Prof. Christos Xenakis

Similar documents
Prof. Christos Xenakis

Research Activities in the Area of Privacy

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

A privacy-preserving authentication service using mobile devices

From Real-world Identities to Privacy-preserving and Attribute-based CREDentials for Device-centric Access Control

Deliverable D3.5 Harmonised e-authentication architecture in collaboration with STORK platform (M40) ATTPS. Achieving The Trust Paradigm Shift

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

Internet is Global. 120m. 300m 1.3bn Users. 160m. 300m. 289m

Dissecting NIST Digital Identity Guidelines

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

Lecture 41 Blockchain in Government III (Digital Identity)

FIDO Alliance: Standards-based Solutions for Simpler, Strong Authentication

IRMA: I Reveal My Attributes

Information Sharing and User Privacy in the Third-party Identity Management Landscape

More than just being signed-in or signed-out. Parul Jain, Architect,

Deprecating the Password: A Progress Report. Dr. Michael B. Jones Identity Standards Architect, Microsoft May 17, 2018

The EGI AAI CheckIn Service

EGI Check-in service. Secure and user-friendly federated authentication and authorisation

DIGITAL IDENTITY TRENDS AND NEWS IN CHINA AND SOUTH EAST ASIA

Privacy with attribute-based credentials ABC4Trust Project. Fatbardh Veseli

SOCIAL IDENTITIES IN HIGHER ED: WHY AND HOW WITH REAL-WORLD EXAMPLES

SOFTWARE DEMONSTRATION

Mobile Device Management

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

New Paradigms of Digital Identity:

Do I Really Need Another Account? External Identities for Campus Applications

Warm Up to Identity Protocol Soup

Who What Why

A NEW MODEL FOR AUTHENTICATION

Moving Digital Identity to the Cloud, a Fundamental Shift in rethinking the enterprise collaborative model.

CS November 2018

Access Management Handbook

OpenID: From Geek to Chic. Greg Keegstra OpenID Summit Tokyo Dec 1, 2011

Digital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2

FIDO TECHNICAL OVERVIEW. All Rights Reserved FIDO Alliance Copyright 2018

10 minutes, 10 slides, goals, tech details and why it matters. Decentralized ID & Verifiable Claims

Next Gen Security Technologies for Healthcare Authentication

Markus Jakobsson Elaine Shi Philippe Golle Richard Chow (Palo Alto Research Center) Thanks to Yuan Niu (UC Davis)

BEYOND TRADITIONAL PASSWORD AUTHENTICATION: PKI & BLOCKCHAIN

IBM Identity Mixer. Introduction Deployment Use Cases Blockchain More Features

Cryptographic dimensions of Privacy

Identity Mixer: From papers to pilots and beyond. Gregory Neven, IBM Research Zurich IBM Corporation

Tablet Setup New Google Account

GÉANT Community Programme

WSO2 Identity Management

Authentication Work stream FIGI Security Infrastructure and Trust Working Group. Abbie Barbir, Chair

Authentication in the Cloud. Stefan Seelmann

From Real-world Identities to Privacy-preserving and Attribute-based CREDentials for Device-centric Access Control

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

BIDMC Multi-Factor Authentication Enrollment Guide Table of Contents

Trust Services for Electronic Transactions

ADOPTING FIDO SearchSecurity

Technical Overview. Version March 2018 Author: Vittorio Bertola

Cloud Security, Mobility and Current Threats. Tristan Watkins, Head of Research and Innovation

Approved 10/15/2015. IDEF Baseline Functional Requirements v1.0

Authentication Technology for a Smart eid Infrastructure.

FIDO ALLIANCE: UPDATES & OVERVIEW BRETT MCDOWELL EXECUTIVE DIRECTOR. All Rights Reserved FIDO Alliance Copyright 2017

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Mobile: Purely a Powerful Platform; Or Panacea?

FIDO & PSD2. Providing for a satisfactory customer journey. April, Copyright 2018 FIDO Alliance All Rights Reserved.

5 OAuth EssEntiAls for APi AccEss control layer7.com

Odyssey Entertainment Marketing, LLC Privacy Policy

lifeid Foundation FAQ v.1

TAKING THE MODULAR VIEW

Table of Contents. Blog and Personal Web Site Policy

EMERGING TRENDS AROUND AUTHENTICATION

Humanistic Multi-Factor Authentication (MFA) Why We Don't Use MFA

Facilitating the Attribute Economy. David W Chadwick George Inman, Kristy Siu 2011 University of Kent

Universal Representation of a Consumer's Identity Is it Possible? Presenter: Rob Harris, VP of Product Strategy, FIS

Architecture Assessment Case Study. Single Sign on Approach Document PROBLEM: Technology for a Changing World

Security and Privacy in the Internet of Things : Antonio F. Skarmeta

GUESTBOOK REWARDS, INC. Privacy Policy

Securing today s identity and transaction systems:! What you need to know! about two-factor authentication!

Lecture 3 - Passwords and Authentication

The challenges of (non-)openness:

Web Authentication using Third-parties in Untrusted Environments

Google Identity Services for work

Tolbert Family SPADE Foundation Privacy Policy

USE CASES. See how Polygon s Biometrid can be used in different usage settings

Adobe Sign and 21 CFR Part 11

TRUST ELEVATION WITH SAFELAYER TRUSTEDX. David Ruana, Helena Pujol 14Q4

Signer Authentication

Mobile Devices prioritize User Experience

Stop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico

Privacy Policy. Optimizely, Inc. 1. Information We Collect

Cisco Desktop Collaboration Experience DX650 Security Overview

How Next Generation Trusted Identities Can Help Transform Your Business

Privacy-Enhancing Technologies & Applications to ehealth. Dr. Anja Lehmann IBM Research Zurich

CSCE 548 Building Secure Software Entity Authentication. Professor Lisa Luo Spring 2018

Citizen Biometric Authentication based on e-document verification. e-government perspective. Mindshare Ruslans Arzaniks Head of Development

Identity, Authentication and Authorization. John Slankas

Security analysis of OpenID, followed by a reference implementation of an npabased OpenID provider

Safelayer's Adaptive Authentication: Increased security through context information

Gaining Business Value from IoT

Mobile Connect Driving Global Economic Growth Through Secure Mobile Identity

Computers and Security

PRISMACLOUD. Privacy and Security Maintaining Services in the Cloud Thomas Loruenser. CSP2015 Brussels /

Middleware, Ten Years In: Vapority into Reality into Virtuality

Business value of Federated Login for Enterprises Enterprise SaaS vendors Consumer websites

Transcription:

From Real-world Identities to Privacy-preserving and Attribute-based CREDentials for Device-centric Access Control Device-Centric Authentication for Future Internet Prof. Christos Xenakis SAINT Workshop Athens, 20 March 2018 Co-funded by the Horizon H2020 Framework Programme of the European Union under grant agreement no 653417.

ReCRED Project Consortium Project funded by EU under H2020 Call Identifier: H2020-DS2-2014-1 SAINT Workshop, 20 March 2018 2

ReCRED s goal To promote the user s personal mobile device to the role of a unified authentication and authorization proxy towards the digital world Problems addressed by ReCRED SAINT Workshop, 20 March 2018 3

SAINT Workshop, 20 March 2018 4

ReCRED s Innovation It allows mobile devices that users habitually use and carry to manage all access control needs It is aligned with current technological trends and capabilities. Integrates existing as well upcoming techniques of : Authentication Identity management Access Control Privacy protection Trusted computing SAINT Workshop, 20 March 2018 5

New Digital Landscape Nowadays e-commerce now exceeds 1 trillion per annum Internet of Things becomes a reality Digital economy & digital life require for reliable and user-friendly authentication mechanisms Currently, user authentication relies on passwords, a technology of the 60s 98% of the websites use password-based authentication SAINT Workshop, 20 March 2018 6

Problem 1: What happens with Passwords? Users have the tendency to choose weak & easy-to-remember passwords Therefore, passwords are easy-to-guess and highly insecure Passwords are highly reused by users The security requirements of critical services, such as e-banking, are not satisfied by ordinary passwords, which can be easily stolen or bypassed Regarding passwords usability: 70% of users forget their password once in a month! Users tend to try on average 2.4 passwords before they type the right one! SAINT Workshop, 20 March 2018 7

Questions arise regarding authentication Can I login without using passwords, easily and securely Fast IDentity Online (FIDO) Device Centric authentication By using strong asymmetric cryptography, transparently to end users FIDO members Google, Paypal, Microsoft, Visa, Samsung, Intel, American Express, Bank of America, etc. Asymmetric Cryptography SAINT Workshop, 20 March 2018 8

FIDO UAF provide several advantages!! It offers strong authentication based on public key cryptography It simplifies both registration and authentication There is no need for maintaining passwords Dealing with complex password rules Going through password recovery It enhances users privacy since all identifying info is stored locally But the UAF protocol relies on the assumption that the UAF authenticator & UAF client are trusted and cannot be tampered SAINT Workshop, 20 March 2018 9

Wait a minute!!! My mobile device is the gateway to my digital life What If my mobile device is: Compromised Stolen Broken Lost Replaced SAINT Workshop, 20 March 2018 10

Behavioral Authentication Within ReCRED, we have developed four different types of behavioral authentications: Key stroke Browsing habits Mobility Gait Latch for account locking SAINT Workshop, 20 March 2018 11

Problem 2: Identity Fragmentation Online Accounts Today's Internet users are registered in too many online services Email (Gmail, Yahoo), social media (Facebook, Twitter, LinkedIn), e-banking, corporate applications, cloud providers (dropbox, office 365). Each one use a different authentication method & authentication credentials Questions arise: Can I consolidate & manage securely all these identities & accounts, from a single device Can I control my privacy & give my consent for using my personal data (GDPR) Can I link my online accounts e.g., facebook with google Can I link an online account with my physical identity e.g., e-bay to sell my laptop SAINT Workshop, 20 March 2018 12

FIDO Federated authentication - OpenID Connect OpenID Connect (federated authentication) delegates authentication Online services authenticate their users by employing Google, Microsoft, Twitter, LinkedIn accounts, etc. OAuth 2.0 (Open standard for Authorization) Issues and uses access tokens to be used for authorization User: less passwords to remember Service providers: no need for password maintenance ReCRED s approach = Fido+(OpenID Connect/OAuth2.0)+BAA Client (App) Identity Provider End User SAINT Workshop, 20 March 2018 13

Identity consolidation & management Identity Consolidator is the central entity of ReCRED It is a identity provider (idp), that acts a trusted third party and provides users authentication Manages all access control needs of the users and supports federated authentication Using my UNIPI account, gmail account, BAA, Vodafon subscription, etc. It issues and verifies cryptographic credentials (we will talk about this later on ) Performs fail-over recovery (in case of lost or damaged devices) It horizontally binds the online identities of a users Collects identity attributes from various IdPs upon user s request Enable users to control the level of privacy on their personal data For data usage, users consent is required SAINT Workshop, 20 March 2018 14

Device Centric Authentication - DCA Service Provider Identity Consolidator Identity Providers FIDO Asymmetric Cryptography OpenID Connect A second factor authentication is also required Fail-over recovery Behavioral Authentication Authorities Mobile Network Operator SAINT Workshop, 20 March 2018 15

Problem 3 : I want Anonymity But, OpenID Connect does not provide any anonymity!! I want to have access to an online bookstore that has a discount if I have the specific attributes or properties: I am over 22 I am a student I am EU citizen I want to ensure my anonymity controlling my privacy I do not want to reveal any additional personal information SAINT Workshop, 20 March 2018 16

Privacy Preserving Attribute-Based Access Control (P-ABAC) Privacy preserving Attribute-based Access Control - Anonymous Credentials Authentication with pseudonyms Account-less access through verified identity attributes Age, Location, Affiliation, etc. Reveal to services only the minimum identity information that is needed Two implementations Idemix by IBM U-Prove by Microsoft Advanced cryptography Zero knowledge, & blind signatures SAINT Workshop, 20 March 2018 17

How P-ABAC works? (I) User Service Provider SAINT Workshop, 20 March 2018 18

How P-ABAC works? (II) User Service Provider 1. John Doe 2. 12345678 1. What is your name? 2. What is your password? SAINT Workshop, 20 March 2018 19

How P-ABAC works? (III) User Service Provider 1. John Doe 2. 12345678 3. 6/7/1990 4. john.doe@uniroma2.it 5. Id Nr: AB12345CD 6.... 1. What is your name? 2. What is your password? 3. Are you over 22? 4. Are you a student? 5. Are you EU citizen? 6.... SAINT Workshop, 20 March 2018 20

How P-ABAC works? (IV) User Service Provider John Doe 12345678 1. 6/7/1990 2. john.doe@uniroma2.it 3. Id Nr: AB12345CD 4.... What is your name? What is your password? 1. Are you over 22? 2. Are you a student? 3. Are you EU citizen? 4.... SAINT Workshop, 20 March 2018 21

How P-ABAC works? (V) Identity Provider Service Provider User 1. Are you over 22? 2. Are you a student? 3. Are you EU citizen? 4.... 1. 6/7/1990 2. john.doe@uniroma2.it 3. Id Nr: AB12345CD 4.... 1. Over 22 2. Student @ Uniroma2 3. EU passport 4.... SAINT Workshop, 20 March 2018 22

ReCRED s Innovation Standardized and secure authentication using FIDO FIDO protocol implementation Multifactor & easy to use password-less authentication Both biometrics and behavioral authentication Security-by-design by employing the crypto functions and secure storage of TEE Implementation of secure world applications with C programming language Identity Consolidator as a trusted registry which offers Identity federation & management, user consent, as well as reliable failure recovery Privacy-by-design of online identities using anonymous credentials Idemix and U-Prove implementation Attribute-based Access Control policies SAINT Workshop, 20 March 2018 23

Business Cases Campus Wi-Fi and Campus-restricted Web Services SAINT Workshop, 20 March 2018 24

Reference Architecture SAINT Workshop, 20 March 2018 25

Google Trust API (Abacus) Multi-Modal Continuous Authentication System Captured attributes Typing patterns Browsing habits Location Face recognition Walking habits Speech recognition Touch dynamics Calculates trust score according to captured attributes SAINT Workshop, 20 March 2018 26

ReCRED vs Google Trust API Behavioral profiles are stored on BAA Extra layer of security Behavioral attributes are captured either by the user s device the BAA Account-wide lockdown Device-wide lockdown SAINT Workshop, 20 March 2018 27

Paypal s FIDO + OpenID integration Users authentication with FIDO UAF Extended OpenID Connect in order to Maintain an authentication token for persistent sign-in No need for re-authentication Purchases from multiple apps with one authentication Integrated with Lenovo, Samsung devices as of 2017 No source code released, just a 4-page documentation SAINT Workshop, 20 March 2018 28

ReCRED s pilots Pilot 1: Device-centric campus WiFi and web services access control Pilot 2: Student authentication and offers Pilot 3: Attributebased age verification online gateway Pilot 4: Financial services microloan origination Professor Professor Proof Professor Proof CUT WiFi area Pilot 1 Pilot 2 Student Discount Student Proof Pilot 3 Trusted Government Authority Financial Institution A Pilot 4 Student Proof Student Proof UC3M WiFi area Discounted Transaction 18+ Age Proof Financial Status Proof Student Student Proof Access Age Gateway Loan Origination Financial Institution B SAINT Workshop, 20 March 2018 29

Christos Xenakis Systems Security Laboratory Department of Digital Systems http://ssl.ds.unipi.gr/ http://cgi.di.uoa.gr/~xenakis/ email: xenakis@unipi.gr Thank you https://www.youtube.com/channel/uclvzn8b6g_ve3dxzv1sli0g https://www.facebook.com/recredh2020/ https://www.linkedin.com/groups/8470632 https://twitter.com/recred_h2020 SAINT Workshop, 20 March 2018 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback