Posted: 28-Jul-2015 | Category: Technology | Uploaded by: adam-lewis
Adam Lewis, Office of the CTO
Mike Korus, Office of the CTO
IDENTITY 101
IDENTIFICATION
WHO ARE YOU?
AUTHENTICATION
CAN YOU PROVE IT? WHAT DEGREE OF ASSURANCE?
AUTHORIZATION
OK, I BELIEVE YOU. I GET TO DECIDE WHAT YOU GET TO DO OR NOT.
IDENTITY 1.0 AND WHY IT DOESN’T WORK ANYMORE
Identity Today: Application SILOS
APPLICATION 1 (Application / Service Provider, Application logic): IDENTITY = ALICE.SMITH; PASSWORD = 2DAQREF4ERQL; PASSWORD CHANGE MANAGEMENT = 30 DAYS
APPLICATION 2 (Application / Service Provider, Application logic): IDENTITY = Alice-22; PASSWORD = ABC123; PASSWORD CHANGE MANAGEMENT = NEVER
APPLICATION 3 (Application / Service Provider, Application logic): IDENTITY = ALICE; PASSWORD = ABC123; PASSWORD CHANGE MANAGEMENT = 90 DAYS
Each application = Identity provider + Service provider
Why Identity 1.0 is Broken
THE USER / THE ADMIN / THE DEVELOPER
It gets worse.
Credentials. Users. Mobile. Cloud.
The Perimeter has Dissolved.
Sharing of Information & Resources.
The Good ol’ Days: users, their credentials, and the information they accessed were all within the secure perimeter of the Enterprise.
WHERE WE HAVE BEEN
Home Agency Apps
REGIONAL APPLICATIONS
HOME AGENCY APPS
REAL LIFE IDENTITY… AND WHAT WE CAN LEARN FROM IT
REAL-LIFE IDENTITY
BOB
1. IDENTIFY: “HI, I’M BOB” / AUTHENTICATE: “PROVE IT”
DMV
2. “I HAVE AUTHENTICATED YOU. HERE IS A TOKEN ASSERTING MY AUTHENTICATION OF YOU AS WELL AS SOME ATTRIBUTES OF YOU”
REAL-LIFE IDENTITY
STATE BORDERS
IDENTITY 2.0… BUILT FOR A DEPERIMETERIZED WORLD
Identity 2.0
1. IDENTITY: “I AM OFFICER BOB” / AUTHENTICATE: “PROVE IT”
CREDENTIAL REPOSITORY
Agency IdM FUNCTION
BIOMETRIC / PASSWORD (***********) / SMART CARD
2. I HAVE AUTHENTICATED YOU, BOB. HERE IS A TOKEN ASSERTING MY AUTHENTICATION OF YOU … AS WELL AS SOME ATTRIBUTES OF YOU.
Name: Officer Bob
Agency: Schaumburg Police Department
Role: Sergeant
Languages: English, Spanish, Russian
Qualifications: Firearms, CPR
Contact-mobile: 847-555-1234
Contact-email: [email protected]
User Authentication: RSA 2-factor
Signed by: Village of Schaumburg IdM
Identity 2.0
Separation of Identity Provider and Service Provider functionality
Identity 2.0 is the separation of the Identity Provider from the Service Provider
IDENTITY 2.0 PILLARS: Centralized Credential Management | Single Sign-On | Federation | Strong Authentication
Centralized Credential Management
IDENTITY PROVIDER:
Identity = Alice; Password = abc123
Attribute-1 (e.g. email); Attribute-2 (e.g. phone number); Attribute-3 (e.g. dept. no)
Password change management = 90 days
Password complexity rules; Password reuse rules
Activate account; Suspend account; Delete account
INTEGRATES WITH AGENCY’S EXISTING IDENTITY MANAGEMENT SYSTEM (E.G. ACTIVE DIRECTORY)
APPLICATION 1 (Service Provider, Application logic): Focuses strictly on the service the app is looking to provide; leverages identity & credentials provisioned in the Identity Provider
APPLICATION 2 (Service Provider, Application logic): Focuses strictly on the service the app is looking to provide; leverages identity & credentials provisioned in the Identity Provider
Single Sign-On
Enter your password: ***********
© 2014 Motorola Solutions, Inc.
IDENTITY FEDERATION
LOCAL POLICE AGENCY to REGIONAL OR NATIONWIDE APPLICATIONS & SERVICES (CAD, VIDEO, PTT)
LOCAL AUTHORIZATION CONTROL
Strong Authentication
76% of 2012 network intrusions exploited weak or stolen credentials
In 2007, ~30 vendors in authentication. Approximately 12 new vendors have been added per year. Today there are over 100 vendors.
Source: PingIdentity
AT WORK / AT HOME
Memorization, Re-Use, Avoid Change
One Constant: CHANGE
The average corporate user maintains 15 passwords within both private and corporate spheres
• Like the cockroach… passwords will outlive us all
• But that does not mean… we shouldn’t try to exterminate them
STRONG AUTHENTICATION
SOMETHING I AM / SOMETHING I HAVE / SOMETHING I KNOW
CJIS REQUIRES STRONG AUTHENTICATION – MSI HAS SOLUTIONS TO MEET THOSE NEEDS TODAY
• The Identity problem
– Who are you
– Prove it
– How confident are we in the “proofing”
• Federal Standards defined “how certain”: Level Of Assurance (LoA)
– Defined in OMB M-04-04 (Dec 16, 2003), Executive Office of the President, Office of Management and Budget
OMB LoA Description:
Level 1 Little or no confidence in the asserted identity’s validity.
Level 2 Some confidence in the asserted identity’s validity.
Level 3 High confidence in the asserted identity’s validity.
Level 4 Very high confidence in the asserted identity’s validity.
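The deck describes the Identity 2.0 split (an Identity Provider authenticates and issues a signed token carrying attributes such as name, agency, role and the authentication method used; a Service Provider only verifies that token and keeps authorization local) and the OMB assurance levels above. The following is an added example, not code from the deck or from Motorola Solutions, that walks through one such exchange end to end. It signs with an HMAC key shared only between the IdP and the service providers that trust it, which is an assumption made to keep the example free of third-party libraries (SAML and OpenID Connect federations use asymmetric signatures); the issuer name, key, policy, and the mapping from authentication method to LoA level are likewise assumptions, not values from the deck.

```python
"""Federated assertion: an Identity Provider issues it, a Service Provider verifies
it, and authorization stays local to the Service Provider.

Added example, not from the deck. Signing uses an HMAC key that the IdP shares
only with providers that trust it (an assumption for a stdlib-only demo; SAML
and OpenID Connect federations use asymmetric signatures). Names, keys and the
authentication-method-to-LoA mapping are assumptions too."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed mapping from the IdP's reported authentication method to an OMB
# M-04-04 style Level of Assurance; the deck lists the levels, not this mapping.
AUTHN_METHOD_LOA = {"password": 2, "RSA 2-factor": 3, "PIV smart card": 4}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Agency IdM function: authenticates the user and issues a signed assertion."""

    def __init__(self, issuer, signing_key):
        self.issuer, self.key = issuer, signing_key

    def issue(self, subject, attributes, authn_method, audience, now, ttl=300):
        payload = {"iss": self.issuer, "sub": subject, "aud": audience,
                   "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8),
                   "authn_method": authn_method, "attributes": attributes}
        body = json.dumps(payload, sort_keys=True).encode()
        return _b64(body) + "." + _b64(hmac.new(self.key, body, hashlib.sha256).digest())


class ServiceProvider:
    """Application that relies on the IdP and keeps only its own service logic."""

    def __init__(self, name, trusted_issuers):
        self.name, self.trusted = name, trusted_issuers  # issuer -> verification key

    def verify(self, token, now=None):
        """Return the claims if signature, issuer, audience and expiry all check out."""
        now = time.time() if now is None else now
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = _unb64(body_b64), _unb64(sig_b64)
            claims = json.loads(body)
        except ValueError:
            return None
        if not isinstance(claims, dict) or claims.get("iss") not in self.trusted:
            return None  # malformed, or from an identity provider we do not trust
        expected = hmac.new(self.trusted[claims["iss"]], body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None  # tampered or forged
        if claims.get("aud") != self.name or claims.get("exp", 0) < now:
            return None  # issued for another application, or stale
        return claims

    def authorize(self, claims, resource, policy):
        """Local authorization control: the SP decides, using the IdP's attributes."""
        if claims is None:
            return False
        rule = policy[resource]
        loa = AUTHN_METHOD_LOA.get(claims.get("authn_method"), 1)
        return loa >= rule["min_loa"] and claims["attributes"].get("role") in rule["roles"]


# Constructed demo data.
IDM_KEY = b"village-of-schaumburg-idm-demo-key"
IDP = IdentityProvider("Village of Schaumburg IdM", IDM_KEY)
CAD = ServiceProvider("regional-cad", {"Village of Schaumburg IdM": IDM_KEY})
POLICY = {"cad": {"min_loa": 3, "roles": {"Sergeant", "Officer"}},
          "cjis-query": {"min_loa": 3, "roles": {"Sergeant"}}}
BOB = {"name": "Officer Bob", "agency": "Schaumburg Police Department", "role": "Sergeant"}


def can_access(resource, authn_method, verify_delay=60, tamper=False, audience="regional-cad"):
    """Issue an assertion for Bob at t=1000 and ask the CAD service provider for access."""
    token = IDP.issue("bob", BOB, authn_method, audience, now=1000.0)
    if tamper:  # edit the role inside the payload without re-signing
        body_b64, sig_b64 = token.split(".")
        token = _b64(_unb64(body_b64).replace(b'"Sergeant"', b'"Chief"')) + "." + sig_b64
    claims = CAD.verify(token, now=1000.0 + verify_delay)
    return CAD.authorize(claims, resource, POLICY)


if __name__ == "__main__":
    print("CAD with RSA 2-factor:", can_access("cad", "RSA 2-factor"))                # True
    print("CAD with password only:", can_access("cad", "password"))                   # False
    print("CAD, tampered assertion:", can_access("cad", "RSA 2-factor", tamper=True))  # False
```

The service provider never sees a password: it checks the signature, the issuer, the audience and the expiry, and then applies its own policy to the attributes. A token issued after a password-only login fails the CAD rule on assurance level even though the signature is valid, which is the separation the deck argues for: the IdP vouches for who the user is and how they proved it, the application decides what that is worth.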
AROUND THE WORLD IN 80 DAYS… GLOBAL TRENDS IN IDENTITY
UNITED STATES
INTERNATIONAL
CLOSING THOUGHTS… AND THINGS TO REMEMBER
PILLARS OF IDENTITY 2.0
WHAT DO YOU GET?
MOBILE FRIENDLY
CLOUD READY
INDUSTRY DOMINANT
OPEN STANDARDS
CENTRALIZED CREDENTIAL MANAGEMENT
SINGLE SIGN-ON
FEDERATION: PORTABLE & INTEROPERABLE
STRONG AUTHENTICATION
In a deperimeterized mobile & cloud world, where first responders are accessing information – located anywhere – from anywhere – Identity *IS* the new perimeter
July 17, 1996: Emergency services personnel from Suffolk County, NY and the United States Coast Guard respond to a report of a catastrophic explosion and the crash of a passenger airliner over the ocean off the southern coast of Long Island. The initial assumption is a nexus to terrorism. The East Moriches Coast Guard Station is designated as the operations command post, staging area, and evidence collection point. As the incident shifts from response to recovery, personnel from various response disciplines and levels of government stream into the station. Among them is Lieutenant Colonel David Williams of the U.S. Army Reserve. LTC Williams, dressed in his U.S. Army Reserve flight suit, presents identification, enters the site, and assists in the operation by landing helicopters on the designated helipads. On the third day of his work, LTC Williams is questioned concerning his identity and affiliation. Following a brief investigation, LTC Williams is identified as an impostor, escorted from the property, and charged by the Suffolk County Police.
September 11, 2001: When the Pentagon was struck it resulted in a massive response of public safety personnel from fire, EMS, and police. Given the technology used at the time, it was impossible to authenticate and validate emergency responders at a pace necessitated by the disaster. While the majority of emergency responders already had identification cards, their credentials were not recognized at all levels of government or by the various jurisdictions. The incident commanders on site either had to assume that people were who they said they were, or they had to deny or delay access of critical emergency personnel to the crash scene. This same scenario could be applied to any disaster at any secured building in any city or state.
• Single Factor: Choose ONE OF: SOMETHING I AM / SOMETHING I HAVE / SOMETHING I KNOW
Strong Authentication / Advanced Authentication
• Multi Factor: Choose TWO OR MORE: SOMETHING I AM / SOMETHING I HAVE / SOMETHING I KNOW
• User Authentication - Factors
Something I Know      Something I Have          Something I Am
PIN                   Smart badge               Brainwave (EEG)
Password/Phrase       OTP Token                 Heart Rhythm (ECG)
Gesture               Key Fob (Yubico)          Voice
Shape                 Smartphone/Tablet         Fingerprint
Pattern               Bio-stamp/Tattoo          Finger/hand vein
                      Wearable                  Iris scan
                      NFC Ring                  Facial scan
                      (pictured: PIV, OTP)
• 1. REMOTE ACCESS: CJIS MANDATES STRONG AUTHENTICATION
• 2. PHYSICAL ACCESS: FRAC CARDS FOR INTEROPERABILITY
• 3. DEVICE ACCESS: SENSITIVE DATA ON DEVICES & OPEN SESSIONS
Authentication for Public Safety
• Think To Authenticate
– Started as “brain fitness”
– Your brainwave is unique
– Focus on a thought
– Some Difficulties
  • Slow
  • Focus
  • Very early research
(NeuroSky)
• Key Stroke to authenticate
– Something I know (simplified Password)
– Something I am
  • Dwell time
  • Flight time
– Stops password sharing
• EKG to authenticate
– Your EKG is unique
– Not affected by caffeine or exercise
  • Heart rate, yes
  • EKG characteristics, no.
– How many sensors?
  • Hospital = 12
  • Authentication = 2
– Communicates to your device
  • Bluetooth
  • NFC
(Bionym)
• Smartbadge Tap to authenticate
– Uses NFC Technology
  • Standard supported by most smartphones
– Federal PIV card standards
  • Personal Identity Verification card
  • FIPS PUB 201-2
– PIV-I/FRAC cards
  • First Responder Authentication Credential
• Future capability
– Smartbadge turns your phone into a badge
– Draft NIST SP 800-157 Card emulation on radio
Tap Smart Card, then LOGON
• Continuous authentication
– Is it “still you”
– Is it “still you”
– …
– Is it “still you”
[Figure: three biometric processes that share a Sensor, a Feature extraction & Template creation stage, and a Database]
Enrollment: Sensor → Feature extraction & Template creation → Database (sample BE stored as template BE’, linked to the user’s ID)
Authentication: Sensor + claimed ID → Feature extraction → Matching function against that user’s stored template (BA vs BA’) → Decision (Y/N)
Identification: Sensor → Feature extraction → Matching function against the whole Database (BI vs BI’) → Identity
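The keystroke bullet earlier (dwell time, flight time, a simplified password as the “something I know” part) and the enrollment / authentication figure describe one concrete behavioural biometric, and the same check can be rerun on later input for the “is it still you” continuous-authentication idea. The following is an added example, not code from the deck or from any vendor named in it: feature extraction, template creation from several enrollment samples, a matching function and a yes/no decision. The key-down/key-up timestamps are constructed, and the score threshold and the standard-deviation floor are assumptions.

```python
"""Keystroke-dynamics verification: dwell and flight times as a "something I am" factor.

Added example, not from the deck. Timestamps are constructed; a real system would
record key-down/key-up times from the input device. Thresholds are assumptions."""
import statistics

# Constructed enrollment: four recordings of one user typing "bob!", each a list
# of (key, key_down_ms, key_up_ms).
ENROLL_SAMPLES = [
    [("b", 0, 95), ("o", 160, 250), ("b", 330, 420), ("!", 520, 600)],
    [("b", 0, 100), ("o", 170, 255), ("b", 340, 430), ("!", 530, 615)],
    [("b", 0, 90), ("o", 155, 245), ("b", 325, 415), ("!", 515, 595)],
    [("b", 0, 98), ("o", 165, 252), ("b", 335, 425), ("!", 525, 605)],
]
MIN_STDEV_MS = 5.0  # floor so a perfectly consistent feature does not dominate the score


def extract_features(events):
    """Dwell = how long each key is held; flight = gap between one key's release and the next press."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def build_template(samples):
    """Enrollment: per-feature mean and standard deviation across the samples."""
    columns = list(zip(*(extract_features(s) for s in samples)))
    return {
        "keys": [k for k, _, _ in samples[0]],
        "mean": [statistics.mean(c) for c in columns],
        "std": [max(statistics.stdev(c), MIN_STDEV_MS) for c in columns],
    }


def match_score(template, events):
    """Matching function: mean z-score distance from the template (lower is closer)."""
    if [k for k, _, _ in events] != template["keys"]:
        return None  # the "something I know" part failed; rhythm is not even compared
    feats = extract_features(events)
    return statistics.mean(abs(f - m) / s for f, m, s in zip(feats, template["mean"], template["std"]))


def verify(template, events, threshold=1.5):
    """Decision (Y/N): accept when the typing rhythm is within the threshold."""
    score = match_score(template, events)
    return score is not None and score <= threshold


if __name__ == "__main__":
    tmpl = build_template(ENROLL_SAMPLES)
    genuine = [("b", 0, 96), ("o", 163, 251), ("b", 333, 423), ("!", 523, 603)]
    impostor = [("b", 0, 60), ("o", 200, 270), ("b", 420, 500), ("!", 700, 780)]
    print("genuine:", verify(tmpl, genuine), "impostor:", verify(tmpl, impostor))
```

The template is the only thing stored; a sample typed with the right keys but a different rhythm scores far outside the threshold, which is what makes a shared password much less useful to the person it was shared with. The threshold sets the trade-off between false rejections of the real user and false acceptances, and would be tuned on real enrollment data rather than the constructed values here.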
[Figure: challenge/response handshake in which the biometric never leaves the device]
Submit factor 1 (e.g. biometric) → the device verifies it locally and unlocks the access secret
Application server: “prove you can lock this” with the secret → device responds → server verifies → Success = access secret proven
Security / Cost / UX
• Tiered to needs • Policies • Federation • Secure elements (TEE, uSD…)
• Key for adoption • Unobtrusive/stealthy • Shared Devices (load profiles)
• Leverage commercial Tech • Standards
Security isn’t an afterthought; it’s a stream of consciousness.
– Back to beginning
  • It ties into identity management
  • It’s the “primary authentication”
  • What you use at work can be applied to home
[Figure repeated: the same challenge/response handshake; the biometric comparison is performed on the device or on the smart card]
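The two handshake figures make the same point: the biometric is compared on the device (or on the card), and what the application server receives is only a response to its “prove you can lock this” challenge. The following is an added example, not code from the deck or from Motorola Solutions, that runs that exchange with both sides present and shows the checks a server needs around it (a fresh single-use challenge, an expiry, and binding to the server’s own origin). HMAC with a per-device key the server also holds stands in for the asymmetric signature a FIDO-style authenticator would produce; that is an assumption made to avoid third-party libraries (with a key pair the server would store only the public key). The device id, origins and feature vectors are constructed.

```python
"""Device-bound challenge/response in which the biometric never leaves the device.

Added example, not from the deck. The device keeps the biometric template and an
access secret; a local match unlocks the secret, and only a proof computed with
it is sent. HMAC with a key the server also holds stands in for the asymmetric
signature a FIDO-style authenticator would produce (assumption, for a
dependency-free demo: with a key pair the server would store only the public key).
Identifiers, origins and the feature vectors are constructed."""
import hashlib
import hmac
import secrets
import time

ENROLLED_SAMPLE = (12, 40, 33, 8, 57)  # constructed biometric feature vector
MATCH_THRESHOLD = 6                    # max Manhattan distance the local matcher accepts


def biometric_match(template, sample, threshold=MATCH_THRESHOLD):
    """Local matcher: compare a live sample with the stored template."""
    return sum(abs(a - b) for a, b in zip(template, sample)) <= threshold


class Device:
    def __init__(self, device_id):
        self.device_id = device_id
        self.template = None       # biometric template, stored only here
        self.access_secret = None  # released only after a local match

    def enroll(self, sample):
        self.template = sample
        self.access_secret = secrets.token_bytes(32)
        return self.access_secret  # provisioned to the server once, at enrollment

    def respond(self, challenge, origin, live_sample):
        """Factor 1 (biometric) unlocks the secret; only the proof leaves the device."""
        if not biometric_match(self.template, live_sample):
            return None  # no match: nothing is sent, and no biometric data ever is
        return hmac.new(self.access_secret, origin.encode() + b"|" + challenge, hashlib.sha256).digest()


class ApplicationServer:
    def __init__(self, origin, challenge_ttl=60):
        self.origin = origin
        self.keys = {}     # device_id -> verification key
        self.pending = {}  # challenge -> (device_id, expiry)
        self.ttl = challenge_ttl

    def register(self, device_id, key):
        self.keys[device_id] = key

    def challenge(self, device_id, now=None):
        """'Prove you can lock this': a fresh random nonce bound to one device."""
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(32)
        self.pending[nonce] = (device_id, now + self.ttl)
        return nonce

    def verify(self, device_id, challenge, response, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(challenge, None)  # single use, so a replay finds nothing
        if response is None or entry is None or entry[0] != device_id or entry[1] < now:
            return False
        msg = self.origin.encode() + b"|" + challenge  # the server binds its own origin
        expected = hmac.new(self.keys[device_id], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(server, device, live_sample, origin=None, replay=False, delay=0):
    """Run one handshake at t=1000 and return the server's decision."""
    origin = server.origin if origin is None else origin
    nonce = server.challenge(device.device_id, now=1000.0)
    proof = device.respond(nonce, origin, live_sample)
    ok = server.verify(device.device_id, nonce, proof, now=1000.0 + delay)
    if replay:  # present the same proof a second time
        return server.verify(device.device_id, nonce, proof, now=1000.0 + delay)
    return ok


def demo():
    server = ApplicationServer("https://cad.example")
    device = Device("radio-0042")
    server.register(device.device_id, device.enroll(ENROLLED_SAMPLE))
    live = (13, 41, 32, 8, 56)  # constructed: close to the enrolled template
    return {
        "good": login(server, device, live),
        "wrong_person": login(server, device, (60, 2, 9, 44, 10)),
        "replay": login(server, device, live, replay=True),
        "wrong_origin": login(server, device, live, origin="https://other.example"),
        "stale": login(server, device, live, delay=120),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'accepted' if result else 'rejected'}")
```

Only the first case is accepted. A failed local match sends nothing at all, a replayed proof finds its challenge already consumed, a proof computed for another origin does not verify, and a proof arriving after the challenge’s lifetime is refused. None of these checks require the server to ever hold, or even see, biometric data.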
• Assets require “user” access controls?
– Records management
– CAD
– CJIS
– Location
– Messaging
– Logging
– PTT services (?)
– …
• Single Factor or Multifactor
• Device or User Authentication
• Most of this is standards
– Standards: NIST, FIDO, Global Platform
• Technology Enablers
– Secure elements (CRYPTR micro)
– TEE
– Wireless tokens/secure elements
– Wearable Biometrics