MOBILE FRIENDLY · CLOUD READY · INDUSTRY DOMINANT · OPEN STANDARDS

Page 36: The Road to Identity 2.0

In a deperimeterized mobile & cloud world, where first responders are accessing information – located anywhere – from anywhere – Identity *IS* the new perimeter

Page 37: The Road to Identity 2.0


Page 38: The Road to Identity 2.0

July 17, 1996: Emergency services personnel from Suffolk County, NY and the United States Coast Guard respond to a report of a catastrophic explosion and the crash of a passenger airliner over the ocean off the southern coast of Long Island. The initial assumption is a nexus to terrorism. The East Moriches Coast Guard Station is designated as the operations command post, staging area, and evidence collection point. As the incident shifts from response to recovery, personnel from various response disciplines and levels of government stream into the station. Among them is Lieutenant Colonel David Williams of the U.S. Army Reserve. LTC Williams, dressed in his U.S. Army Reserve flight suit, presents identification, enters the site, and assists in the operation by landing helicopters on the designated helipads. On the third day of his work, LTC Williams is questioned concerning his identity and affiliation. Following a brief investigation, LTC Williams is identified as an impostor, escorted from the property, and charged by the Suffolk County Police.

September 11, 2001: When the Pentagon was struck it resulted in a massive response of public safety personnel from fire, EMS, and police. Given the technology used at the time, it was impossible to authenticate and validate emergency responders at a pace necessitated by the disaster. While the majority of emergency responders already had identification cards, their credentials were not recognized at all levels of government or by the various jurisdictions. The incident commanders on site either had to assume that people were who they said they were, or they had to deny or delay access of critical emergency personnel to the crash scene. This same scenario could be applied to any disaster at any secured building in any city or state.

Page 39: The Road to Identity 2.0

Strong Authentication / Advanced Authentication

• Single Factor: choose ONE OF something I am, something I have, something I know

• Multi Factor: choose TWO OR MORE of something I am, something I have, something I know

Page 41: The Road to Identity 2.0

Authentication for Public Safety

• 1. REMOTE ACCESS: CJIS mandates strong authentication

• 2. PHYSICAL ACCESS: FRAC cards for interoperability

• 3. DEVICE ACCESS: sensitive data on devices & open sessions

Page 42: The Road to Identity 2.0

• Think To Authenticate (NeuroSky)
– Started as “brain fitness”
– Your brainwave is unique
– Focus on a thought
– Some difficulties: slow; focus; very early research

Page 43: The Road to Identity 2.0

• Keystroke to authenticate
– Something I know (simplified password)
– Something I am: dwell time, flight time
– Stops password sharing

Page 44: The Road to Identity 2.0

• EKG to authenticate (Bionym)
– Your EKG is unique
– Not affected by caffeine or exercise: heart rate, yes; EKG characteristics, no.
– How many sensors? Hospital = 12; authentication = 2
– Communicates to your device: Bluetooth, NFC

Page 45: The Road to Identity 2.0

• Smartbadge: tap to authenticate
– Uses NFC technology (standard supported by most smartphones)
– Federal PIV card standards: Personal Identity Verification card, FIPS PUB 201-2
– PIV-I/FRAC cards: First Responder Authentication Credential

• Future capability
– Smartbadge turns your phone into a badge
– Draft NIST SP 800-157: card emulation on radio

(Screen: “Tap Smart Card” / LOGON)

Page 46: The Road to Identity 2.0

• Continuous authentication: is it “still you”? Is it “still you”? … Is it “still you”?

Page 47: The Road to Identity 2.0

Biometric system architecture (diagram residue); each flow begins at a Sensor:

Enrollment: Sensor -> Feature extraction & template creation (BE) -> Database, stored as BE’ under the user’s ID

Authentication: Sensor + claimed ID -> Feature extraction & template creation (BA) -> Matching Function against BA’ retrieved from the Database -> Decision (Y/N)

Identification: Sensor -> Feature extraction (BI) -> Matching Function against BI’ templates in the Database -> Identity
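The keystroke slide (page 43) and the enrollment / authentication / identification diagram above describe the same pipeline from two angles, so one added example covers both: keystroke dynamics (dwell time and flight time) as the biometric, fed through feature extraction, template creation, a matching function and the 1:1 and 1:N decisions. This is example code written for this transcript, not code from the presenters or any vendor named on the page. The typing timings, the mean-based template, the mean-absolute-deviation matcher and the threshold of 25 ms are all constructed for illustration; a real system would calibrate them on collected data.

```python
"""Added example (not from the deck): the biometric enrollment, authentication
(1:1) and identification (1:N) flows, using keystroke dynamics as the biometric.
All timings, the matcher and the threshold are constructed for the example.
"""
from statistics import mean

# A typing sample is a list of (key, press_time_ms, release_time_ms) for a fixed
# phrase. Dwell = release - press per key; flight = next press - this release.


def extract_features(sample):
    """Feature extraction: dwell times followed by flight times, as one vector."""
    dwell = [rel - prs for _, prs, rel in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight


def create_template(samples):
    """Template creation: element-wise mean over several enrollment samples."""
    vectors = [extract_features(s) for s in samples]
    return [mean(col) for col in zip(*vectors)]


def match_score(template, features):
    """Matching function: mean absolute deviation from the template (lower is closer)."""
    return mean(abs(t - f) for t, f in zip(template, features))


def enroll(database, user_id, samples):
    """Enrollment flow: store the template under the user's ID."""
    database[user_id] = create_template(samples)


def authenticate(database, user_id, sample, threshold=25.0):
    """Authentication flow: claimed ID plus one sample -> decision (Y/N)."""
    template = database.get(user_id)
    if template is None:
        return False
    return match_score(template, extract_features(sample)) <= threshold


def identify(database, sample, threshold=25.0):
    """Identification flow: best match across the whole database, or None."""
    feats = extract_features(sample)
    best_id, best_score = None, threshold
    for user_id, template in database.items():
        score = match_score(template, feats)
        if score <= best_score:
            best_id, best_score = user_id, score
    return best_id


def _make_sample(keys, dwells, flights):
    """Build (key, press, release) tuples from dwell/flight timings (constructed data)."""
    sample, t = [], 0
    for i, key in enumerate(keys):
        press, release = t, t + dwells[i]
        sample.append((key, press, release))
        t = release + (flights[i] if i < len(flights) else 0)
    return sample


KEYS = list("bob1")  # the simplified password both users type
# Constructed enrollment data: Alice types fast, Bob types slowly.
ALICE_SAMPLES = [_make_sample(KEYS, [80, 85, 78, 82], [120, 110, 130]),
                 _make_sample(KEYS, [84, 80, 82, 79], [115, 118, 125])]
BOB_SAMPLES = [_make_sample(KEYS, [140, 150, 145, 138], [260, 250, 270]),
               _make_sample(KEYS, [145, 142, 150, 141], [255, 265, 262])]


def demo():
    db = {}
    enroll(db, "alice", ALICE_SAMPLES)
    enroll(db, "bob", BOB_SAMPLES)
    alice_probe = _make_sample(KEYS, [82, 83, 80, 81], [118, 114, 128])
    # Someone who was given Alice's password but types like Bob (password sharing).
    shared_probe = _make_sample(KEYS, [143, 148, 146, 140], [258, 256, 268])
    unknown_probe = _make_sample(KEYS, [30, 32, 31, 29], [40, 45, 42])
    return {
        "alice_genuine": authenticate(db, "alice", alice_probe),
        "alice_shared": authenticate(db, "alice", shared_probe),
        "who_typed_it": identify(db, shared_probe),
        "unknown": identify(db, unknown_probe),
    }
```

The "stops password sharing" bullet is the `alice_shared` case: the password is correct, but the rhythm does not match Alice's template, so the 1:1 decision is N, and the 1:N lookup names Bob as the likely typist.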

Page 48: The Road to Identity 2.0

Challenge/response handshake (diagram residue); the biometric never leaves the device:

1. Application server: “prove you can lock this” with secret
2. Submit factor 1, e.g. biometric; the device verifies it
3. Success = access secret; the device answers the challenge and the server verifies

Page 49: The Road to Identity 2.0

Security: tiered to needs; policies; federation; secure elements (TEE, uSD…)

UX: key for adoption; unobtrusive/stealthy; shared devices (load profiles)

Cost: leverage commercial tech; standards

Security isn’t an afterthought; it’s a stream of consciousness.

Page 50: The Road to Identity 2.0

– Back to the beginning
• It ties into identity management
• It’s the “primary authentication”
• What you use at work can be applied at home

Page 51: The Road to Identity 2.0

Challenge/response handshake (diagram residue); biometric comparison on device or on card:

1. Application server: “prove you can lock this” with secret
2. Submit factor 1, e.g. biometric; the device or card verifies it
3. Success = access secret; the device answers the challenge and the server verifies
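The handshake drawn on pages 48 and 51, as an added example written for this transcript (not code from the presenters or any vendor on the page): the biometric is compared on the device, and a successful match only unlocks a secret that answers the server's challenge, so the biometric template and probe never cross the network. Assumptions: the device secret is a symmetric key registered at enrollment and the response is an HMAC over the challenge (FIDO-style designs use a per-device private key and a signature, so the server stores only a public key), and the on-device biometric comparison is stood in for by an exact template comparison.

```python
"""Added example (not from the deck): challenge/response authentication where a
local biometric check gates access to a device secret. Assumptions: symmetric
device secret + HMAC response instead of a private key + signature; exact-match
stand-in for the biometric comparison.
"""
import hashlib
import hmac
import secrets


class Device:
    """Holds the device secret behind a local biometric comparison."""

    def __init__(self, secret, enrolled_template):
        self._secret = secret
        self._template = enrolled_template  # never transmitted

    def _biometric_matches(self, probe):
        # Stand-in for the on-device/on-card matcher (constructed: exact match).
        return hmac.compare_digest(probe, self._template)

    def answer(self, challenge, probe):
        """Factor 1 (something I am) unlocks the secret; the secret, not the
        biometric, produces the response."""
        if not self._biometric_matches(probe):
            return None
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class ApplicationServer:
    """Stores per-device secrets, issues one-time challenges, verifies responses."""

    def __init__(self):
        self._devices = {}      # device_id -> secret registered at enrollment
        self._outstanding = {}  # device_id -> the single pending challenge

    def register(self, device_id, secret):
        self._devices[device_id] = secret

    def challenge(self, device_id):
        nonce = secrets.token_bytes(32)  # fresh per attempt: "prove you can lock this"
        self._outstanding[device_id] = nonce
        return nonce

    def verify(self, device_id, response):
        nonce = self._outstanding.pop(device_id, None)  # consumed on first use
        secret = self._devices.get(device_id)
        if nonce is None or secret is None or response is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    """Genuine handshake plus the three failure modes a verifier must reject."""
    secret = secrets.token_bytes(32)           # provisioned at enrollment
    bob_template = b"constructed-bob-template"  # stands in for a fingerprint template
    device = Device(secret, bob_template)
    server = ApplicationServer()
    server.register("bob-phone", secret)

    c1 = server.challenge("bob-phone")
    r1 = device.answer(c1, bob_template)
    genuine = server.verify("bob-phone", r1)

    replay = server.verify("bob-phone", r1)  # same response again: challenge already consumed

    c2 = server.challenge("bob-phone")
    wrong = server.verify("bob-phone", device.answer(c2, b"someone-else"))  # no unlock, no response

    server.challenge("bob-phone")  # fresh challenge outstanding...
    stale = server.verify("bob-phone", device.answer(c1, bob_template))  # ...answered for an old one

    return {"genuine": genuine, "replay": replay, "wrong_biometric": wrong, "stale": stale}
```

Two properties carry the security argument: the server never learns anything about the biometric (a breach of the server yields device secrets, not fingerprints), and each challenge is consumed on first use, so a captured response cannot be replayed.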

Page 52: The Road to Identity 2.0

• Which assets require “user” access controls? Records management, CAD, CJIS, location, messaging, logging, PTT services (?), …

• Single factor or multifactor

• Device or user authentication

Page 53: The Road to Identity 2.0

• Most of this is standards: NIST, FIDO, GlobalPlatform

• Technology enablers: secure elements (CRYPTR micro), TEE, wireless tokens/secure elements, wearable biometrics