Facilitating the Attribute Economy. David W Chadwick George Inman, Kristy Siu 2011 University of Kent

Similar documents
The Trusted Attribute Aggregation Service (TAAS)

Attribute Aggregation in Federated Identity Management. David Chadwick, George Inman, Stijn Lievens University of Kent

Multi-Factor Authentication (MFA) Interoperability Profile. Karen Herrington, Virginia Tech David Walker, Internet2 September 26, 2016

Extending Services with Federated Identity Management

Dissecting NIST Digital Identity Guidelines

Major SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Goal. TeraGrid. Challenges. Federated Login to TeraGrid

U.S. E-Authentication Interoperability Lab Engineer

Moving Digital Identity to the Cloud, a Fundamental Shift in rethinking the enterprise collaborative model.

SAML-Based SSO Solution

SOCIAL IDENTITIES IN HIGHER ED: WHY AND HOW WITH REAL-WORLD EXAMPLES

Canadian Access Federation: Trust Assertion Document (TAD)

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

Canadian Access Federation: Trust Assertion Document (TAD)

Interagency Advisory Board Meeting Agenda, August 25, 2009

The EGI AAI CheckIn Service

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti

Identity Assurance Onboarding

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

Morningstar ByAllAccounts SAML Connectivity Guide

Potentials and Areas of Application of the Windows CardSpace Technology

SWAMID Identity Assurance Level 2 Profile

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

Trusted Identities. Foundational to Cloud Services LILA KEE CHIEF PRODUCT OFFICER GLOBALSIGN

Canadian Access Federation: Trust Assertion Document (TAD)

SAML-Based SSO Solution

Web Security Model and Applications

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Digital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2

Technical Overview. Version March 2018 Author: Vittorio Bertola

Prof. Christos Xenakis

Prof. Christos Xenakis

Canadian Access Federation: Trust Assertion Document (TAD)

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES (POP)

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

Security analysis of OpenID, followed by a reference implementation of an npabased OpenID provider

InCommon Federation: Participant Operational Practices

Canadian Access Federation: Trust Assertion Document (TAD)

Your Auth is open! Oversharing with OpenAuth & SAML

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

Next Gen Security Technologies for Healthcare Authentication

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

National Strategy for Trusted Identities in Cyberspace

ArcGIS Server and Portal for ArcGIS An Introduction to Security

TRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model

Warm Up to Identity Protocol Soup

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

David Simonsen, Jacob-Steen Madsen, Mads Freek Petersen, Jacob Christiansen WAYF login 1

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Advanced Client Conor P. Cahill Systems Technology Lab Intel Corporation

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

Quick Start Guide for Drivers

Liferay Security Features Overview. How Liferay Approaches Security

System Administrator s Guide Login. Updated: May 2018 Version: 2.4

Trust Services for Electronic Transactions

SAML Single Sign On Integration

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

1. Federation Participant Information DRAFT

Canadian Access Federation: Trust Assertion Document (TAD)

AAI in EGI Current status

Federal Identity, Credentialing, and Access Management. OpenID 2.0 Profile. Version Release Candidate

[GSoC Proposal] Securing Airavata API

Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS)

Canadian Access Federation: Trust Assertion Document (TAD)

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

NETOP PORTAL ADFS & AZURE AD INTEGRATION

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

FileSpace An Alternative to CardSpace that supports Multiple Token Authorisation and Portability Between Devices

Canadian Access Federation: Trust Assertion Document (TAD)

FIDO & PSD2. Providing for a satisfactory customer journey. April, Copyright 2018 FIDO Alliance All Rights Reserved.

Network Security Essentials

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Network Security. Chapter 10. XML and Web Services. Part II: II: Securing Web Services Part III: Identity Federation

INDIGO AAI An overview and status update!

U-Prove Technology Overview

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Canadian Access Federation: Trust Assertion Document (TAD)

Information Sharing and User Privacy in the Third-party Identity Management Landscape

Canadian Access Federation: Trust Assertion Document (TAD)

South Hams Motor Club Our Privacy Policy. How do we collect information from you? What type of information is collected from you?

Managed Access Gateway. User Guide

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Oman Research & Education Network (OMREN)

Canadian Access Federation: Trust Assertion Document (TAD)

Transcription:

Facilitating the Attribute Economy David W Chadwick George Inman, Kristy Siu University of Kent 2011 University of Kent Internet 2 Fall 2011 Member Meeting 1

(Some) Attribute AuthzRequirements Attributes are personal information so need to be protected in line with Data Protection Legislation Users must have complete control and visibility over the release of their attributes to SPs, and must provide consent for them to be released by the IdPs SPs should inform users which attributes they need at the time authorisation is needed Users should be able to choose which of their attributes they wish to release from which of their IDPs, in order to fulfil the SP s policy Minimal disclosure should be observed so that only the attributes essential for the task in hand should be requested and consented to SPs should state which attributes are mandatory and which are optional for a protected resource at the time it is being accessed SPs should be able to alter their attribute requirements in a single session as the user moves between protected resources Different SPs require different levels of assurance for different attributes to access different resources Users should be able to submit self-asserted attributes as well as IdPasserted attributes, when the SP s policy allows this Users have multiple attributes from multiple IdPs, so should be able to aggregate attributes from multiple IdPs in a single session Users should be able to save their choices to speed up subsequent transactions The system should remove phishing attacks for a user s login credentials 2011 University of Kent Internet 2 Fall 2011 Member Meeting 2

Attribute Aggregation The process of obtaining attribute assertions from different attribute authorities, within a single session, to prove to the service provider that the service requestor is the rightful subject of all of the assertions The user should only need to authenticate once during the session (to either the service provider or one of the attribute authorities) and trust relationships should be sufficient for the other parties to confirm who the user is, otherwise it becomes very cumbersome to the user (as with Visa 3D secure!) 2011 University of Kent Internet 2 Fall 2011 Member Meeting 3

Level of Assurance Two aspects to this (from NIST 800-63-1) Registration procedure and Login process You can have strong one and weak the other E.g. Twitter has a RegLoA1 and Login LoA0 Google has RegLoAand Login LoAof 1 University of Kent has RegLoA4 and Login LoA2 Ideally both of these are needed by relying parties, if users are to switch authncredentials mid session 2011 University of Kent Internet 2 Fall 2011 Member Meeting 4

Our Proposal To add an attribute authorisation layer above the existing Shibboleth layer Purpose: to provide user attribute aggregation, selection and consent at multiple points during a session with a SP, as the user accesses different protected resource requiring different permissions (attributes and LoAs) 2011 University of Kent Internet 2 Fall 2011 Member Meeting 5

Attribute Aggregation Layer (TAAS, Idemix etc) IdP Aggregator IdP Client SP IdP Federated Layer (SAML, OpenID etc.) Client IdP SP Authentication Layer (UN-PW, PKI etc) Client Server Peer Peer Connectivity Layer (TCP-IP) 2011 University of Kent Internet 2 Fall 2011 Member Meeting 6

Technically Speaking The service provider should receive digitally signed attribute assertions from multiple attribute authorities which All belong to the same end user Only release the attributes the user consents to release Give assurance that the person at the other end of the Internet is this end user (and is not a dog) Without requiring the user to have to login to each of the attribute authorities We propose a Trusted Attribute Aggregation Service for this, which is under the control of the user 2011 University of Kent Internet 2 Fall 2011 Member Meeting 7

Live Demo of TAAS The live demo is publicly accessible and is available from here http://sec.cs.kent.ac.uk/demos Select demo 5, Trusted Attribute Aggregation Service There are 3 demos available: e-government, buying a car parking permit e-business, online shopping for books e-learning, downloading a peer-reviewed paper 2011 University of Kent Internet 2 Fall 2011 Member Meeting 8

Users are shown which attributes they have to provide User clicks on TAAS icon 2011 University of Kent Internet 2 Fall 2011 Member Meeting 9

User is asked to select his/her aggregation service Users can click on a bookmarked URL (e.g. stored on their own PC) Or enter a new URL (e.g. if in Internet café) 2011 University of Kent Internet 2 Fall 2011 Member Meeting 10

TAAS now asks user to select an IdPfor authn 2011 University of Kent Internet 2 Fall 2011 Member Meeting 11

TAAS filters user s available attribute types against SP s policy 2011 University of Kent Internet 2 Fall 2011 Member Meeting 12

Allowing user to select which values he/she wants to use 2011 University of Kent Internet 2 Fall 2011 Member Meeting 13

After completing selection, user submits to SP User can choose to save selection for next time If user selects this, the saved selection or submit without saving will always be used in future without showing this screen to the user again 2011 University of Kent Internet 2 Fall 2011 Member Meeting 14

SP confirms to the user all the actual aggregated attribute values it received from the IdPs 2011 University of Kent Internet 2 Fall 2011 Member Meeting 15

TAAS Discovery TAAS Protocol Flow Credit Card IdP 8. 9. 4. 6. 3. 8. Self Asserted 9. Idp Service Provider DWP IdP DVLA IdP 2011 University of Kent Internet 2 Fall 2011 Member Meeting 16

Summary of Usability Features Allows SP to display/set its policy for both the LoAand its mandatory and optional attributes, so users know what is required from them Allows user to select attributes from multiple IdPsas well as his own provided values (if SP s policy allows it) TAAS automatically filters SP s policy against user s attributes and does not show ones that don t match TAAS allows users to dynamically add new attributes and links to IDP attributes in the middle of a transaction Allows user to add his own attribute types and values Allows user mobility and use from Internet cafes TAAS will remember a user s choices so they don t have to Users never need to enter credit card numbers again 2011 University of Kent Internet 2 Fall 2011 Member Meeting 17

Summary of Security/Privacy Features Built on top of Shibboleth so inherits its security and privacy features Ensures users consent to each attribute release TAAS does not know who the user is It only gets PIDs from IDPs and user self asserted attributes (if any) TAAS never sees any IDP provided attribute values They are encrypted end to end from IDP to SP TAAS stops phishing attacks by evil SPs and evil emails Users provides their own URLs of their own TAASs TAAS stops all storage and theft of credit card numbers from SP sites Users never enter their credit card numbers. Card Issuer sends one time encrypted value to the SP for use in current transaction The SP receives digitally signed assertions from each IdP, each asserting different attributes for the same user (identified by a Random ID) Uses standard protocols throughout (SAMLv2, LA ID-WSF EPRs) Requires trust between various components Provides very similar functionality to U-Prove and Idemixtokens, but with today s technologies. 2011 University of Kent Internet 2 Fall 2011 Member Meeting 18

Trust Requirements SP must trust authenticating IDP to authenticate user correctly SP must trust IDPs for attributes they issue IDPs must trust authenticating IDP to authenticate user correctly SPs and IDPs must trust TAAS not to mix up user PIDs and to only release PIDs back to their issuing IDPs 2011 University of Kent Internet 2 Fall 2011 Member Meeting 19

Conclusions Leveraging Trust reduces the cost of doing business We introduce a Trusted Attribute Aggregation Service that facilitates trust between users, SPs and IDPs and allows attribute aggregation, user consent and user choice over which attributes to release The standardisation activities that are still required are The content of the SP s policy The profiles for use of SAMLv2, LA and HTTP/post protocols 2011 University of Kent Internet 2 Fall 2011 Member Meeting 20

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback