© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential User-centric Identity User-centric Identity Hank Mauldin CE Meeting - February 26, 2008 Cisco Systems Diagram by Francis Shanahan
Page 1: User-centric Identity
Hank Mauldin
CE Meeting - February 26, 2008
Cisco Systems
Diagram by Francis Shanahan

Page 2
• This discussion represents the work done to date for a white paper on User-Centric Identity.
• Proposed a 1 year research project - 3 months into study
  Explore a different area and new technologies in identity
  No preconceived ideas or theories
  Are there real solutions here?
  Discover what are the advantages and disadvantages
  Ultimately what is the impact on Cisco?
  Can Cisco leverage these technologies?
• Discussing promising technologies/protocols
  EDCS-647257 - first draft available

Page 3: Agenda
• Introduction
• Historical Perspective on Identity
  Centralized Approach
  Distributed Approach with Federation
  User-centric Approach
• Technologies
  XRI
  OpenID
  OAuth
  EV SSL Certificates
  Information Cards
• Do these technologies address user’s problems
• Impact on Cisco

Page 4: Users have ‘zillions’ of digital identities…
[Diagram: “YOU” at the centre, surrounded by the contexts in which a user holds identities]
• Core Communities of Interest: Book club, Family
• Online shopping / eCommerce (e.g. Amazon, eBay)
• Social Networks / Social Networking (e.g. LinkedIn): Professional networks, Dating networks
• Personal Finance
• Virtual Spaces: Second Life, Croquet, WOW, SharePoint
Sites and accounts shown around the user: YouTube, open social, MySpace, Facebook, LinkedIn, eBay, Amazon, newegg, Audible, Second Life, Croquet, WOW, Source Forge, flickr, del.ici.ous, AOL, wikipedia, Google, Yahoo, MSN, brokerage, bank account, car loan, paypal, mortgage / rent, 401k, VISA

Page 5: Common Issues for Users
• Credential Management
  Too many login ids and password combinations to remember, or worse, they are all the same
  Using lowest strength credentials (passwords) for high value transactions
• Ease of Use
  Remembering which credentials to use with a site
  Filling in the same information for registration forms at different sites
• User concern over personal information
  Concern about the information collected by sites and what happens to the data after collection
  Protection from impersonation and identity theft
• Phishing
  How does a user really know they are at the site they think they are?
• Issue over vetting process of user’s identity
  User proves identity by ownership of email address

Page 6: Terms
[Diagram: User (Principal), Identity Provider and Relying Party; example providers shown: MyOpenID, Verisign, AOL, eBay, Amazon, Facebook, Flickr]
• User: an actor requesting access to the network or an application within the network.
• Service Provider (SP): From a principal’s perspective, a service provider is providing services and/or goods, typically through a website.
• Identity Provider (IdP): A special service provider that manages identity information on behalf of principals and provides assertions of the principals’ authentication to other providers.
• Relying Party (RP): A special service provider that is the recipient of a message that relies on a request message and associated assertions to determine whether to provide a requested service.

Page 7: Relationship between entities
Trust is the foundation of any security model. Trust is the expression between entities that one entity will believe statements (claims) made by another entity; it is based on evidence – history, experience, contracts, etc. – and risk tolerance.
[Diagram: the User (Principal) authenticates to the Identity Provider and uses the services of the Relying Party; the Relying Party trusts the Identity Provider]

Page 8: Basic Use Case
[Diagram: User (Principal), Relying Party and Identity Provider, with steps 1 to 4]
1. User tries to access protected resource
2. User needs to be authenticated - browser redirected to Identity Provider
3. User is authenticated by Identity Provider
4. Authentication assertion sent to Relying Party

Page 9: Concept of user-centric identity
• User in the middle of transaction
• User has a consistent user experience
• User is in control of their personal attributes
[Diagram: User (Principal) between Identity Provider and Relying Party]

Page 10: Historical Perspective
Diagram by Francis Shanahan

Page 11: Timeline
Years shown: 2000 2001 2002 2003 2004 2005 2006 2007
[Timeline diagram; the year position of each entry is not recoverable from the text]
Centralized Approach: Microsoft .Net Passport, Windows Live ID
Distributed Approaches with Federation: Liberty “Phase 1”, Liberty ID-FF 1.1, Liberty ID-FF 1.2; SAML 1.0, SAML 1.1, SAML 2.0; Shibboleth 1.0/1.1, Shibboleth 1.2, Shibboleth 1.3; WS-* Specifications (WS-Federation)
User-centric Approaches:
  Information Cards: CardSpace, Higgins
  URL-based: sxip, LID, OpenID 1.0, OpenID 2.0
  XRI-based: XRI i-names

Page 12: User-centric approaches
• URL-based: LID, sxip, OpenID
• XRI-based: i-names
• Information Cards: CardSpace, Higgins, Bandit project

Page 13: OpenID 2.0
• Open, decentralized, free framework
• Can transform an existing URI from one’s blog, profile page, etc. to be an identifier
• IdP discovery is built into the URI
• Authentication scheme provides a way to prove that a principal owns an Identity URL without passing around their password or email address.
• Light-weight default trust model
• Ease of integration into scripted web platforms

Page 14: i-names (XRI)
• i-names are called unified digital addresses
  Human readable (i-numbers are machine readable)
• Provides an address one can keep for life
[Diagram: permission-based resolution through a privacy barrier to the attributes behind an i-name: email addresses, postal addresses, current location, fax numbers, phone numbers, any attribute referenced by a URI or encoded in XML]
An i-name is a new “superaddress” that gives its owner complete control over its use

Page 15: Information Cards
• CardSpace
  Central feature is the identity selector - allows one to pick a credential visually represented as a card to send to an RP
  Token-based system
  Two types of cards supported:
    Personal cards - self issued
    Managed cards - provided by identity providers
  Separation of authentication and storage of personal information
  Microsoft has released all their associated IP
• Higgins
  Provides a software infrastructure to support all the popular digital identity protocols
  Extends types of cards - r-cards, z-cards, & s-cards
  Selectors available for Windows, Linux and Mac OS X
• Bandit
  Currently providing a CardSpace compatible card selector for Linux and Mac OS X based on the Higgins card selector

Page 16: Summary of Identity Spaces
[Venn diagram] Credit for this Venn Diagram goes to Paul Madsen and Johannes Ernst

Page 17: OSIS (Open Source Identity System)
[Venn diagram, “Identity in 2007”: URL-based (grassroots, open source, blogging); SAML-based (Liberty Alliance companies); WS-*-based (Microsoft Vista). Paradigms labelled: Identifier-based paradigm, Card-based paradigm, Invisible to the user]
OSIS Agreement: “historic development” (ZDNet)
Participants: Microsoft, IBM, Verisign, Red Hat, Novell, Cordance, Higgins, Shibboleth, Sxip, Sun, NetMesh
OSIS started to bring together identity-related projects in order to synchronize and harmonize the construction of an interoperable identity layer for the Internet.

Page 18: Technologies
Diagram by Francis Shanahan

Page 19
• XRI
• OpenID
• OAuth
• EV SSL Certificates
• CardSpace
• Higgins

Page 20: XRI (Extensible Resource Identifier)
• XRIs can identify people, organizations, concepts, applications, devices, digital objects or anything else
• XRI builds on the IRI (International Resource Identifier, RFC 3987) by extending the syntax
• XRIs start with “xri://” followed by an authority segment and a path portion (if any), for example:
  xri://broadview.library.example.com/(urn:isbn:0-395-36341-1)
• The idea is that web addresses evolve from URLs to XRIs
• Foundational technology for XDI (XRI Data Interchange), the Higgins project and useful for OpenID

Page 21: XRI Characteristics
• XRIs come in pairs
  i-name which is human readable and changeable
  i-number which is permanent (links use the i-number)
• Adds a layer of indirection on top of DNS- and IP-based URLs to enable better control over their persistent identity
• This indirection allows semantic mapping for sharing of identifiers across domains
• Reserved global context symbols:
  +, for general dictionary tags like +blog, +salmon, +love
  $, for special dictionary tags like $d (date), $v (version)
  =, for a personal persistent address like =hank.mauldin
  @, for an organization like @example.company
• When using global context symbols, one does not need to use a protocol prefix (xri://)
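An added example (not code from the deck) that parses the XRI forms shown on pages 20 and 21: the xri:// form with a DNS-style authority and a parenthesised cross-reference path, and the bare =, @, +, $ forms that need no prefix. Identifiers other than the slides' own are constructed, and the i-number rule (a leading "!") is an assumption taken from XRI syntax that the slides do not state.

```python
"""Parser for the XRI forms shown on the slides (added example, not from the
deck): the xri:// form with an IRI-style authority, and the bare global context
symbol forms =, @, +, $ that need no scheme prefix."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Reserved global context symbols and their meanings, as listed on the slide.
GCS_MEANINGS = {
    "+": "general dictionary tag",
    "$": "special dictionary tag",
    "=": "personal persistent address",
    "@": "organization",
}


@dataclass(frozen=True)
class ParsedXRI:
    raw: str
    gcs: Optional[str]   # global context symbol, or None for an IRI-style authority
    kind: str            # meaning of the authority segment
    authority: str       # authority segment without the symbol
    path: str            # path portion (may be empty), leading "/" removed
    persistent: bool     # True when the authority is an i-number, not an i-name


def _split_authority_path(s: str) -> Tuple[str, str]:
    """Split at the first '/' outside parentheses. XRI cross-references are
    parenthesised, as in (urn:isbn:...), and may contain '/' themselves."""
    depth, split = 0, None
    for i, ch in enumerate(s):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' in XRI")
        elif ch == "/" and depth == 0 and split is None:
            split = i
    if depth != 0:
        raise ValueError("unbalanced '(' in XRI")
    if split is None:
        return s, ""
    return s[:split], s[split + 1:]


def parse_xri(xri: str) -> ParsedXRI:
    s = xri.strip()
    had_prefix = s.lower().startswith("xri://")
    if had_prefix:
        s = s[len("xri://"):]
    if not s:
        raise ValueError("XRI has no authority segment")
    if s[0] in GCS_MEANINGS:
        gcs, rest, kind = s[0], s[1:], GCS_MEANINGS[s[0]]
    elif had_prefix:
        gcs, rest, kind = None, s, "IRI-style (DNS) authority"
    else:
        # Only the global context symbol forms may omit the xri:// prefix.
        raise ValueError("missing xri:// prefix on an XRI without a global context symbol")
    authority, path = _split_authority_path(rest)
    if not authority:
        raise ValueError("XRI has no authority segment")
    # Assumption from XRI syntax, not stated on the slide: a persistent i-number
    # is written with a leading '!' (e.g. =!1234.5678), an i-name without it.
    persistent = authority.startswith("!")
    return ParsedXRI(xri, gcs, kind, authority, path, persistent)


def is_valid_xri(xri: str) -> bool:
    """Accept/reject helper an RP can apply before treating input as an XRI."""
    try:
        parse_xri(xri)
        return True
    except ValueError:
        return False
```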

Page 22: Extended Validation SSL Certificates
• Phishing scams are a big issue
• Answer needs to address two issues
  1. Provide a method that ensures users know the true owner of a website
  2. Provide a browser interface that makes it easy to see the identity when it’s known and recognize when it isn’t
• Proposed Answer is a new category of SSL certificate with an issuing process that helps ensure the entity is who it claims to be, and browser modifications

Page 23: EV Certificate Guidelines
• CA/Browser Forum consisting of CAs, Internet browser vendors and American Bar Assoc. released version 1.0 of EV Certificate Guidelines for a new EV certificate.
• Uses existing SSL certificate format, but provides a strictly enforced issuance policy with revocation measures.
• The issuers must:
  Verify the legal, physical and operational existence of identity
  Verify the identity of the entity matches official records
  Verify the entity has exclusive rights to use the domain specified in the certificate
  Verify the entity has properly authorized the issuance of the EV certificate

Page 24: EV Browser Modifications
• When a browser visits a site secured with an EV certificate, the address bar will turn green and display the name of the organization listed in the certificate as well as the issuing CA.
• If on a bogus site, the address bar will not display green
• The security status bar shows the transaction was encrypted and the organization has been authenticated
• Microsoft IE 7 is first browser to meet the new standard
• FireFox browsers have a plug-in available

Page 25: Example of Address & Security Bar
[Screenshot of the EV address bar and security status bar]

Page 26: Thoughts on EV SSL Certs
• Appears to be a step in the right direction
• One concern is the cost of the new certificate
• New CA vendors dependent on browser vendors
• It seems to be a couple of years away for wide spread use, but some companies (eBay and PayPal) are already using these certs.

Cost table as shown on the slide (the Thawte row has only two values):
Vendor     Current Cost (One year)   One Year   Two Year
Verisign   $399                      $1,499     $2,695
Thawte     (not shown)               $899       $1,495
Digicert   $99                       $495       $795

Page 27: OpenID 2.0
• Fastest growing user-centric identity system
  Because AOL (63 million users) and Yahoo (248 million users) provided all their users with OpenIDs automatically
• Specifically addresses web single sign-on (SSO) use cases
• Replace the self generated usernames & passwords with a single login credential
• Provides simple attribute exchange
• Only requires an unmodified browser
• Light-weight protocols and easy for RPs to implement

Page 28: OpenID Protocol Drilldown
[Diagram: User, Client, Relying Party (RP) and Identity Provider (IdP); example identifiers shown: http://openid.aol.com/screenname=hank.mauldin and http://mosby.myopenid.com]
1. User wants to access their LiveJournal blog
2. Redirected to myOpenID.com
3. Authentication
4. Redirected back to LiveJournal account
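Added example, not code from the deck or from any OpenID library: a toy IdP and relying party run the four steps above with an OpenID 2.0 style association (a shared HMAC key), and the RP verifies the redirected assertion before trusting the claimed identifier, rejecting replayed, tampered, stale and misdirected responses. The endpoints and the return_to URL are constructed; the identifier is the slide's http://mosby.myopenid.com.

```python
"""Relying-party verification of an OpenID 2.0 positive assertion (added
example, not code from the deck or any OpenID library). A toy IdP (OP) and RP
share an association MAC key; the RP checks the signed response of step 4."""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

OPENID_NS = "http://specs.openid.net/auth/2.0"
NONCE_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Fields a positive assertion must sign; claimed_id/identity join them when present.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}

def kv_form(fields: Dict[str, str], signed: List[str]) -> bytes:
    """Key-Value Form of the signed fields: 'key:value\\n' per field, in order,
    with the 'openid.' prefix stripped from the key, as the signature algorithm uses."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()

def compute_sig(fields: Dict[str, str], signed: List[str], mac_key: bytes) -> str:
    digest = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

class OpenIDProvider:
    """The IdP. Step 3 (authenticating the user) is assumed to have succeeded;
    this only builds the signed redirect back to the RP (step 4)."""

    def __init__(self, endpoint: str, assoc_handle: str, mac_key: bytes):
        self.endpoint, self.assoc_handle, self.mac_key = endpoint, assoc_handle, mac_key

    def positive_assertion(self, claimed_id: str, return_to: str, now: datetime) -> Dict[str, str]:
        nonce = now.strftime(NONCE_FMT) + secrets.token_urlsafe(6)  # timestamp + unique suffix
        fields = {
            "openid.ns": OPENID_NS, "openid.mode": "id_res",
            "openid.op_endpoint": self.endpoint,
            "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
            "openid.return_to": return_to, "openid.response_nonce": nonce,
            "openid.assoc_handle": self.assoc_handle,
        }
        signed = ["op_endpoint", "claimed_id", "identity", "return_to",
                  "response_nonce", "assoc_handle"]
        fields["openid.signed"] = ",".join(signed)
        fields["openid.sig"] = compute_sig(fields, signed, self.mac_key)
        return fields

class RelyingParty:
    """Checks the redirected response before trusting the claimed identifier."""

    def __init__(self, return_to: str, associations: Dict[str, tuple],
                 max_skew: timedelta = timedelta(minutes=5)):
        self.return_to, self.max_skew = return_to, max_skew
        self.associations = associations   # assoc_handle -> (op_endpoint, mac_key)
        self.seen_nonces = set()

    def verify(self, fields: Dict[str, str], now: datetime) -> Optional[str]:
        """Return the claimed_id if the assertion is acceptable, else None."""
        if fields.get("openid.ns") != OPENID_NS or fields.get("openid.mode") != "id_res":
            return None
        assoc = self.associations.get(fields.get("openid.assoc_handle", ""))
        if assoc is None or fields.get("openid.op_endpoint") != assoc[0]:
            return None
        signed = fields.get("openid.signed", "").split(",")
        wanted = REQUIRED_SIGNED | ({"claimed_id", "identity"} if "openid.claimed_id" in fields else set())
        if not wanted.issubset(signed) or any("openid." + k not in fields for k in signed):
            return None
        if not hmac.compare_digest(compute_sig(fields, signed, assoc[1]), fields.get("openid.sig", "")):
            return None
        if fields["openid.return_to"] != self.return_to:   # meant for this RP, not another
            return None
        nonce = fields["openid.response_nonce"]
        try:
            issued = datetime.strptime(nonce[:20], NONCE_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return None
        if abs(now - issued) > self.max_skew or nonce in self.seen_nonces:  # stale or replayed
            return None
        self.seen_nonces.add(nonce)
        return fields["openid.claimed_id"]

def run_openid_demo() -> Dict[str, Optional[str]]:
    """Steps 1-4 from the slide plus the responses an RP must reject.
    Endpoints and the return_to URL are constructed; the identifier is the slide's."""
    mac_key = secrets.token_bytes(32)
    now = datetime(2008, 2, 26, 10, 0, 0, tzinfo=timezone.utc)
    op = OpenIDProvider("https://idp.example/server", "assoc-1", mac_key)
    rp = RelyingParty("https://blog.example/openid/return", {"assoc-1": (op.endpoint, mac_key)})
    user = "http://mosby.myopenid.com"
    good = op.positive_assertion(user, rp.return_to, now)
    results = {"valid": rp.verify(good, now), "replay": rp.verify(good, now)}
    tampered = dict(op.positive_assertion(user, rp.return_to, now))
    tampered["openid.claimed_id"] = "http://someone-else.example"
    results["tampered"] = rp.verify(tampered, now)
    other_rp = op.positive_assertion(user, "https://other-site.example/return", now)
    results["wrong_return_to"] = rp.verify(other_rp, now)
    stale = op.positive_assertion(user, rp.return_to, now - timedelta(hours=1))
    results["stale"] = rp.verify(stale, now)
    return results
```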

Page 29: OpenID Concerns
• No real trust framework
• Basic principle between IdP and RP is to TRUST
• Advantage: IdPs and RPs can work together without prior relationships
• Neutral: only good for low value transactions such as blog or wiki comments
• Concern: OpenID potentially makes the Phishing problem worse
  A person can put up a great site that takes OpenID and phish the Identity Provider’s site to harvest the user’s credentials

Page 30: OpenID Concerns (continued)
• Concern: User has one unique identifier and so an IdP can track all the websites a user logs into.
  Cross site profiling would be easy
  Privacy issue for users
• Cannot be used for delegation of authority (instead using OAuth)
• Neutral: If a person uses a domain-name URL as their OpenID, they must be careful not to lose the domain name (expires, and not renewed)
• Neutral: Unclear what the business case is for the smaller IdPs (OpenID Providers)
  Giving away free OpenIDs

Page 31: Thoughts on OpenID
• Top 4 issues the OpenID community wants to fix
  Solve the Phishing issue
  Make the UI experience a little less geeky (typing in URLs)
  Single Sign-out
  Optimize performance
• My belief is they will move towards using a combination of EV SSL certificates and Information Cards to solve the first issue above
• Microsoft, IBM, Google, Yahoo and Verisign have joined the OpenID Foundation Board - announced February 2008

Page 32: OAuth
• OAuth Core version 1.0 is released
• Offers secure delegation of authority
• Complements rather than replaces authentication
  Extends the usefulness of OpenID
• Brings together in one standardized way delegation of authority by many of the major well established security protocols
  Google AuthSub
  AOL OpenAuth
  Yahoo BBAuth
  Upcoming API
  Flickr API
  Amazon Web Services API

Page 33: Information Cards
• Microsoft Identity Metasystem: CardSpace
• Higgins project: Bandit, Higgins

Page 34: Seven Laws of Identity
• Kim Cameron (Microsoft) developed the 7 laws which shaped the design of the Identity Metasystem
• The Seven Laws are:
  1. User Control and Consent - only reveal information with user’s consent
  2. Minimal Disclosure - release least amount of information and limit its use
  3. Justifiable Parties - limit to entities that are necessary in identity relationship
  4. Directed Identity - protect against correlation across services
  5. Pluralism of Operators - enable multiple technologies and identity providers
  6. Human Integration - integrated into system and protect against id attacks
  7. Consistent Experience - provide simple, consistent experience across different contexts

Page 35: Identity Metasystem Concepts
• Digital Identity: A set of claims in a security token provided by (and about) a user
• Roles in the identity meta-system:
  User (subject)
  Identity Provider
  Relying Party
• Protocol:
  1. User goes to site for a resource
  2. User is asked for identity (and required claims) from RP
  3. User chooses an identity provider
  4. Identity provider gives user a security token (meeting required claims)
  5. User passes the token to the RP

Page 36: WS-* MetaSystem Architecture
[Diagram of the WS-* identity metasystem:
  Subject, with an Identity Selector
  Identity Providers (each with Token Capabilities, WS-SecurityPolicy and an STS); token types shown: Kerberos, X.509
  Relying Parties (each with Token Requirements and WS-SecurityPolicy); token types shown: SAML, X.509, Kerberos, Custom
  Protocols between the parties: WS-Trust, WS-MetadataExchange, WS-Security]

Page 37: CardSpace Protocol Drilldown (Windows CardSpace)
[Diagram: User, Client, Relying Party (RP) and Identity Provider (IdP)]
1. Client wants to access a resource
2. RP provides identity requirements
3. Which IdPs can satisfy requirements?
4. User selects an IdP
5. Request security token (authentication required e.g. X509, Kerberos, username/pwd, self-issued token)
6. Return security token based on RP’s requirements (any format) – and optional signed display token
7. User approves release of token
8. Token released to RP (RP reads token and allows access)

Page 38: CardSpace Card Selector
[Screenshot of the CardSpace card selector]

Page 39: CardSpace Cards
Self-Issued Card
• Contains claims about my identity that I assert
• Fixed set of claims
• Not corroborated
• Card and data stored locally
• Signed and encrypted to prevent replay attacks
• Presented by user during account sign-up
Managed Cards
• Created and signed by IdPs, such as banks, stores, government, clubs, etc.
• Provisions .CRD file via email, website, group policy etc. which user installs
• Locally stored cards contain metadata only (not values)
• Data stored at Identity Provider and obtained only when card submitted (from STS)

Page 40: CardSpace Security
• CardSpace Environment (secure shell)
  Runs under separate desktop and restricted account
  Isolates CardSpace runtime from Windows desktop – no programmatic access
• All data encrypted (inc. memory) until use
• All parties strongly identified
• Privacy
  RP can be hidden from IdP
  Signing key for self-issued token varies for each RP
  User controls release of information
  Cards can be protected with a PIN
• Parties must identify themselves via Trust Dialog
  Verifies provided certificate for all parties that interact with user
  RP: Appears on first visit, IdP: when user imports card
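Added example, not Microsoft's or the deck's code, tying together the protocol drilldown (page 37), the two card types (page 39), the per-RP signing key above and law 4, Directed Identity (page 34), as the answer to the cross-site tracking concern raised against OpenID on page 30: a selector matches cards to an RP's requirements, releases only the required claims, fetches managed-card values from the issuer's STS, and derives a pairwise identifier and key per RP. Cards, RPs, claim names and the STS are constructed, and the HMAC-based key derivation is a simplification of CardSpace's per-RP asymmetric keys.

```python
"""Identity-selector logic from the CardSpace slides (added example, not
Microsoft's or the deck's code): match cards to an RP's token requirements,
release only the required claims, and derive a per-RP pairwise identifier and
signing key so one card is not a cross-site tracking handle."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

@dataclass
class Card:
    name: str
    kind: str                                   # "self-issued" or "managed"
    supported_claims: Set[str]
    token_types: Set[str]
    master_secret: bytes = b""                  # self-issued: per-card secret (constructed)
    values: Dict[str, str] = field(default_factory=dict)  # self-issued: stored locally
    issuer: Optional[str] = None                # managed: the IdP/STS holding the values

@dataclass(frozen=True)
class RPRequirements:
    rp_identity: str                            # e.g. subject of the RP's certificate
    required_claims: Set[str]
    accepted_token_types: Set[str]

def matching_cards(cards: List[Card], req: RPRequirements) -> List[Card]:
    """Step 3 of the protocol drilldown: which cards (IdPs) satisfy the RP?"""
    return [c for c in cards if req.required_claims <= c.supported_claims
            and c.token_types & req.accepted_token_types]

def derive_rp_key(card: Card, rp_identity: str) -> bytes:
    """Per-RP key for a self-issued card. CardSpace derives an asymmetric key
    pair per RP; an HMAC-based derivation is used here as a simplification."""
    return hmac.new(card.master_secret, rp_identity.encode(), hashlib.sha256).digest()

def ppid(card: Card, rp_identity: str) -> str:
    """Private personal identifier: stable for one RP, unrelated for another,
    which is what 'directed identity' asks for."""
    digest = hashlib.sha256(derive_rp_key(card, rp_identity)).digest()[:16]
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")

STS = Callable[[str, Set[str]], Dict[str, str]]

def release_claims(card: Card, req: RPRequirements, sts: STS) -> Dict[str, str]:
    """Minimal disclosure: only the claims the RP asked for. Managed cards hold
    no values locally (steps 5-6), so they are fetched from the issuer's STS."""
    if not req.required_claims <= card.supported_claims:
        raise ValueError(f"{card.name} cannot satisfy the RP's required claims")
    source = card.values if card.kind == "self-issued" else sts(card.issuer, req.required_claims)
    return {k: source[k] for k in sorted(req.required_claims)}

def self_issued_token(card: Card, req: RPRequirements) -> Dict[str, str]:
    """Token for step 8, bound to the RP and MACed with the per-RP key."""
    if card.kind != "self-issued":
        raise ValueError("managed cards are signed by their issuer, not locally")
    claims = release_claims(card, req, lambda *_: {})
    claims["ppid"] = ppid(card, req.rp_identity)
    body = json.dumps({"audience": req.rp_identity, "claims": claims}, sort_keys=True)
    mac = hmac.new(derive_rp_key(card, req.rp_identity), body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}

def verify_self_issued_token(token: Dict[str, str], rp_key: bytes) -> bool:
    """RP side: the key it recorded at sign-up must verify later tokens."""
    expected = hmac.new(rp_key, token["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["mac"])

def run_cardspace_demo() -> dict:
    """Constructed cards, three RPs, and one managed-card issuer."""
    personal = Card("Personal", "self-issued", {"givenname", "surname", "email"},
                    {"self-issued"}, master_secret=b"constructed-card-secret",
                    values={"givenname": "Hank", "surname": "Mauldin", "email": "hank@example.com"})
    bank = Card("Bank card", "managed", {"email", "account_verified"}, {"SAML1.1"},
                issuer="https://bank.example/sts")
    bank_records = {"email": "hank@bank.example", "account_verified": "true"}
    def bank_sts(issuer: str, claims: Set[str]) -> Dict[str, str]:
        return {k: bank_records[k] for k in claims}
    blog = RPRequirements("CN=blog.example", {"email"}, {"self-issued", "SAML1.1"})
    store = RPRequirements("CN=store.example", {"email", "givenname"}, {"self-issued"})
    broker = RPRequirements("CN=broker.example", {"account_verified"}, {"SAML1.1"})
    token = self_issued_token(personal, blog)
    return {
        "blog_cards": [c.name for c in matching_cards([personal, bank], blog)],
        "broker_cards": [c.name for c in matching_cards([personal, bank], broker)],
        "blog_claims": sorted(json.loads(token["body"])["claims"]),
        "ppid_stable": ppid(personal, blog.rp_identity) == ppid(personal, blog.rp_identity),
        "ppid_unlinkable": ppid(personal, blog.rp_identity) != ppid(personal, store.rp_identity),
        "blog_verifies": verify_self_issued_token(token, derive_rp_key(personal, blog.rp_identity)),
        "store_key_fails": verify_self_issued_token(token, derive_rp_key(personal, store.rp_identity)),
        "managed_local_values": bank.values,
        "managed_claims": release_claims(bank, broker, bank_sts),
    }
```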

Page 41: Thoughts on CardSpace
• Advantages:
  Replace login ids & passwords with cryptographically strong tokens containing identity claims
  Consistent login and registration
  Centers around a simple to use Identity Selector
  Digital identities represented by cards
  Multi-factor authentication
  Helps avoid phishing
  Users in control
• Disadvantage:
  Not a single sign-in solution
• Concerns:
  Identity portability
  Revocation

Page 42: Higgins Project
• Higgins provides the same user experience as CardSpace
• It functions with the same card metaphor, but extends the types of cards
• However, Higgins is a framework to provide interoperability between different identity systems
  An abstraction layer for identity and social networking services
• Allows plug-ins from different contexts

Page 43: Higgins Framework
[Layered diagram]
End User Applications: Web Services, Eclipse Rich Client Platforms, Browser extensions; Higgins Browser Extension (HBX); Relying Party Policy/Tags
Information Card Selector: Identity Selector Service (ISS), STS
Interoperability Framework: Identity Attribute Service (IdAS), Application Programming Interface (API), Context Provider Interface (CPI)
Plug-ins: Context Providers for CardSpace, OpenID, SAML
Context Data Sources: LDAP, AD, Files, Directories, Social Networks, Databases

Page 44: Identity Attribute Service (IdAS)
• Aggregate and federate identity information
• Uses the Higgins Data Model
  Represents an identity and its attributes in a context
• The plug-ins enable the IdAS to read data from the contexts and map the data to the Higgins Data Model
• Each context may have its own ontology defined using higgins.owl

Page 45: Interoperability
• Requirements for interoperability
  1. Common data model
  2. API abstraction/framework
  3. Schema mapping
• #1 addressed by Higgins
• #2 can be addressed using the Higgins Identity Attribute Service (aka IdAS)
• #3 addressed by industry collaborations within Identity Commons and other groups

Page 46: Digital Subjects and their attributes
• Digital Subjects are representations of entities (e.g. real world people, groups, organizations, etc.)
• Digital Subjects are sets of identity, profile and relationship attributes
[Diagram legend]
  Digital Subject
  “Normal” attributes (e.g. String, number, boolean, etc.)
  Relation attribute
  Correlation attribute (a specialization of relation)
  A profile
  = Digital Subject that represents entity #1 (e.g. you)
  = Digital Subject that represents some entity other than #1 (e.g. someone other than you)

Page 47: i-cards
• Store credentials, profiles, personal data, and social networks – not just for sign-in!
• New types of i-cards defined
  r-cards (relationship cards): data partially owned by both entities
  s-cards (SAML cards): for interoperability with SAML 2.0
  z-cards (zero-knowledge cards): selective disclosure of claims; zero-knowledge proofs; sole authority over claim values; IBM to deliver based on their idemix technology
[Illustration: a Personal i-card for Hank Mauldin]

Page 48: Bandit Card Selector showing claims
[Screenshot of the Bandit card selector]

Page 49

Higgins software project status

•Higgins 1.0 development done by 12/31; supports the self-issued and managed cards

•Ongoing series of multi-company (Microsoft, etc.) interoperability events over the past year, and continuing

•IBM and Novell have announced they will ship Higgins-based products

•Parity is offering to host Higgins-based services

Page 50

Thoughts on Higgins

• In general, I believe the card metaphor will succeed in the marketplace

•Higgins has already shown it can interoperate with CardSpace

•Several influential vendors (IBM, Novell) are committed to delivering Higgins implementations

•Meeting their goals for the framework is a large challenge, especially around the data model and schemas

Page 51

Do these technologies address user issues?

Diagram by Francis Shanahan

Page 52

Credential Management

•Both OpenID and Information Cards provide a solution to the issue of too many passwords to remember

•Both help with registration at web sites rather than just form filling

•OpenID provides SSO, but uses a single identifier

• Information Cards do not provide SSO, but provide better privacy by using a different personal id per site

Page 53

Ease of Use

•OpenID requires a user to type in a URI

Common complaint is that this is a little geeky

Current browsers do not store URIs as they do usernames

My belief is that the OpenID community will move towards using information cards as an optional front-end in certain situations

• Information Cards provide a metaphor that most people grasp instantly

Seems to me to be useful on the mobile devices (smartphones)

Importing the managed cards is not as simple as it could be

Recovery from PC crash or loss not well defined (problem similar to losing one’s wallet)

Page 54

User Control over their personal info

•OpenID with attribute exchange supports user control

•OpenID with delegation can only give “full delegation”, so it cannot restrict access to only certain services - a security risk

•OAuth is being used due to this restriction in OpenID

• Information Cards allow the user to review, edit and decide which claims to release prior to their being sent

The selector does keep track of which attributes have been sent to a site, so the user has a record of which attributes have been released to which relying parties

Page 55

Phishing

•OpenID has a perceived problem with phishing

Some discussion about using Information Cards to authenticate at the IdP to help avoid phishing

• Information Cards are phishing resistant

Selector keeps track of which card has been used at a site

User receives a visual indication when the site is not a proper one

•EV SSL certificates help with this problem once widely deployed and browsers are updated
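A minimal model of the selector behaviour described on the Credential Management, User Control and Phishing slides: a per-site identifier so that sites cannot correlate the user, a memory of which card was used at which site (the phishing cue), and a record of which claims were released to which relying party. This is an added illustration, not code from the deck, CardSpace or Higgins; the pairwise_id derivation is a simplified stand-in for the real PPID algorithm, and the card, site names and claims are constructed.

```python
import base64
import hashlib
from dataclasses import dataclass, field


@dataclass
class Card:
    """A self-issued Information Card: a card secret that never leaves the
    selector, plus the claims the user put on it (constructed for this example)."""
    name: str
    card_id: bytes
    claims: dict


def pairwise_id(card: Card, rp_identity: str) -> str:
    """Per-site identifier: hash of the card secret and the relying party's identity
    (e.g. the subject of its SSL certificate). Simplified stand-in for the real
    CardSpace PPID derivation: each site sees a different, uncorrelatable value and
    the card secret itself is never disclosed."""
    digest = hashlib.sha256(card.card_id + b"|" + rp_identity.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


@dataclass
class Selector:
    """Minimal card-selector memory: which card was used at which site, and which
    claims were released to which relying party."""
    cards_used: dict = field(default_factory=dict)   # rp_identity -> card name
    release_log: list = field(default_factory=list)  # (rp_identity, card name, claims)

    def site_status(self, rp_identity: str) -> str:
        # Phishing cue: no record of this site means the UI must show a first-visit
        # indication rather than the familiar "sign in as before" flow.
        return "known" if rp_identity in self.cards_used else "first-visit"

    def release(self, card: Card, rp_identity: str, requested: list, approved: list) -> dict:
        """Token the site receives: the per-site id plus only the claims the user
        approved; anything requested but not approved is simply not sent."""
        sent = {k: card.claims[k] for k in requested if k in approved and k in card.claims}
        self.cards_used[rp_identity] = card.name
        self.release_log.append((rp_identity, card.name, sorted(sent)))
        return {"ppid": pairwise_id(card, rp_identity), "claims": sent}


# Constructed sample: one personal card presented to two different sites.
personal = Card("Personal", b"\x01" * 32,
                {"email": "user@example.test", "givenname": "Hank", "dob": "1970-01-01"})
selector = Selector()
shop_status = selector.site_status("CN=shop.example.test")       # "first-visit"
shop_token = selector.release(personal, "CN=shop.example.test", ["email", "dob"], ["email"])
forum_token = selector.release(personal, "CN=forum.example.test", ["email", "givenname"],
                               ["email", "givenname"])
```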

Page 56

Vetting of Users

•Not really a technical issue, but it is becoming a legal issue due to identity theft, and an organizational issue

Banks are being sued by their clients for identity fraud

New employees already have “identities” and may want to use those versus getting a new company identity.

• I believe an individual’s reputation is becoming one of the most valuable assets; therefore protecting one’s own reputation from abuse by others will become an important issue

Page 57

What impact on Cisco?

Diagram by Francis Shanahan

Page 58

Cisco can be a player

Cisco is moving up the stack and across the stack

Infrastructure changes to occur

Page 59

CMSG

•There is a web portal project that front-ends a media solution

Using OpenID as user authentication method

User’s login id is transformed to a URL and sent to the back-end OpenID provider service

It is a closed system, not accepting other OpenID users

Use of OpenID is invisible to the user

•Moving into consumer-facing social networking (Eos), Cisco will need to make choices about authentication methods such as those we have been discussing

Page 60

Linksys

•Have been in discussions regarding a Linksys portal that is consumer facing (loosely coupled with Connected Home)

Provides access to content in “cloud”

Provide access to home network

•Discussion of identity in home network for devices and users

•Need to be aware of trends in the consumer authentication space

Page 61

Service Node project

•Developing a media content delivery system using peer-to-peer technology

•There is again a consumer facing portal

•Had a brief discussion regarding more advanced future solutions around social networking

Interested in learning about user-centric systems

Page 62

Enterprise

•Many enterprises have consumer-facing web sites

Use of EV SSL certificates recommended

Can see value in relationship i-cards for customers

•Some IdM vendors have announced support for OpenID and CardSpace

•Sun employees use OpenIDs

• In the future, for internal employees, managed information cards could replace usernames and passwords - PIN protected, of course

No more password resets or changes every 6 months

•Federation between partners still satisfied by SAML or WS-* solutions

Page 63

Yankee Group released a Report on OpenID and Enterprises

• “OpenID is a disruptive technology that allows web sites to share identity information and streamline authentication processes. Enterprises with a significant online presence can increase contact with their customers by adopting OpenID.”

By Andrew Jaquith, Program Manager at Yankee Group

•By 2010, Yankee Group expects that a differentiated, stratified ecosystem of OpenID-Plus identity providers will emerge to make OpenID useful enough for businesses to adopt en masse.

Page 64

Actions Moving Forward

• Become more involved with the Higgins Project

Cost: $150k/year to be on the board and set direction; $30k/year to suggest new work groups; $5k/year to participate as a member

Join as a member at the $5k level

• Create a cross functional team to work with Higgins

• Cisco should consider using EV SSL certificates for CCO

• Consider using SAML 2.0 assertions as the encapsulation for moving identity claims around

• Investigate the gap between network and application identities

Page 65

Next Steps

• Continue discussion with known internal groups

• Do deeper dives into OpenID, CardSpace and Higgins

Set up an IdP and RPs for the different systems in the lab

Get some practical experience with the systems

Provide recommendations

• Look at how Cisco might work with IdM vendors to find a way to leverage network authentication and posture information in the application space

The solution requires Cisco to retain state for authentications

(Some work is going on here by Vinnie Gupta, SA and Brian Ford, CE)

3 possible approaches:

1. Create an API (no standard exists)

2. Develop a Higgins plug-in

3. Virtual directory

• Complete the research and white paper

Page 66

Page 67

Discussion

