References: Wikipedia Authentication world: Audun Jøsang and Simon

Transkript

1 References: Wikipedia Authentication world: Audun Jøsang and Simon Pope, "User Centric Identity Management", CRC for Enterprise Distributed Systems Technology (DSTC Pty Ltd) and The University of Queensland, 4072, Australia, fajosang, AusCERT Conference 2005 Glossary for the OASIS Security Assertion Markup Language (SAML) V os.html SWITCH Authentication and Authorization infrastructure (SWITCHaai) Roger Clarke, "Identified, Anonymous and Pseudonymous Transactions: The Spectrum of Choice", Principal, Xamax Consultancy Pty Ltd, Canberra Visiting Fellow, Department of Computer Science, Australian National University, Version of 30 April

2 2

3 3

4 Data about helpdesk workload and cost seems to be rather unreliable Gartner Group: 20$ each call for password reset PriceWaterhouse Coopers: 40% of all helpdesk calls are password related. Password handling costs 210$ per user and year Derek Brink (RSA): Claimed 30-50% of all helpdesk calls password-related. 80$ per helpdesk call. Compaq: 30% of all helpdesk calls are password related $ per call. Morgan Keegan & Co.: 25-35% of helpdesk calls password related $ per user and year. Forrester Research: 80% of helpdesk calls are password-related. Single sign-on systems could enable a company to reduce its helpdesk by 40% savings of nearly $4.4 million for company with 20'000 users. Burton Group (Enterprise Single Sign-On: Access Gateway to Applications, Phil Schacter, 22 September 2005: Each call to an IT-help desk costs between $25 and $50, and typically 35% to 50% of help desk calls in an organization are password related. IT_Sec: Mit der Einführung von it_sec_signon reduzierten sich die passwort-basierten Helpdesk- Calls signifikant von Passwort bezogenen auf 750 PIN bezogene Helpdesk-Calls per Mitarbeiter pro Monat. >>> Das würde aber bedeuten, dass 86% der Mitarbeiter einmal pro Monat den Helpdesk anrufen wegen Passwort-Problemen, was eher unwahrscheinlich ist! Analyses have shown that 30% of calls to a Help desk concern a loss of identifier or a password problem. 4

5 Single sign-on (SSO) is a specialized form of authentication that enables a user to authenticate once and gain access to the resources of multiple software systems. Enterprise Reduced Sign-On consolidates the multiple sign-ons required by individual applications to reduce employees' password and user ID combinations. The term enterprise reduced sign-on (ESSO) is preferred by some authors because they believe single sign-on to be a misnomer: "no one can achieve it without an homogeneous IT infrastructure. Web single sign-on (WSSO), also called Web access management (Web- AM), works strictly with applications and resources accessed with a web browser. Access to web resources is intercepted, either using a web proxy server or by installing a component on each targeted web server. Unauthenticated users who attempt to access a resource are diverted to an authentication service, and returned only after a successful sign-on. Cookies are most often used to track user authentication state, and the Web-SSO infrastructure extracts user identification information from these cookies, passing it into each web resource. The term reduced single sign-on (RSO) is sometimes used for single sign-on solutions based on passwords because passwords provide the least secure authentication mechanism. 5

6 Passwort Synchronisation: Benutzung eines Passwortes für mehrere Anwendungen (z.b. Directory (LDAP) basierte Authentifizierung) Passwort Policies, welche weniger Passwort-Wechsel fordern Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) SSO-Nutzen aus der Sicht verschiedener Stellen: Manuelle Eingabe der Benutzerdaten an mehreren Stellen (HR, Corporate Directory, Notes, andere Applikationen) führt leicht zu inkonsistenten Benutzerdaten (teuer, fehlerintensiv, erhöht Verletzlichkeit d.h. schlechtere Sicherheit der Daten) Within a company, the value associated with Single Sign-On (SSO) is to improve user efficiency, IT team productivity and Information System Security. Improved User efficiency: the convenience it offers the users, releasing them from the constraint of having to manage large numbers of identifiers and passwords. IT Team productivity: SSO usually results in significant password help desk cost savings, significant gains in IT department productivity Improved Information System Security: reduces the number of trivial passwords, improves the password handling by the users, gives better ability to enforce uniform enterprise authentication and/or authorization policies across the enterprise. Removes application developers from having to understand and implement identity security in their applications. 6

7 Identity management has two main parts: 1. Issuing users with unique identifiers and credentials during the initial registration phase 2. Authenticating users and controlling their access to services and resources An identity domain is a domain where each identity is unique. A name space of unique identifiers in a domain allows a one-to-one relationship between identities and identifiers. A pseudonym may be used as unique identifiers in some systems for privacy reasons in order to provide an anonymous identity. The pseudonym is an identifier where only the party that assigned the pseudonym knows the real world identity behind it. The pseudonyms can be self-assigned, so that the real world identity (e.g. legal persona) behind the pseudonym is only known by the owner, and otherwise is hidden to all other parties. Alternatively, the pseudonym can be denied and escrowed by a trusted third party who knows the real world identity, and who is able to reveal it under special circumstances such as law enforcment. 7

8 Identität (v. lat.: idem = derselbe) bezeichnet die Unterschiedlichkeit eines bestimmten Wesens (z.b. eines Menschen oder einer Sache). Hin und wieder wird der Begriff auch unscharf für die Einzigartigkeit (Individualität) eines Wesens gebraucht. Identifizierung ist der Vorgang, der zum eindeutigen Erkennen einer Person oder eines Objektes dient. Identifizierung ist nicht zu verwechseln mit Identifikation, der Einfühlung in einen anderen Menschen. Identification is a process whereby a real-world entity is recognized, and its 'identity' established. A Subject is a principal in the context of a security domain. A Principal is a system entity whose identity can be authenticated. A digital identity refers to the digital representation of a set of claims made by a digital subject about itself. A digital subject can be human or non-human (devices, computers). One s identity is often described by one's characteristics, among which may be any number of identifiers. An identified record or transaction is one in which the data can be readily related to a particular individual. An identifier is a data object (for example, a string) mapped to a system entity that uniquely refers to the system entity. A system entity may have multiple distinct identifiers referring to it. An identifier is essentially a "distinguished attribute" of an entity. Digital identifiers are strings or tokens that are unique within a given scope (globally or locally within a specific domain, community, directory, application, etc.). 8

9 Recently, AOL violated the privacy of users by publicly releasing three months of search query records. Search terms can expose the most intimate details of a person's life. These records could be connected back to you and cause you great harm. Would you want strangers to know where you or your child work or go to school? How about everyone seeing search queries that reference your financial information, medical history, sexual orientation, or religious affiliation?" An anonymous record or transaction is one whose data cannot be associated with a particular individual, either from the data itself, or by combining the transaction with other data. Anonymity is the condition of having a name or identity that is unknown or concealed. A pseudonymous record or transaction is one that cannot, in the normal course of events, be associated with a particular individual. A Persistent Pseudonym is a privacy-preserving name identifier assigned by a provider to identify a principal to a given relying party for an extended period of time that spans multiple sessions. A Transient Pseudonym is a privacy-preserving identifier assigned by an identity provider to identify a principal to a given relying party for a relatively short period of time that need not span multiple sessions. 9

10 Reference: MICHAEL BARBARO and TOM ZELLER Jr., Published: August 9,

11 Authentifizierung (v. griech. authentikos für Urheber, Anführer ) ist der Vorgang der Überprüfung (Verifikation) der behaupteten Identität eines Gegenübers, beispielsweise einer Person oder eines Computersystems in einem Dialog. Authentisierung ist der Vorgang des Nachweises der Echtheit der eigenen Identität bzw. der Identifikation des eigenen Subjekts. Der Nachweis der Echtheit erfolgt in einem bestimmten Kontext (z.b. Echtheit bzw. Unverfälschtheit eines Datensatzes - Im Englischen steht das Wort Authentication sowohl für den Nachweis der eigenen Identität (Authentisierung) als auch für die Überprüfung der behaupteten Identität (Authentifizierung). Authentication is the confirmation of a system entity s asserted principal identity with a specified, or understood, level of confidence. Authentication is a general term referring to the process whereby a degree of confidence is established about the truth of an assertion. A common application of the idea is to the authentication of identity. This is the process whereby an organization establishes that a party it is dealing with is: a previously known real-world entity (in which case it can associate transactions with an existing record in the relevant information system); or a previously unknown real-world entity (in which case it may be appropriate to create a new record in the relevant information system, and perhaps also to create an organisational identifier for that party). Credentials are data that is transferred to establish a claimed principal identity. 11

12 There are several ways to authenticate/prove the identity of a user: 1. The user presents something they know, such as a password. This approach is known as a Knowledge factor. (PIN = personal identification number) Passwords are the most common method of using confidential knowledge to authenticate users. Easy to administrate and convenient for most users, passwords are also the least expensive method of user authentication. Unfortunately, passwords have some drawbacks. Often, user-selected passwords are very short and simple, which makes them easy to guess. 2. The user presents something (physical) they have in their possession, such as a key or a card. This approach is known as a Possession factor. To authenticate users digitally people provide them with tokens that contain a digital code. Tokens are available as both hardware and software. They may generate a different code within regular time intervals or upon request (e.g. upon reception of a challange ). These tokens may also be smart cards, similar in size to a standard credit card which is inserted into a card reader as part of the authentication process. They may contain a digital certificate and they are usually presented in combination with a password or Personal Identification Number (PIN). 3. The user presents a personal physical attribute, such as a fingerprint or a retinal scan. This approach is known as a Being factor. Authentication approaches which us two factors to achieve authentication are called Two-Factor Authentication. In this situation people do also use the term Strong Authentication. 12

13 Autorisierung ist die Einräumung von Rechten gegenüber Anderen. In der Informationstechnologie bezeichnet die Autorisierung die Zuweisung und Überprüfung von Zugriffsrechten auf Daten und Dienste (bzw. auf Ressourcen) an Systemnutzer. Die Autorisierung erfolgt typischerweise erst nach einer erfolgreichen Authentifizierung. Authorization is the process of determining, by evaluating applicable access control information, whether a subject is allowed to have the specified types of access to a particular resource. Usually, authorization is in the context of authentication. Once a subject is authenticated, it may be authorized to perform different types of access. 13

14 Isolated User Identity Management might provide simple identity management for service providers, but is rapidly becoming unmanageable for users. The explosive growth in the number of online services based on this model results in users being overloaded with identifiers and credentials that they need to manage. Each Service Provider (SP) has also an Identity Provider (IdP). 14

15 15

16 In a Common User Identity Model a separate entity or single authority acts as an exclusive user identifier and credentials provider for all service providers. All service providers are using the same set of identifier and credential. This could, for example, be implemented by having a PKI where a single Certificate Authority (CA) issues certificates to all users within the domain. The identifier name space can for example be the set of Internet addresses that in fact are globally unique. In a homogeneous IT infrastructure or at least where a single user entity authentication scheme exists or where user database is centralized, single sign-on is a visible benefit. All users in this infrastructure would have one or single authentication credentials. e.g. say in an organization stores its user database in a LDAP database. All Information processing systems can use such a LDAP database for user authentication and authorization, which in turn means single sign-on has been achieved organization wide. 16

17 Zentral ist die AD-Infrastruktur, welche physisch durch eine Anzahl logisch verknüpfter Domänen-Controller implementiert ist. Logisch kann man das AD von aussen (d.h. von ausserhalb der Windows-Systeme) auch als LDAP-DB betrachten und verwendet. Windows-Server und -Clients sind im AD integriert, d.h. - Ihre Policies werden vom AD definiert -Technische und persönliche User können im AD verwaltet werden. -Alle User können im AD authentisiert werden. Nicht-Windows-Objekte (Clients, Server) können User im LDAP authentisieren 17

18 The Single-Sign-On Identity Model allows a user being authenticated by one service provider, to be considered authenticated by other service providers. This is commonly called a Single Sign-On (SSO) solution because the user then only needs to authenticate himself (i.e. sign on) once to access all the services. The same identifier is used by every service provider. Single-Sign-On Identity solutions are for example: Kerberos based authentication solutions, where the Kerberos Authentication Server acts as the centralized identifier and credential provider. Kerberos is a popular mechanism for applications to externalize authentication entirely. Users sign into the Kerberos server, and are issued a ticket, which their client software presents to servers that they attempt to access. Kerberos is available on Unix, Windows and mainframe platforms, but requires extensive modification of client/server application code, and is consequently not used by many legacy applications. Microsoft.Net Passport, where addresses are adopted as user identifiers the credential issuance and authentication are centralized functions under Microsoft s control. The JA-SIG Central Authentication Service (CAS) is an open single sign-on service (originally developed by Yale University) that allows web applications the ability to defer all authentication to a trusted central server or servers. Numerous clients are freely available, including clients for Java,.Net, PHP, Perl, Apache, uportal, Liferay and others. 18

19 Das Swisscom Login ersetzt Ihre bisherigen Benutzernamen und Passwörter von Swisscom Fixnet und Bluewin. Mit jeweils nur einem einzigen Benutzernamen und Passwort haben Sie so Zugriff auf alle Dienste, die Sie häufig in Anspruch nehmen. Das einheitliche Swisscom Login gilt für folgende Dienste -Webmail ( im Browser) -Festnetzrechnung Online -Kundencenter (z. B. Umzug melden) -SMS-Box -TV-Guide -Weitere Dienste (Online-Album, HomepageTool, Webhosting) Aus Sicherheitsgründen gibt es jedoch Ausnahmen, die weiterhin ein eigenes Login benötigen. Das automatische Einloggen dank Swisscom Login funktioniert nur, wenn Browser Cookies akzeptiert werden. 19

20 In a federated identity domain, agreements are established between service providers so that identities from different service providers i.e. identity domains are recognized across all domains. These agreements include policy and technology standards. A mapping is established between the different identifiers owned by the same user in different domains, that links the associated identities. This results in a single virtual identity domain. When a user is authenticated to a single service provider using one of their identifiers, they are considered to have been identified and authenticated with all the other service providers as well. Each service provider does it s own authorization, once the user is known. Standards/frameworks for identity federation include the OASIS Security Assertion Markup Language (SAML) and the Liberty Alliance framework. Shibboleth is an extension of SAML. 20

21 21

22 A federation is a collection of organizations that agree to interoperate under a certain rule set. Federations will usually define trusted roots, authorities and attributes, along with distribution of metadata representing this information. In general each organization participating in a federation operates one Identity Provider for their users and any number of Service Providers. 22

23 Shibboleth Project Home Page Die Architektur von Shibboleth besteht aus drei Teilen: Identity Provider welcher sich bei der Heimateinrichtung befindet Service Provider welcher sich beim Anbieter befindet Lokalisierungsdienst oder WAYF (Where are you from?) der optional eingesetzt werden kann, um die Heimateinrichtung des Benutzers zu lokalisieren. 23

24 AA Attribute Authority AAP Attribute Acceptance Policy ACS Attribute Consumer Services AR Attribute Requestor ARP Attribute Release Policy HS Handle Service (SSO and Artifact Resolution Services) IdP Identity Provider RM Resource Manager SP Service Provider SSO Single Sign On WAYF Where Are You From Server Shibboleth Process Steps 1 User wants to access a protected Resource hosted by a Service Provider (SP). 2 Redirection to WAYF server. 3 User selects home organisation as her Identity Provider (IdP). 4 Redirection to Identity Provider 5 User is prompted for his Credentials (personal secret). 6 Upon successful authentication the user is redirected by the IdP back to the SP. The reply contains a Handle in the form of a signed SAML assertion. 7 The SP uses the Handle to request the User s Attributes from the IdP. 8 Based on the ARP, the IdP returns a selection of User Attributes in a SAML assertion. 9 Based on the AAP, the SP decides which User Attributes are forwarded to the RM. 10 Based on the Attribute values, the RM decides if the User is authorized to access the Resource. 24

25 The User Centric User Identity Management lets users store identifiers and credentials from different service providers in a single tamper resistant hardware device which could be a smart card or some other portable personal device. Because its main purpose of authentication, the device is typically called a personal authentication device (PAD). The user must authenticate himself to the PAD, e.g. with a PIN, before the PAD can be used for authentication purposes. Many different authentication and access models can be imagined with a PAD. In case the PAD has a keyboard and display, a simple solution could for example be to retrieve from PAD memory a static password, or let the PAD generate a dynamic password, that the user then can type into the login screen of the service provider. A more advanced solution could be to connect the PAD to the client platform via a communication channel such as bluetooth or wireless LAN, or to let the PAD communicate directly with the server through a secondary channel. This would allow the PAD to be fully integrated into the authentication process. The functionality of a PAD could be integrated into other devices such as a mobile phone or personal digital assistant (PDA) which many people carry already. Using a mobile phone would also allow advanced solutions such as registration and challenge- response authentication through a mobile secondary channel. With a PAD connected to the client platform, virtual SSO solutions are possible. This could be implemented by letting the PAD automatically authenticate itself on behalf of the user as long as the PAD is connected to the client platform. The advantages of the user-centric user identity management architecture are that 1) the user only needs to remember one credential (e.g. the PAD PIN), 2) that virtual SSO is possible, and 3) that the traditional legacy identity management models described in Sec.3 can remain unchanged. Enterprise single sign-on, also called legacy single sign-on, after primary user authentication, intercepts login prompts presented by secondary applications, and automatically fills in fields such as a login ID or password. ESSO systems allow for interoperability with applications that are unable to externalize user authentication, essentially through "screen scraping. 25

26 Modern browsers provide virtual SSO capabilities for users so they do not have to remember their usernames or passwords for web sites. A master password protects the PKCS11 security device, which can be either a software or hardware device that stores sensitive information associated with their identity, such as usernames and passwords, keys and certificates. The part of Firefox that can help you remember some or all of your names and passwords by storing them on your computer's hard disk and entering them for you automatically when you visit such sites. Security Option Remember passwords for sites : Firefox can securely save passwords you enter in web forms to make it easier to log on to web sites. Security Option Use a master password : Firefox can protect sensitive information such as saved passwords and certificates by encrypting them using a master password. If you create a master password, each time you start Firefox, it will ask you to enter the password the first time it needs to access a certificate or stored password. Security Option Show Passwords : You can manage saved passwords and delete individual passwords by clicking the View Saved Passwords button. 26

27 ewallet password manager ( Synchronize your wallets quickly with the easy-to-use Sync Setup interface. Keep your data current everywhere! Sync to multiple PDAs, UMPCs, laptops, network computers, even remote locations on the web - there is no limit. View your data from remote computers using our built-in access to FilesAnywhere Online Storage. Protect your important information with strong 256-bit RC4 encryption. Organize your info how you want it with nested categories. ewallet lets you have categories in other categories. RoboForm2Go ( ) A U3 smart drive makes any PC your own PC. And when you unplug it, it leaves no personal data behind. (see also Take your passwords, contacts and personal identity with you and securely login to any web site. With your USB drive connected, launch Internet Explorer (plug-ins are available for Netscape and Mozilla Firefox, too), and the Pass2Go toolbar will appear. Either manually input your login information into Pass2Go or just visit a site. 27

28 Das User centric model (password store) dürfte im Konsumerbereich die besten Chancen für eine Verbreitung von SSO oder Reduced-SSO. In diesem Zusammenhang sei auf die Macht der Konsumer hingewiesen: 1. Heimanwender verfügen heutezutage über Werkzeuge, welche vor wenigen Jahren nur für Profis erschwinglich waren (z.b. Dokumentverarbeitung, Audio-, Bild-, Video-Editing) 2. Viele Technologien / Werkzeuge kommen heutzutage beim Heimanwender zum Einsatz bevor sie in den Firmen zu Verfügung gestellt werden (z.b. Desktop Search, VoIP). Konsumer oder wenigstens gewisse Konsumentenorganisationen kämpfen am vehementesten für Personendatenschutz (Privacy). In diesem Zusammenhang ist ein gewisser Konflikt zwischen SSO und Privacy zu beachten. 28

29 Verhaltensweisen, Produkte und Technologien aus der Welt der Privatkonsumenten beeinflussen zusehends die Business-IT. Gartner nennt diesen Prozess «Consumerization». Auf diesem Weg könnte auch User centric SSO den Weg in die Busines-IT finden. Die Radaranwendung wird hier als Beispiel für Profitools für Amateure aufgeführt. 29

30 Most infomediary software did not get widely used. But it was certainly a push for the big browser companies to offer similar functions in their products. Blocking of 3rd party cookies is today supported in most browsers. 30

31 Der P3P-Standard wurde im W3C entwickelt und vor allem von AT&T vorangetrieben. P3P wollte Inhaltsanbieter und Inhaltskonsumenten helfen, Datenschutzvorstellungen und Richtlinien in Einklang zu bringen. In der Privacy Policy beschreibt der Anbieter, wie er Personendaten handhaben will. Der Konsument beschreibt in seinen Privacy Preferences, welche Personendaten er unter welchen Umständen freigeben will. Mit P3P kann überprüft werden, ob die Privacy Preferences des Konsumenten die Lieferung von Informationen entsprechend den Privacy Policies des Informationsanbieters erlauben oder nicht. Ein P3P-Enabled User-Agenten sind noch kaum verfügbar. Folgende Browser unterstützen wenigstens teilweise P3P: Privacy-Bird (Plugin für Internet Explorer) Microsoft Internet Explorer 6 (Cookies) Mozilla (ist nicht im aktuellen Release integriert) Opera (will P3P in Zukunft unterstützen). 31

32 Ein genauer Blick in die IE7-Einstellungen zeigt, dass 3rd-Party Cookies bei der Standardeinstellung akzeptiert werden, wenn der Absender des 3rd-Party Cookie eine Datenschutzrichtlinie liefert. 32

33 Citi Identity Theft Solutions This free service for Citi cardholders will help you get your life back if you suspect you've been a victim of identity theft. One of our Identity Theft Specialists will provide you with the support you need every step of the way until your case is closed. Remember, you have $0 liability, which means you won t have to pay for any unauthorized charges on your Citi card. (commercials ) Identity Theft Example of a Chief of Police: 33

34 34

35 35