Distributed Data Security for Factory Automation

Post on 22-Jan-2016



Distributed Data Security for Factory Automation. Alfred C. Weaver Professor of Computer Science University of Virginia. Outline. Motivation for data security Proposed security architecture Web services Trust Authentication Authorization Federation Research issues. - PowerPoint PPT Presentation


1

Distributed Data Security for Factory Automation

Alfred C. Weaver
Professor of Computer Science
University of Virginia

2

Outline

Motivation for data security
Proposed security architecture
  Web services
  Trust
  Authentication
  Authorization
  Federation
Research issues

3

Data Privacy and Security

Figure: plants, processes, databases, desktops, laptops, PDAs and cell phones, all reaching the data over the global Internet.

4

Virtual Factory

5

6

Risks

Access by unauthorized individuals
Access denied to authorized individuals
Identity theft and impersonation
Authentication techniques of varying reliability
Mobile access devices
Viruses and worms

7

Risk Mitigation Requirements

Establish and maintain trust between data requestor and data provider

Techniques must be applicable to both humans and software

Trust decisions must be made without human intervention


9


11

Security Architecture

Based upon web services
  useful functionality exposed on the WWW
  provide fundamental, standardized building blocks to support distributed computing over the Internet
  applications communicate using XML documents that are computer-readable

12

Why Web Services?

Internet provides a powerful, standardized, ubiquitous infrastructure whose benefits are impossible to ignore, provided that access is reliable, dependable, and authentic
World-wide acceptance
Preferential way to interconnect applications in a loosely-coupled, language-neutral, platform-independent way

13

Web Services

Built on three primary technologies
  Simple Object Access Protocol (SOAP): specifies format and content of messages
  Web Services Description Language (WSDL): XML document that describes a set of SOAP messages and how they are exchanged
  Universal Description, Discovery, and Integration (UDDI): searchable "white-page directory" of web services

14

SOAP Example

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <!-- security credentials (carried in clear unless the transport is encrypted) -->
    <s:credentials xmlns:s="urn:examples-org:security">
      <username>Alfred Weaver</username>
      <password>jdb5eifgh7a</password>
    </s:credentials>
  </soap:Header>
  <soap:Body>
    <x:TransferFunds xmlns:x="urn:examples-org:banking">
      <from>22-342439</from>
      <to>98-283843</to>
      <amount>100.00</amount>
      <denomination>USD</denomination>
    </x:TransferFunds>
  </soap:Body>
</soap:Envelope>

TransferFunds (from, to, amount)


16

Trust

Who you are: Authentication
What you have: Credentials, attributes
What you can do: Privileges

{Authentication, Credentials, Privileges}


18

Authentication

Biometric: based upon physical or behavioral characteristics; answers "who are you?"
Digital: something you have or know
Two-factor authentication: biometric + digital

19

Identification vs. Verification

Identification: of all humans, which one are you?
Verification: does your biometric (bid sample) match a previously enrolled biometric template?

20

Physical Biometrics

Fingerprint, iris, retina, hand geometry, finger geometry, face geometry, ear shape, palm print, smell, thermal face image, hand vein, fingernail bed, DNA

21

Fingerprint Scanners

HP iPAQ, Digital Persona U.are.U Pro, IBM ThinkPad T42

22

False Acceptance/Rejection

False acceptance rate (FAR): incorrectly matches a bid sample to an enrolled template; this is very bad, so FAR must be very, very low
False rejection rate (FRR): fails to match a legitimate bid sample to an enrolled template; this is an annoyance, so FRR must be low if the technique is to be used

23

Fingerprints

70 points of differentiation (loops, whorls, deltas, ridges)
Even identical twins have differing fingerprint patterns
False acceptance rate < 0.01%
False rejection rate < 1.4%
Can distinguish a live finger
Fast to enroll
Inexpensive (~$50-100) for the reader

24

Iris Scans

Iris has 266 degrees of freedom
Identical twins have different iris patterns
False acceptance rate < 0.01%
False rejection rate < 0.01%
Does take some time and controlled lighting to enroll
Pattern is stored as a data template, not a picture
Flash light to detect pupil dilation (prove live eye)

25

Determining a Match

Enrollment produces a template
Bid sample produces another template
Hamming distance between them is the degree of difference

Enrolled: 011010101111011110000001...
Bid:      011010101100011110000111...
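A worked version of this matching rule, as an added example rather than the slides' own code: it computes the Hamming distance between the slide's two templates (truncated to their visible 24 bits) and estimates FAR and FRR over constructed genuine and impostor pairs for several thresholds, tying slide 22's error rates to slide 25's distance.

```python
# Added example: Hamming-distance matching and FAR/FRR estimation.
# All templates are constructed bit strings; the first pair is the
# slide's, truncated to the 24 bits that are visible on it.

def hamming_distance(a: str, b: str) -> int:
    """Number of bit positions in which two equal-length templates differ."""
    if len(a) != len(b):
        raise ValueError("templates must have equal length")
    return sum(x != y for x, y in zip(a, b))

def normalized_distance(a: str, b: str) -> float:
    """Hamming distance as a fraction of template length (0.0 = identical)."""
    return hamming_distance(a, b) / len(a)

def is_match(enrolled: str, bid: str, threshold: float) -> bool:
    """Accept the bid sample when it is closer than the threshold."""
    return normalized_distance(enrolled, bid) < threshold

def error_rates(genuine, impostor, threshold):
    """Estimate (FAR, FRR) for a threshold over labelled comparison pairs.
    genuine:  (enrolled, bid) pairs from the same person
    impostor: (enrolled, bid) pairs from different people
    FAR = accepted impostor pairs / impostor pairs (must be very, very low)
    FRR = rejected genuine pairs / genuine pairs (an annoyance if high)
    """
    far = sum(is_match(e, b, threshold) for e, b in impostor) / len(impostor)
    frr = sum(not is_match(e, b, threshold) for e, b in genuine) / len(genuine)
    return far, frr

ENROLLED = "011010101111011110000001"   # slide's enrollment template
BID = "011010101100011110000111"        # slide's bid sample: 4 bits differ

GENUINE = [  # constructed: same person, small sensor noise
    (ENROLLED, BID),
    (ENROLLED, "011010101111011010000001"),
    (ENROLLED, "011010101111011110000000"),
]
IMPOSTOR = [  # constructed: different people
    (ENROLLED, "100101010000100001111110"),
    (ENROLLED, "110000111100001111000011"),
    (ENROLLED, "011010101111000000111110"),
]

if __name__ == "__main__":
    print("Hamming distance:", hamming_distance(ENROLLED, BID))  # 4
    for t in (0.10, 0.25, 0.40):
        far, frr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
```

Raising the threshold trades FRR for FAR: at 0.10 one genuine pair is rejected, at 0.40 one impostor pair is accepted, and 0.25 separates these samples cleanly.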


27

Behavioral Biometrics

Signature, voice, keyboard dynamics

(Figure: sample signature, "Alfred C. Weaver")

28

Digital Techniques

PINs and passwords, e-tokens, smart cards, RFID, X.509 certificates

29

eToken

Stores credentials such as passwords, digital signatures and certificates, and private keys

Some can support on-board authentication and digital signing

30

Smart Card

Size of a credit card
Microprocessor and memory
All data movements encrypted

31

RFID

IC with antenna
Works with a variety of transponders
No power supply
Supplies identity information
Susceptible to theft and replay attacks

32

X.509 Certificates

Certificate issued by a trusted Certificate Authority (e.g., VeriSign)
Contains
  name
  serial number
  expiration dates
  certificate holder's public key (used for encrypting/decrypting messages and digital signatures)
  digital signature of the Certificate Authority (so recipient knows that the certificate is valid)
Recipient may confirm identity of the sender with the Certificate Authority

33

Authentication Token

<TrustLevelSecToken>
  <CreatedAt>2005-09-20T08:30:00.0000000-04:00</CreatedAt>
  <ExpiresAt>2005-09-21T08:30:00.0000000-04:00</ExpiresAt>
  <UserID>385739601</UserID>
  <TokenIssuer>http://cs.virginia.edu/TrustSTS.asmx</TokenIssuer>
  <TrustAuthority>http://cs.virginia.edu/TrustAuthority.asmx</TrustAuthority>
</TrustLevelSecToken>

34

Authentication Token

<TrustLevelSecToken>
  <CreatedAt>2005-09-20T08:30:00.0000000-04:00</CreatedAt>
  <ExpiresAt>2005-09-21T08:30:00.0000000-04:00</ExpiresAt>
  <UserID>385739601</UserID>
  <TrustLevel>Fingerprint</TrustLevel>
  <AuthenticationMethod>Digital Persona U.are.U</AuthenticationMethod>
  <TokenIssuer>http://cs.virginia.edu/TrustSTS.asmx</TokenIssuer>
  <TrustAuthority>http://cs.virginia.edu/TrustAuthority.asmx</TrustAuthority>
</TrustLevelSecToken>
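One way a resource could consume this token, as an added example (not the project's code): it parses the slide's TrustLevelSecToken, checks the issuer and validity window, and compares the TrustLevel against the level the resource requires. The trust ordering, the trusted-issuer set and the function names are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Assumed trust ordering, weakest first (the slide only shows "Fingerprint").
TRUST_ORDER = ["Password", "Fingerprint", "Iris"]
TRUSTED_ISSUERS = {"http://cs.virginia.edu/TrustSTS.asmx"}

def parse_time(text: str) -> datetime:
    """Parse a token timestamp; fromisoformat takes at most 6 fractional digits."""
    text = re.sub(r"\.(\d+)", lambda m: "." + m.group(1)[:6], text.strip())
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def parse_token(xml_text: str) -> dict:
    """Flatten the TrustLevelSecToken's child elements into a dict."""
    root = ET.fromstring(xml_text)
    if root.tag != "TrustLevelSecToken":
        raise ValueError("not a TrustLevelSecToken")
    return {child.tag: (child.text or "").strip() for child in root}

def check_token(token: dict, required_level: str, now: datetime):
    """Return (accepted, reason) for a resource that requires required_level."""
    if token.get("TokenIssuer") not in TRUSTED_ISSUERS:
        return False, "untrusted issuer"
    if not parse_time(token["CreatedAt"]) <= now < parse_time(token["ExpiresAt"]):
        return False, "outside validity window"
    level = token.get("TrustLevel")
    if level not in TRUST_ORDER:
        return False, "missing or unknown trust level"
    if TRUST_ORDER.index(level) < TRUST_ORDER.index(required_level):
        return False, f"{level} is weaker than required {required_level}"
    return True, "ok"

SLIDE_TOKEN = """<TrustLevelSecToken>
  <CreatedAt>2005-09-20T08:30:00.0000000-04:00</CreatedAt>
  <ExpiresAt>2005-09-21T08:30:00.0000000-04:00</ExpiresAt>
  <UserID>385739601</UserID>
  <TrustLevel>Fingerprint</TrustLevel>
  <AuthenticationMethod>Digital Persona U.are.U</AuthenticationMethod>
  <TokenIssuer>http://cs.virginia.edu/TrustSTS.asmx</TokenIssuer>
  <TrustAuthority>http://cs.virginia.edu/TrustAuthority.asmx</TrustAuthority>
</TrustLevelSecToken>"""   # token text from the slide

if __name__ == "__main__":
    tok = parse_token(SLIDE_TOKEN)
    now = parse_time("2005-09-20T16:00:00Z")
    print(check_token(tok, "Fingerprint", now))   # (True, 'ok')
    print(check_token(tok, "Iris", now))          # rejected: Fingerprint is weaker
```

The first token on the previous slide carries no TrustLevel at all, so the same check rejects it as "missing or unknown trust level" rather than silently treating it as the weakest level.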


36

Security Assertion Markup Language (SAML)

Applications require interoperable security solutions that transcend the boundaries of single security domains

Interoperable exchange of security information is essential to enable
  web single sign-on
  distributed authorization services
  securing electronic transactions

SAML addresses these issues

37

SAML Assertions

An assertion is a declaration of facts about a subject

SAML has three kinds, all related to security:

authentication, attribute, authorization decision

38

SAML Conceptual Model

Figure: SAML conceptual model, showing the three assertion types (Authentication Assertion, Attribute Assertion, Authorization Decision Assertion); the Authentication Authority, Attribute Authority, Policy Decision Point and Policy Enforcement Point that produce and consume them; the policies they consult; a Credentials Collector; and the System Entity making an Application Request.

39

Authentication Assertion

An issuing authority asserts that subject S was authenticated by means M at time T

Example: subject "Alfred C. Weaver" was authenticated by "password" at time "2005-09-18T10:02:00Z"

40

Example Authentication Assertion

<saml:Assertion AssertionID="128.9.167.32.12345678"
    Issuer="Robotics Corporation" IssueInstant="2005-09-19T10:02:00Z">
  <saml:Conditions NotBefore="2005-09-19T10:02:00Z" NotAfter="2005-09-23T10:02:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="password"
      AuthenticationInstant="2005-09-18T10:02:00Z">
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="robotics.com" Name="Alfred C. Weaver"/>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>

41

Attribute Assertion

An issuing authority asserts that subject S is associated with attributes 1, 2, 3… with attribute values a, b, c...

Example: "Alfred C. Weaver" in domain "robotics.com" is associated with attribute "Position" with value "Plant Manager"

42

Example Attribute Assertion

<saml:Assertion …>
  <saml:Conditions …/>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="robotics.com" Name="Alfred C. Weaver"/>
    </saml:Subject>
    <saml:Attribute AttributeName="Position" AttributeNamespace="http://robotics.com">
      <saml:AttributeValue>Plant Manager</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>

43

Authorization Decision Assertion

An issuing authority decides whether to grant the request: by subject S for access type A to resource R given evidence E

The subject could be a human or software

The resource is any object: data, web page, web service, etc.

44

Example Authorization Decision Assertion

<saml:Assertion …>
  <saml:Conditions …/>
  <saml:AuthorizationStatement Decision="Permit" Resource="http://www.robotics.com/production.html">
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="robotics.com" Name="Alfred C. Weaver"/>
    </saml:Subject>
  </saml:AuthorizationStatement>
</saml:Assertion>
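An added example of a policy decision point along these lines (not the slides' own code): it reads a SAML 1.x attribute assertion built from the slide's attribute example, checks its Conditions, decides Permit or Deny for the production page from the Position attribute, and emits a decision statement in the slide's style. The policy table, the helper names, and the filled-in Assertion and Conditions attributes (reused from the authentication assertion) are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
RESOURCE = "http://www.robotics.com/production.html"
# Assumed policy: attribute values that permit access to each resource.
POLICY = {RESOURCE: {"Position": {"Plant Manager"}}}

def iso(text: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2005-09-19T10:02:00Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def parse_attributes(xml_text: str, now: datetime):
    """Return (subject name, {attribute: value}) if the Conditions hold now."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is not None and not iso(cond.get("NotBefore")) <= now < iso(cond.get("NotAfter")):
        raise ValueError("assertion outside its validity window")
    stmt = root.find("saml:AttributeStatement", NS)
    name = stmt.find("saml:Subject/saml:NameIdentifier", NS).get("Name")
    attrs = {a.get("AttributeName"): a.findtext("saml:AttributeValue", "", NS).strip()
             for a in stmt.findall("saml:Attribute", NS)}
    return name, attrs

def decide(resource: str, attrs: dict) -> str:
    """Permit only when the subject holds an attribute value the policy lists."""
    rules = POLICY.get(resource, {})
    return "Permit" if any(attrs.get(k) in v for k, v in rules.items()) else "Deny"

def decision_assertion(subject: str, resource: str, decision: str) -> str:
    """Emit the slide-style authorization decision for the PEP to enforce."""
    return (f'<saml:AuthorizationStatement xmlns:saml="{NS["saml"]}" '
            f'Decision="{decision}" Resource="{resource}">'
            f'<saml:Subject><saml:NameIdentifier Name="{subject}"/></saml:Subject>'
            '</saml:AuthorizationStatement>')

# Constructed from the slide's attribute assertion; the elided attributes reuse the slide's authentication-assertion values.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AssertionID="128.9.167.32.12345678" Issuer="Robotics Corporation"
    IssueInstant="2005-09-19T10:02:00Z">
  <saml:Conditions NotBefore="2005-09-19T10:02:00Z" NotAfter="2005-09-23T10:02:00Z"/>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="robotics.com" Name="Alfred C. Weaver"/>
    </saml:Subject>
    <saml:Attribute AttributeName="Position" AttributeNamespace="http://robotics.com">
      <saml:AttributeValue>Plant Manager</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

An assertion presented outside its NotBefore/NotAfter window is refused before any policy is consulted, so a stale attribute never reaches the decision.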


46

Federation

Web services single sign-on
How can identity, once legitimately established in one trust domain, be reliably and securely shared with another trust domain?
How does authentication transfer?
What are you authorized to do in a different trust domain?

47

Federated ATM Network

Figure: an account number and PIN presented to a visiting bank network are checked with the home bank network over a network of trust, and funds are released.

48

Figure: Administrative Decision. The requestor obtains an identity token from the IP/STS (1); an administrator decides on a per-request basis whether to admit the requestor (2, "Yes"); the requestor then accesses the resource (3).

49

Basic Federation: Direct Trust Token Exchange

Figure: the requestor's IP/STS and the resource's IP/STS trust each other. The requestor gets an identity token from its own IP/STS (1), exchanges it for an access token at the resource's IP/STS (2), and presents the access token to the resource (3).

50

Indirect Trust

C trusts B which vouches for A who vouches for client

Figure: three IP/STSs (A, B, C) linked by pairwise trust relationships sit between the requestor and the resource; the exchange proceeds in three numbered steps along the chain.

51

System Design


53

Research Challenges

Authentication tokens
  SAML permits enumeration, but not substitution, of acceptable tokens
  Trustworthiness varies even within a technology, but SAML does not capture this distinction
  Our TrustLevel concept is just a beginning; trust is more complicated than a number

54

Research Challenges

Authorization rules
  Human organizations are complex, and so are their rules
  Role delegation
  Human/computer interface

55

Research Challenges

Federation
  Currently an infant science
  Many issues surround trust management: establishment, representation, exchange, enforcement, storage, negotiation

56

Research Challenges

Tools and techniques
  how to specify access policies
  locate policy inconsistencies
  human/computer interface
Formalisms
  need formal methods to structure our thoughts, processes and implementations
  need proofs of correctness