The Trusted Attribute Aggregation Service (TAAS)

Transcription

1 The Trusted Attribute Aggregation Service (TAAS) Privacy Protected Identity Management with User Consent, Minimum Dislosure and Unlinkability George Inman, David Chadwick, Kristy Siu

2 What problems does TAAS attempt to solve? More and more sensitive user information is being held online A single IdP should not be asked to hold all of a user s data: It cannot be authoritative for it all e.g. The university of Kent should not be the authoritative source for my drivers license It presents a single point of failure and a focus for attackers e.g. Certain large Japanese technology companies We therefore believe that many AA s with much smaller datasets should be used, however this presents it own set of problems: Most SP s are designed to work with a single IdP. Small data sets means that SPs need to access data at many sources throughout a session. In reality these problems (amongst others) have lead to there being a focus on authentication above authorisation: leading to poorly populated attribute sets from IdPs and either weakened security policies or the SP being required to store additional user data, credit cards etc. Page 2

3 What is TAAS An Attribute rather than authentication oriented framework for federated services. A system that allows users to link accounts at multiple AAs Individual attributes can then be requested as and when a SP requires them. An SSO system for attribute aggregation. Users are only required to authenticate to a single IdP before choosing attributes from multiple AAs Page 3

4 Live demos? E-Shopping example: E-Gov example: Did the demos Work? Page 4

5 E-Shopping example Page 5

6 Site shows it s attribute Requirements: Page 6

7 Browser Plugin asks the user for the address of her preferred TAAS: Page 7

8 TAAS acts as WAYF and asks the user to authenticate: Page 8

9 User logs in: Page 9

10 User is asked to chose her attributes: Page 10

11 User is asked to chose her attributes: Page 11

12 A user may have many Self Asserted Attributes: Page 12

13 After All attributes are chosen they can be submitted and saved: Page 13

14 Success: Page 14

15 1 click : Page 15

16 Previously chosen attributes are remembered (1 click aggregation) Page 16

17 E-Gov example Page 17

18 Site shows it s attribute Requirements: Page 18

19 Browser Plugin asks the user for the address of her preferred TAAS: Page 19

20 TAAS acts as WAYF and asks the user to authenticate: Page 20

21 User logs in: Page 21

22 User is asked to chose her attributes: Page 22

23 Note Self Asserted Attributes are not allowed by the SP: Page 23

24 User choses and submits the page: Page 24

25 Site confirms the user s attributes Page 25

26 Architecture Overview Page 26

27 Architecture Overview 1. The User attempts to access a resource at an SP. 2. The SP requests authentication and attribute data from the user. 2(a). The Browser detects that TAAS authorisation is requested and invokes the Browser Module to determine the TAAS service to use. 3. Once the user has choosen a TAAS, it is invoked by the Browser Module. 4. The TAAS finds no saved cookie and forwards the user to an IdP for authentication. 5. Authentication Occurs 5(a). Example Login Screen. 6. The IdP returns an Authentication assertion. This assertion contains no attributes and is valid throughout the federation. 7. The TAAS queries the user to select the attribute cards he wishes to use to respond to the SP's request by displaying the card selection screen (7(a)). 8/10/12. The selected card accounts (including the authenticating IdP) are queried for attributes. 9/11/13. Each IdP determines if it trusts the TAAS and authenticating IdP and returns attributes appropriately if it does (according to its local policy). 14/15. The TAAS collects the returned assertions and returns them via the user s browser to the SP s authorisation page Page 27

28 Summary of Features Uses Standard SAML V2.0 protocols for transferring claims/attributes Prevents phishing attacks since the user choses where to go for claims SP shows its attribute policy to user s prior to aggregation so the user knows what is required. TAAS redisplays SP s policy with choices for each attribute so users can selects each attribute one by one User choses and consents to all attribute releases Minimum dislosure of user attributes and unlinkablity (unless user choses linkable attributes) User can self assert attributes if the SP s policy allows it Simplifies user experience down to 1 click attribute selection and user would never have to enter credit card numbers Privacy protects the user, TAAS never sees any IdP claim values and does not know who the user is. SP is never given a persistent user identifier by any IdP Page 28

29 Questions? g.inman@kent.ac.uk Website : Page 29