Electronic ID at work: issues and perspective

Similar documents
Delegated authentication Electronic identity: delegated and federated authentication, policy-based access control

STORK PRESENTATION. STORK Overview STePS workshop, 17 June Herbert Leitold. Stork is an EU co funded project INFSO ICT PSP

Analysis of the Interoperability Possibilities of Implemented Governmental e-services EU15

STORK PRESENTATION 07/04/2009. Frank LEYMAN. Manager International Relations. Stork is an EU co-funded project INFSO-ICT-PSP

Web Based Single Sign-On and Access Control

STORK Secure Identity Across Borders Linked

On integration of academic attributes in the eidas infrastructure to support cross-border services

Network Security. Chapter 10. XML and Web Services. Part II: II: Securing Web Services Part III: Identity Federation

ENHANCING CROSS-BORDER EID FEDERATIONS BY USING A MODULAR AND FLEXIBLE ATTRIBUTE MAPPING SERVICE TO MEET NATIONAL LEGAL AND TECHNICAL REQUIREMENTS

Session 2.1: Federations: Foundation. Scott Koranda Support provided by the National Institute of Allergy and Infectious Diseases

Federated Authentication with Web Services Clients

4.2. Authenticating to REST Services. Q u i c k R e f e r e n c e G u i d e. 1. IdentityX 4.2 Updates

Introducing Shibboleth. Sebastian Rieger

Lesson 13 Securing Web Services (WS-Security, SAML)

Implement SAML 2.0 SSO in WLS using IDM Federation Services

Configure ISE 2.3 Guest Portal with OKTA SAML SSO

eidas cross-sector interoperability

Security Assertion Markup Language (SAML) applied to AppGate XDP

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

e-sens Electronic Simple European Networked Services Klaus Vilstrup Pedersen WP6 Manager DIFI, Norway

Web Services Security: SAML Interop 1 Scenarios

INTEGRATED SECURITY SYSTEM FOR E-GOVERNMENT BASED ON SAML STANDARD

Security Analysis of eidas The Cross-Country Authentication Scheme in Europe

Interoperability Infrastructure Services

Liberty Alliance Project

Data Privacy in the Cloud E-Government Perspective

Access Control Service Oriented Architecture

Deliverable D3.5 Harmonised e-authentication architecture in collaboration with STORK platform (M40) ATTPS. Achieving The Trust Paradigm Shift

Authentication Context Extension

Enterprise Identity Management 101. Phillip J. Windley Brigham Young University

Security Assertions Markup Language (SAML)

eidas-node Error Codes

1. Publishable Summary

All about SAML End-to-end Tableau and OKTA integration

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

Does the benefit provide me with Priority or Express boarding at the gate? No. These services are not included as part of the program.

Last Class. A Question. Federated Identity. ID Avalanche. Problem in general SPKI/SDSI. Lecture 6 : Digital Identity Federation and Privacy Management

esignature Infrastructure Marketing Model

Single Sign-On User Guide. Cvent, Inc 1765 Greensboro Station Place McLean, VA

Oracle Utilities Opower Energy Efficiency Web Portal - Classic Single Sign-On

extensible Access Control Language (XACML)

Authentication. Katarina

DocuSign Single Sign On Implementation Guide Published: June 8, 2016

EU e-marketing requirements

Obligation Standardization

Configuration Guide - Single-Sign On for OneDesk

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

SAML V2.0 Profile for Token Correlation

TECHNICAL GUIDE SSO SAML. At 360Learning, we don t make promises about technical solutions, we make commitments.

e SENS Pilots of eid, esignatures and Trusted Services

Integrating Identity Management Aspirations and Issues

eid edocs the next possible steps Interoperability BE-AT-NL-PT

i-ready Support for Single Sign-On (SSO)

eidas Regulation eid and assurance levels Outcome of eias study

Configure Unsanctioned Device Access Control

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

BoR (10) 13. BEREC report on Alternative Retail Voice and SMS Roaming Tariffs and Retail Data Roaming Tariffs

Kerberos SAML Profiles

UJI-ESURVEY SERVICE TESING MANUAL

CEN TC 224 WG15. European Citizen Card. Brussels May 10th CEN/TC 224 WG15 European Citizen Card

Warm Up to Identity Protocol Soup

Trusted National Identity Schemes. Coralie MESNARD

ArcGIS Server and Portal for ArcGIS An Introduction to Security

This document is a preview generated by EVS

[GSoC Proposal] Securing Airavata API

SECURED SECurity at the network EDge

This document is a preview generated by EVS

e-sens Electronic Simple European Networked Services

Single Sign-On (SSO) Using SAML

Establishing Trust Across International Communities

Configuring Confluence

GLOBUS TOOLKIT SECURITY

A privacy-preserving authentication service using mobile devices

Security & Privacy. Web Architecture and Information Management [./] Spring 2009 INFO (CCN 42509) Contents. Erik Wilde, UC Berkeley School of

SAML-Based SSO Solution

Italian Student Visa Packet

BoR (11) 08. BEREC Report on Alternative Voice and SMS Retail Roaming Tariffs and Retail Data Roaming Tariffs

TLS-Federation. Dr. Bud P. Bruegger. Dr. Detlef HühnleinH. Prof. Guido Marinelli. U.Rome Tor Vergata (Italy) Comune di Grosseto (Italy)

Upland Qvidian Proposal Automation Single Sign-on Administrator's Guide

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

TRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model

Identity and capability management and federation

Gateway Certification Authority pilot project

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

The Business of Identity: Business Drivers and Use Cases of Identity Web Services

10 minutes, 10 slides, goals, tech details and why it matters. Decentralized ID & Verifiable Claims

SAML-Based SSO Solution

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

GDPR General Data Protection Regulation

Morningstar ByAllAccounts SAML Connectivity Guide

OIOSAML Basic Privilege Profile. Version 1.0.1

Generic Structure of the Treatment Relationship Assertion

eidas Interoperability Architecture Version November 2015

SAML 2.0 SSO Extension for Dynamically Choosing Attribute Values

Securing the New Perimeter:

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Evolution in cross-border interoperability of esignatures and eid. Tarvi Martens SK, Estonia

Joining forces to fight botnets. Dan Tofan Head of the Technical Division CERT-RO 17/02/2014

User Authentication Best Practices for E-Signatures Wednesday February 25, 2015

Major SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007

Transcription:

Electronic ID at work: issues and perspective Antonio Lioy < lioy @ polito.it > Politecnico di Torino Dip. Automatica e Informatica

Why should I have/use an (e-) ID? to prove my identity to an "authority": e.g. crossing borders being an Italian citizen, I'm allowed to freely travel across EU and some foreign countries, while other countries require an entry visa identity not really important, rather being Italian to prove "ownership" of something: (access control) a credit card, a mail account,... non necessarily my "real" identity (data origin) an e-document, a song,... to have my actions being tracked (!!!) e.g. in Italy no anonymous Internet access difficult balance between privacy and lawful investigation

(peer) authentication: Electronic Identification submit credential (e.g. username) to access control point pass an associated verification (e.g. password) (data) authentication: several electronic ways (e-signature, TTP, ) not today's' topic attributes: of the authenticated peer some basic data openly available (e.g. name and surname) other data available on explicit consent (e.g. religion)

Identity and service providers identity provider ( IDP ) 3. do authenticate! 4.1 yes, he's Lioy 4.2 role = professor user 2.1 is this Lioy? 2.2 what's his role? 1. I'm Lioy / POLITO service provider ( SP )

What is XACML? extensible Access Control Markup Language an OASIS standard based on a XML syntax a language to describe an authorization policy, defined in terms of: subject (user, computer, service) resource (document, file, data) identified by a URI a language to manage policy-based access control: data format to express the request and response to be carried inside one of many client-server protocols

Components for policy-based access control PEP = Policy Enforcement Point front-end to a protected resource that permits access only after checking compatibility with access policy PDP = Policy Decision Point collects all relevant information (policy, subject, resource, access type, context) to decide if access is allowed or denied PIP = Policy Information Point provides auxiliary information related to the access request PAP = Policy Access Point provides the relevant policy for the access request

T Subject PIP 1. S, O, T 9. authorized/denied 4. context info 7. XACML response 8. response PEP context handler 5. XACML request 3. request??? policy repository 0. policy creation Object PDP 6. retrieve policy PAP

reusable password simple but highly risky Authentication non-repudiation impossible one-time password hw support needed but much less risky non-repudiation impossible asymmetric key (~ digital signature) smart-card needed (+pin) but highly secure non-repudiation possible with standard protocols (e.g. SSL client authentication available in all browsers) with custom protocols (customized sw needed at the local node connected to the smart-card)

The STORK project European PSP project (NOT a research project!) e-id interoperability purpose demonstrate the use of existing national e-id for use with pan-european electronic services funding 20 M Euro duration June 2008 June 2011 coordinator ATOS Origin

The STORK partners Austria Belgium Estonia France Germany Italy Luxembourg Netherlands Portugal Slovenia Spain Sweden United Kingdom Plus Iceland addition of other countries under negotiation

STORK pilot projects P1) cross-border e-services between various national, regional portals P2) platform for safer chat for minors P3) electronic services to students attending an university abroad (e.g. ERASMUS) P4) cross-border secure online delivery of documents P5) change of address across EU countries common architecture for Internet-based services to allow re-use of national e-id outside the origin country

problems: Security in STORK nearly every EU country has a different e-id schema solutions: password, smart-card (w or w/o local software or portal) different format / functionality of smart-cards PEPS (Pan-European Proxy Service) EU middleware (for some smart-card-based e-ids) "trust levels" some services require a certain security level not provided by every e-id

Conceptual interop. model: PEPS-PEPS IT APs UK APs 12. retrieve data 13. Signed ID 11. Signed ID IT PEPS 5. Someone wants to use a UK ID with POLITO UK PEPS 8. check this user's credential UK IDP 14. Signed ID 2. Identify this user 3. How do you want to authenticate? 4. I'd like to use my UK ID 6. POLITO wants these data 7. permit transmission of these data 9. UK-id? pwd? IT SP POLITO 1. I want to enrol 10. here they are!

Conceptual interop. model: PEPS-PEPS trust between PEPSes, PEPS-AP & PEPS-IDP required trust between PEPS - SP depend on model: UK vs BE: UK model: PEPS/DirectGov determines max attributes of each SP effort for inclusion of new SPs BE model: risk of DoS, as there s no limitation on requests no inclusion of SPs

Conceptual interop. model: PEPS-MW IT APs 10. Signed ID 9. cert OK IT PEPS 11. Signed ID 2. Identify this user 5. Someone wants to use an Austrian ID with POLITO 3. How do you want to authenticate? V-IDP 4. I'd like to use my Austrian ID AT SPware 6. POLITO wants these data AT MW 7. Burgerkarte 8. check this AT cert AT IDP* IT SP POLITO 1. Please show the results of my exams

Conceptual interop. model: PEPS-MW MW is activated by AT-SPware installed in V-IDP V-IDP also includes DE-SPware PEPS can collect more data items from AP, neither MW nor SPware will do so

What about standards? standards... they are nice because you have so many to choose from!... and each standard has so many options to choose from! Stork will to exploit widely adopted standards SAML 2.0 is one of them

e-ids are already here interoperability is possible Conclusions user attributes (semantically meaningful) are the real challenge

What is SAML? Security Assertion Markup Language an OASIS standard based on a XML syntax a data format to express: several types of assertion assertion requests assertion responses ASSERTION is the base SAML object the main purpose of SAML is to standardize and simplify the interactions needed to establish permissions in a multidomain distributed system

an assertion is: SAML assertion a declaration about a fact related to a subject (e.g. the role of a user) declaration provided by a certain issuer three basic assertion types: authentication attribute di authorization decision can be extended to add other assertion types the assertion may be digitally signed (via xml-dsig)

Infos common to all SAML assertions issuer and issuance timestamp assertion ID subject ID and its security domain validity "conditions" SAML clients must reject assertions containing unknown conditions an important condition: assertion validity period other useful infos e.g. explanation / proof of the ground for the assertion

Example of authentication assertion <saml:assertion MajorVersion="1" MinorVersion="0" AssertionID="192.168.1.1.12345678" Issuer="Politecnico di Torino" IssueInstant="2007-12-03T10:02:00Z"> <saml:conditions NotBefore="2007-12-03T10:00:00Z" NotAfter="2007-12-03T10:05:00Z" /> <saml:authenticationstatement AuthenticationMethod="password" AuthenticationInstant="2007-12-03T10:02:00Z"> <saml:subject> <saml:nameidentifier SecurityDomain="polito.it" Name="alioy" /> </saml:subject> </saml:authenticationstatement> </saml:assertion>

Example of attribute assertion <saml:assertion...> <saml:conditions.../> <saml:attributestatement> <saml:subject> <saml:nameidentifier SecurityDomain="polito.it" Name="alioy" /> </saml:subject> <saml:attribute AttributeName="Role" AttributeNamespace="http://polito.it"> <saml:attributevalue> Full Professor </saml:attributevalue> </saml:attribute> </saml:attributestatement> </saml:assertion>

SAML: producer-consumer model Policy Policy Policy Credentials Collector Authentication Authority Attribute Authority Policy Decision Point SAML Authentication Assertion Attribute Assertion Authorization Decision Assertion System Entity Application Request Policy Enforcement Point

SAML SSO for Google Apps a company (partner) activates its own application at Google hence, Google = service provider the partner wants to keep control of the authentication and authorization part hence, partner = identity provider the access procedure is based upon SAML-2.0 with XML-sig

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback