Identity Systems
Jim Fenton
© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public Fenton 091120
“Defining identity is like nailing Jell-O® to the wall.”
– Source Uncertain
Flickr photo by stevendepolo
Terminology
Subject: the person (usually) whose identity is involved. Sometimes called the User.
Relying Party: the entity the Subject is interacting with. Sometimes called the Service Provider.
Attribute: a piece of information about the Subject. Sometimes called a Claim.
A Basic Identity System
[Diagram, built up over three slides: an Identity Provider and the entities Government, Commerce and Social Media. Labelled flows: Authentication Request; User Authentication; User Credentials; Authorize Info Release; Attribute Request/Response.]
Elements of Identity Management
Authentication: establish who the Subject is.
Credential Management: prove to Relying Parties who the Subject is.
Attribute Management: provide information about the Subject.
User Trust
User trust in their Identity Provider is fundamental.
Not all users trust any one entity; they are most likely to trust entities they do business with and strong, trusted brands. Different entities are trusted in different cultures.
An ecosystem of identity providers is required: users need to choose their own identity provider, and the ability to migrate to a different provider if required needs to be considered.
Authentication
Flickr photo by shannonpatrick17
Authentication Methods
Methods useful for user authentication are situation-specific, depending on:
the type of endpoint being used;
the required authentication strength (transaction value, etc.).
Problem: many existing identity systems are bound tightly to specific authentication methods.
Authentication Strength
Authentication strength should depend on transaction value: an iTunes purchase (99 cents) vs. a vehicle purchase.
NIST Special Pub 800-63 defines 4 levels:
Level 1: Minimal challenge/response
Level 2: Single-factor identity proofing
Level 3: Multi-factor identity proofing
Level 4: Hardened multi-factor
The Relying Party specifies the required strength to the identity management system.
Authentication Endpoint Diversity
The Web is pervasive, but not everything is a browser. Examples: vending machines, set-top boxes, doors (physical security).
Modular approaches to authentication are needed to cover a wide range of use cases.
Security Opportunities
Users that authenticate frequently at a given service are more likely to detect anomalies; for example, they are more likely to be suspicious about the lack of a certificate. Browsers can be configured to specially flag “chosen” identity providers.
Identity providers can detect anomalous user behavior, similar to the detection of fraudulent credit card transactions. The business/policy framework should encourage this.
Credential Management
Imagery supplied by Photodisc/Getty Images
Credential Management: Functions
Act as a “key cabinet” for the user: each Relying Party has its own credentials.
Support Directed Identity: prevent undesired release of correlation handles; identifiers given to Relying Parties are opaque by default.
Enforce secure use of credentials: require use of a secure channel (e.g., SSL).
Directed Identity
It should not necessarily be possible for different Relying Parties to correlate identifiers
Examples: an insurance company vs. a supermarket account; pseudonymous identifiers for tip hotlines.
Users may still choose to link relying parties’ identifiers
Attributes may also provide correlation handles
Credential manager can be subpoenaed if appropriate
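As an added illustration, not taken from the slides, here is a toy credential manager in Python that derives a separate opaque identifier for each Relying Party from a per-subject secret, so an insurance company and a supermarket cannot correlate their accounts unless the subject chooses to link them. The HMAC-based derivation, class and RP names are assumptions for the example, not any particular product's design.

```python
import hashlib
import hmac
import secrets


class CredentialManager:
    """Toy credential manager (constructed example) implementing directed identity:
    every Relying Party gets its own opaque handle for a subject, and handles are
    unrelated across RPs unless the subject explicitly links them."""

    def __init__(self):
        self._subject_keys = {}   # subject -> random secret; never leaves the manager
        self._links = {}          # subject -> list of RP groups the subject chose to link

    def enrol(self, subject):
        # A fresh random key per subject: handles derive from it, not from the name,
        # so an RP cannot recover the subject or guess another RP's handle.
        self._subject_keys[subject] = secrets.token_bytes(32)

    def link(self, subject, *relying_parties):
        """The subject opts in to let these RPs share a single identifier."""
        self._links.setdefault(subject, []).append(frozenset(relying_parties))

    def identifier_for(self, subject, relying_party):
        """Opaque handle = HMAC-SHA256(subject key, label). The label is the RP name,
        or the sorted member list of a link group the subject put this RP into
        (so linking changes the handle the RP sees)."""
        label = relying_party
        for group in self._links.get(subject, []):
            if relying_party in group:
                label = "linked:" + ",".join(sorted(group))
                break
        key = self._subject_keys[subject]
        return hmac.new(key, label.encode(), hashlib.sha256).hexdigest()[:32]


def can_correlate(handle_a, handle_b):
    """All two RPs can learn by comparing the handles they hold."""
    return hmac.compare_digest(handle_a, handle_b)


if __name__ == "__main__":
    cm = CredentialManager()
    cm.enrol("alice")
    insurance = cm.identifier_for("alice", "insurance.example")
    shop = cm.identifier_for("alice", "supermarket.example")
    print("correlatable before linking:", can_correlate(insurance, shop))   # False
    cm.link("alice", "insurance.example", "supermarket.example")
    print("correlatable after linking:", can_correlate(
        cm.identifier_for("alice", "insurance.example"),
        cm.identifier_for("alice", "supermarket.example")))                # True
```

Note that attributes released alongside the handle (the slide's "correlation handles") can still link accounts; opaque identifiers only close the identifier channel.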
Security and Availability Issues
Security: the credential store is a very high-value target. Credentials can be distributed to diffuse attacks; high-level physical security is also required.
Availability: failure of an Identity Manager may have severe impact on its Subjects. A solvable problem, but one that needs to be addressed.
Attribute Management
Distributed Attributes
Self-asserted attributes have limited utility
Authoritative sources for different attributes come from different places
FICO scores from a credit bureau; driving record from the state Motor Vehicle Department; proof of employment from the employer.
Identity system has a role in locating trustable sources of attributes
Attributes delivered as signed assertions
Attribute Distribution: Example
[Diagram, built up over four slides, with the parties Identity Provider, Healthcare Provider, Motor Vehicle Department and Wine Merchant. Steps as labelled: (1) “Is subject 21?” Request; Authorization Request. (2) Trust Negotiation; Release Authorization. (3) “Is subject 21?” Request. (4) “Subject is 21 or over” – DMV.]
Attribute Trust
Federation: prearranged trust relationships, e.g. personnel security clearances among Federal agencies, business partners.
Accreditation: indirect federation, e.g. financial institutions, schools. Scales much better than direct federation.
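An added, constructed Python example (not from the slides) of the distributed-attribute flow above and the accreditation model: the Motor Vehicle Department, as an attribute provider, answers the Wine Merchant's “Is subject 21?” question with a signed minimal assertion rather than a birth date, and the merchant accepts it only from issuers on its accreditation list. Party names, keys, the assertion format and the use of HMAC-SHA256 as a stand-in for a digital signature are all assumptions of the example.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed sample key and accreditation list (not real data). In practice the
# DMV would sign with a private key and the merchant verify with its public key.
DMV_KEY = b"constructed-dmv-signing-key"
TRUSTED_BY_WINE_MERCHANT = {"dmv.example": DMV_KEY}


def is_21_or_over(date_of_birth, today):
    """The DMV's own computation; only the yes/no result leaves the DMV."""
    years = today.year - date_of_birth.year
    if (today.month, today.day) < (date_of_birth.month, date_of_birth.day):
        years -= 1
    return years >= 21


def issue_assertion(issuer, issuer_key, subject_handle, claim, value, now, ttl=300):
    """Attribute provider emits a signed minimal claim about the subject's opaque handle.
    `now`/`exp` are Unix-style integer timestamps; HMAC stands in for a signature."""
    body = {"iss": issuer, "sub": subject_handle, "claim": claim, "value": value,
            "iat": now, "exp": now + ttl}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(issuer_key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": tag}


def verify_assertion(assertion, trusted_issuers, expected_subject, expected_claim, now):
    """Relying-party check: issuer is accredited, signature verifies, the assertion is
    about this subject and claim, and it is fresh. Returns (ok, value_or_reason)."""
    body = json.loads(assertion["payload"])
    key = trusted_issuers.get(body.get("iss"))
    if key is None:
        return False, "issuer not accredited"
    expected_tag = hmac.new(key, assertion["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, assertion["sig"]):
        return False, "signature invalid"
    if body["sub"] != expected_subject or body["claim"] != expected_claim:
        return False, "assertion is about another subject or claim"
    if not body["iat"] <= now < body["exp"]:
        return False, "assertion expired or not yet valid"
    return True, body["value"]


if __name__ == "__main__":
    over_21 = is_21_or_over(date(1990, 6, 15), date(2011, 6, 15))      # DMV side
    a = issue_assertion("dmv.example", DMV_KEY, "handle-abc", "over_21", over_21, 1000)
    print(verify_assertion(a, TRUSTED_BY_WINE_MERCHANT, "handle-abc", "over_21", 1100))
```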
Identity Provider Trust
Identity Provider has a fiduciary responsibility
To the Subject: Must use credentials only for the proper Subject
To Relying Parties: Must associate attribute requests and responses reliably
Identity Provider may coincidentally function as an Attribute Provider
Functions should be considered separate to maintain privacy
Summary
Observations
Scaling is critical: technical (protocol) aspects of scaling are a solved problem; scaling of trust relationships is the real limitation.
Chosen technologies need to consider a very wide range of use cases
An ecosystem of identity and attribute providers is needed
Business models are needed for these functions. Public policy should encourage constructive behavior and help these entities manage liability exposure.