TLS-Federation. Dr. Bud P. Bruegger. Dr. Detlef HühnleinH. Prof. Guido Marinelli. U.Rome Tor Vergata (Italy) Comune di Grosseto (Italy)

Transcription

1 TLS-Federation Dr. Bud P. Bruegger Dr. Detlef HühnleinH Prof. Guido Marinelli Comune di Grosseto (Italy) Secunet (Germany) U.Rome Tor Vergata (Italy)

2 Scope full eid IOP framework for EU MSs any eid technology (Manchester Declaration) full I local token, remote IdP X.509 (smartcard, soft),, non-x.509 (ACC),, uname/pwd,... full Idenfitifcation Authentication Signature initial focus: Basic service access like Belgium Reverse Proxy A + I (consistent person identifier) base excluded/complementary: Trust Mgmt, BridgeCA.. support ignature support

3 Category Base functionality: Mature Technology: existing and very mature IETF standards (TLS 1.0 stable since 1999) uses off-the-shelf, ubiquitous technology Advanced functionality: Privacy enhancements Access to identity data on eids (authentic src) Technology (and legal) Research

4 Problems Targeted (1) Federation (any eid technology) Strong Authentication high security (ident. theft) IOP framework weakest link eid IOP framewrk SP Access to Identity Data on eids (authentic src) standard protocol for remote access (IdP or Service Provider) manage diversity of formats (current eids: parsing, validation) map to standard format(s) (SAML, ICAO LDS?) privacy enahance (partial identities) under user-control (integrate with Cardspace/Higgins?)

5 Problems Targeted (2) Privacy enhancement Gradual migration strategy from todays eids to privacy enhanced credential system Austrian sector identifiers adapted to X.509 (linkability) Partial identities (minimal disclosure) Ease of Rollout very conservative technology choice (TLS 1.0 since 1999) existing PKI/eID infrastructure normally sufficient User-centric approach Large Scale Pilot middleware approach

6 SSL/TLS = workhorse of strong auth Mature, stable, secure, ubiquitous Google: Google: strong auth + SSL: 220,000 eids: BE: strong auth + Liberty: 21,900 reverse proxy (TLS) techn annex of law (TLS handshake) TLS is THE way TLS is THE way IT: EE: IS:.. other X.509/PKI eid countries

7 TLS eid IOP: Demonstrated Porvoo Group: Open Source eid IOP Demonstrator Autentication with: BE, EE, FI, IT (client and server) Demos: World eid 2005, Porvoo 8; Presented: 2 nd Modinis-IDM WS Easy to extend: X.509 eids (smartcard or soft) Internationally unique identifier namespace Extension of proven Belgium reverse proxy Limitations: Non X.509 credentials (Austrian ACC, username/pwd, etc.) Solution: TLS-Federation Privacy enhancement (AT-style sector-specific IDs, partial ident.)

8 TLS-Federation Concepts Browser middleware interfaces to eid X.509 eid uses existing middleware Non-X.509 eid: Middleware interfaces to IdP (on the fly CA) IdP converts natl. credential to X.509 cert Comparable to SAML assertion, WS-* claim supports any national credential technology compatible with privacy enhancement

9 Auth. Architecture Identity Provider Convert natl. credential to X.509 Privacy enh. standard cert. sign. request u/pwd credential Browser Middleware Austrian ACC X.509 cert TLS client-cert-auth challenge/response X.509 eid Service Provider interface to national choice of eid creates keypair (if necessary) auth. credential identity data (authentic src)

10 Standards and SW Standard X.509 CA Identity Provider Functionality of German ELSTER tax app: 80 Mio. trans/yr IETF RFC 2510 Cert Mngmt Protocols u/pwd credential Browser Middleware Austrian ACC CSP PKCS#11 IETF RFC 2246 TLS X.509 eid Service Provider Standard HTTPd: Apache mod-ssl IOP handler Existing middleware for plain X.509 eids new middlew. based on existing library for others

11 Privacy Enhancement (1) Best Practices: Linkability AT: sector-specific dynamic IDs BE: legislation that prevents large scale linkability IT: zero-disclosure X.509 certificates (CIE eid) Migration Steps: Service Provider derives sector IDs (inexpensive, immediate) IdP derives reusable sector IDs (managed by user-agent -agent) IdP derives fully dynamic one-use IDs

12 Identity Provider validate parse partial identity reformat to standard (SAML?) Privacy Enhancement (2) minimal disclosure standard protocol for remote access (UPI) eid Middleware propr. format identity data (authentic source) Browser files Service Provider Mult. Protocols? UPI Cardspace/WS-* Liberty (local IdP) reusable partial identities user choice identity agent?

13 Status So far: unfunded, informal project Basic service access: almost ready for use German ELSTER: high-vol gov app uses same approach SMILE FP7 proposal: federation demo for ACC, u/pwd Basic privacy enh (service prov): almost ready Advanced privacy enh: research Draft paper (Grosseto, indept. Center for Privacy Prot. Schleswig-Holstein, KU Leuven, TU Graz) SMILE FP7 proposal Access to eid identity data: research Need, Concept ratified : BE, AT, EE, IS, IT,.. (PPP eid WG) SMILE FP 7 proposal

14 Relevance for eid IOP Cheap and simple solution for eid-enabling services on web (all sectors) Strategy to avoid large-scale linkability due to X.509 eids with unique identifier non-intrusive way of harmonizing identity data formats Migration strategy to gradually improve privacy of existing X.509 eids when need is perceived by MSs

15 Pro's Based on stable and mature standards by IETF Ubiquitous, conservative technology (SSL/TLS/X.509) Simple, straight forward, Secure PKI/X.509 countries: works out of box (easiest rollout, most likely replication) Strong auth: also in IOP framework (high security) non-intrusive retrofit of privacy enh. to existing eids

16 Con's Unfunded, informal project: Incompletely documented Little dissemination/awareness (gov./ind.) Slow progress (SMILE FP7 proposal) User-centric but not (yet) integrated with Cardspace/Higgins (Microsoft Gov. Security Program Italy?)

17 Relationship with other models Alternative to Liberty Alliance and WS-* Access to identity data on eids needed also by these other frameworks BridgeCA is complementary SAML, ICAO LDS as possible standard formats for identity data User-centric: : intergrates well with Cardspace/Higgins? Middleware-centric plays well with standards (CEN ECC, ISO 24727) LSP middleware approach