56
1 Distributed Data Security for Factory Automation Alfred C. Weaver Professor of Computer Science University of Virginia
1
Distributed Data Security for Factory Automation
Alfred C. WeaverProfessor of Computer
ScienceUniversity of Virginia
2
Outline
Motivation for data security Proposed security architecture
Web services Trust Authentication Authorization Federation
Research issues
3
Data Privacy and Security
Plants
ProcessesDatabases
Desktops
Laptops
PDAs
Cell phones
Global Internet
4
Virtual Factory
5
6
Risks
Access by unauthorized individuals Access denied to authorized
individuals Identity theft and impersonation Authentication techniques of
varying reliability Mobile access devices Viruses and worms
7
Risk Mitigation Requirements
Establish and maintain trust between data requestor and data provider
Techniques must be applicable to both humans and software
Trust decisions must be made without human intervention
8
Outline
Motivation for data security Proposed security architecture
Web services Trust Authentication Authorization Federation
Research issues
9
10
Outline
Motivation for data security Proposed security architecture
Web services Trust Authentication Authorization Federation
Research issues
11
Security Architecture
Based upon web services useful functionality exposed on the
WWW provide fundamental, standardized
building blocks to support distributed computing over the internet
applications communicate using XML documents that are computer-readable
12
Why Web Services?
Internet provides a powerful, standardized, ubiquitous infrastructure whose benefits are impossible to ignore provided that access is reliable,
dependable, and authentic World-wide acceptance
preferential way to interconnect applications in a loosely-coupled, language-neutral, platform-independent way
13
Web Services
Built on three primary technologies Simple Object Access Protocol (SOAP)
specifies format and content of messages Web Services Description Language
(WSDL) XML document that describes a set of SOAP
messages and how they are exchanged Universal Description, Discovery, and
Integration (UDDI) searchable "whitepage directory" of web
services
14
SOAP Example<soap:Envelope>xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header>
<!-- security credentials --><s:credentials xmlns:s="urn:examples-org:security">
<username>Alfred Weaver</username><password>jdb5eifgh7a</password>
</s:credentials></soap:Header><soap:Body>
<x:TransferFunds xmlns:x="urn:examples-org:banking">
<from>22-342439</from><to>98-283843</to><amount>100.00</amount>
<denomination>USD</denomination></x:TransferFunds>
</soap:Body></soap:Envelope>
TransferFunds (from, to, amount)
15
Outline
Motivation for data security Proposed security architecture
Web services Trust Authentication Authorization Federation
Research issues
16
Trust
Who you are
What
you
can
do
Wha
t you
have
Authentication
Pri
vile
ges
Crede
ntia
ls, a
ttrib
utes
{Authentication, Credentials, Privileges}
17
Outline
Motivation for data security Proposed security architecture
Web services Trust Authentication Authorization Federation
Research issues
18
Authentication
Biometric based upon physical or behavioral
characteristics answers “who are you?”
Digital something you have or know
Two-factor authentication biometric + digital
19
Identification vs. Verification
Identification of all humans, which one are you?
Verification does your biometric (bid sample)
match a previously enrolled biometric template?
20
Physical Biometrics
Fingerprint Iris Retina Hand geometry Finger geometry Face geometry Ear shape
Palm print Smell Thermal face
image Hand vein Fingernail bed DNA
21
Fingerprint Scanners
HP IPAQDigital Persona U.are.U Pro IBM Thinkpad T42
22
False Acceptance/Rejection
False acceptance rate (FAR) incorrectly matches a bid sample to
an enrolled template this is very bad FAR must be very, very low
False rejection rate (FRR) fails to match a legitimate bid sample
to an enrolled template this is an annoyance FRR must be low if technique is to be
used
23
Fingerprints
70 points of differentiation (loops, whirls, deltas, ridges)Even identical twins have differing fingerprint patternsFalse acceptance rate < 0.01%False rejection rate < 1.4%Can distinguish a live fingerFast to enrollInexpensive (~$50-100) for the reader
24
Iris Scans
Iris has 266 degrees of freedomIdentical twins have different iris patternsFalse acceptance rate < 0.01%False rejection rate < 0.01%Does take some time and controlled lighting to enrollPattern is stored as a data template, not a pictureFlash light to detect pupil dilation (prove live eye)
25
Determining a Match
Enrollment produces a template Bid sample produces another template Hamming distance between them is
the degree of difference
011010101111011110000001...011010101100011110000111...
26
Determining a Match
Enrollment produces a template Bid sample produces another template Hamming distance between them is
the degree of difference
011010101111011110000001...011010101100011110000111...
27
Behavioral Biometrics
Signature Voice Keyboard dynamics
Alfred C. Weaver
28
Digital Techniques
PINs and passwords E-tokens Smart cards RFID X.509 certificates
29
eToken
Stores credentials such as passwords, digital signatures and certificates, and private keys
Some can support on-board authentication and digital signing
30
Smart Card
Size of a credit card Microprocessor and memory All data movements encrypted
31
RFID IC with antenna Works with a
variety of transponders
No power supply Supplies identity
information Susceptible to theft
and replay attacks
32
X.509 Certificates
Certificate issued by a trusted Certificate Authority (e.g., VeriSign)
Contains name serial number expiration dates certificate holder’s public key (used for
encrypting/decrypting messages and digital signatures)
digital signature of the Certificate Authority (so recipient knows that the certificate is valid)
Recipient may confirm identity of the sender with the Certificate Authority
33
Authentication Token
<TrustLevelSecToken> <CreatedAt> 2005-09-20T08:30:00.0000000-04:00 </CreatedAt> <ExpiresAt> 2005-09-21T08:30:00.0000000-04:00 </ExpiresAt> <UserID> 385739601 </UserID> <TokenIssuer> http://cs.virginia.edu/TrustSTS.asmx </TokenIssuer> <TrustAuthority> http://cs.virginia.edu/TrustAuthority.asmx </TrustAuthority></TrustLevelSecToken>
34
Authentication Token
<TrustLevelSecToken> <CreatedAt> 2005-09-20T08:30:00.0000000-04:00 </CreatedAt> <ExpiresAt> 2005-09-21T08:30:00.0000000-04:00 </ExpiresAt> <UserID> 385739601 </UserID> <TrustLevel> Fingerprint </TrustLevel> <AuthenticationMethod> Digital Persona U.are.U </AuthenticationMethod> <TokenIssuer> http://cs.virginia.edu/TrustSTS.asmx </TokenIssuer> <TrustAuthority> http://cs.virginia.edu/TrustAuthority.asmx </TrustAuthority></TrustLevelSecToken>
35
Outline
Motivation for data security Proposed security architecture
Web services Trust Authentication Authorization Federation
Research issues
36
Security Assertion Markup Language (SAML)
Applications require interoperable security solutions that transcend the boundaries of single security domains
Interoperable exchange of security information is essential to enable web single sign-on distributed authorization services securing electronic transactions
SAML addresses these issues
37
SAML Assertions
An assertion is a declaration of facts about a subject
SAML has three kinds, all related to security:
authentication attribute authorization decision
38
SAML Conceptual Model
SAML
AuthenticationAssertion
AttributeAssertion
AuthorizationDecisionAssertion
AuthenticationAuthority
AttributeAuthority
Policy DecisionPoint
Policy EnforcementPoint
Policy Policy Policy
Credentials Collector
System Entity
Application Request
39
Authentication Assertion
An issuing authority asserts that subject S was authenticated by means M at time T
Example subject “Alfred C. Weaver” was authenticated by “password” at time “2005-09-18T10:02:00Z”
40
Example Authentication Assertion
<saml:Assertion> AssertionID=“128.9.167.32.12345678” Issuer=“Robotics Corporation” IssueInstant=“2005-09-19T10:02:00Z”> <saml:Conditions NotBefore=“2005-09-19T10:02:00Z” NotAfter=“2005-09-23T10:02:00Z” /> <saml:AuthenticationStatement> AuthenticationMethod=“password” AuthenticationInstant=“2005-09-18T10:02:00Z”> <saml:Subject> <saml:NameIdentifier SecurityDomain=“robotics.com” Name=“Alfred C. Weaver” /> </saml:Subject> </saml:AuthenticationStatement></saml:Assertion>
41
Attribute Assertion
An issuing authority asserts that subject S is associated with attributes 1, 2, 3… with attribute values a, b, c...
Example: “Alfred C. Weaver” in domain
“robotics.com” is associated with attribute “Position” with value “Plant Manager”
42
Example Attribute Assertion
<saml:Assertion …> <saml:Conditions …/> <saml:AttributeStatement> <saml:Subject> <saml:NameIdentifier SecurityDomain=“robotics.com” Name=“Alfred C. Weaver” /> </saml:Subject> <saml:Attribute AttributeName=“Position” AttributeNamespace=“http://robotics.com”> <saml:AttributeValue> Plant Manager
</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement></saml:Assertion>
43
Authorization Decision Assertion
An issuing authority decides whether to grant the request: by subject S for access type A to resource R given evidence E
The subject could be a human or software
The resource is any object data, web page, web service, etc.
44
Example Authorization Decision Assertion
<saml:Assertion …> <saml:Conditions …/> <saml:AuthorizationStatement>
Decision=“Permit” Resource=“http://www.robotics.com/production.html”> <saml:Subject> <saml:NameIdentifier SecurityDomain=“robotics.com” Name=“Alfred C. Weaver” /> </saml:Subject> </saml:AuthorizationStatement></saml:Assertion>
45
Outline
Motivation for data security Proposed security architecture
Web services Trust Authentication Authorization Federation
Research issues
46
Federation
Web services single sign-on How can identity, once legitimately
established in one trust domain, be reliably and securely shared with another trust domain?
How does authentication transfer? What are you authorized to do in a
different trust domain?
47
Federated ATM Network
Account Numberand PIN
Home Bank Network
Visiting Bank Network
Funds Network of Trust
48
Yes
Administrative Decision
Admin
Get identityGet identitytokentoken 11
Requestor
IP/STS
Administrator decides on per request basis
22
33
Resource
49
Basic FederationDirect Trust Token Exchange
TrustTrust
Get identityGet identitytokentoken
Get accessGet accesstokentoken11
33
22
IP/STS IP/STS
Requestor
Resource
50
Indirect Trust
Trust
TrustTrust
Trust
C trusts B which vouches for A who vouches for client
11
33
CC
BB
AA
IP/STS
IP/STS
IP/STS
Requestor Resource
22
51
System Design
52
Outline
Motivation for data security Proposed security architecture
Web services Trust Authentication Authorization Federation
Research issues
53
Research Challenges
Authentication tokens SAML permits enumeration, but not
substitution, of acceptable tokens Trustworthiness varies even within a
technology, but SAML does not capture this distinction
Our TrustLevel concept is just a beginning; trust is more complicated than a number
54
Research Challenges
Authorization rules Human organizations are complex,
and so are their rules Role delegation Human/computer interface
55
Research Challenges
Federation Currently an infant science Many issues surround trust
management establishment representation exchange enforcement storage negotiation
56
Research Challenges
Tools and techniques how to specify access policies locate policy inconsistencies human/computer interface
Formalisms need formal methods to structure our
thoughts, processes and implementations
need proofs of correctness
