Federated Identity Management - PowerPoint PPT Presentation
Provided by: JimKurosea348
Slides: 20

Transcript and Presenter's Notes

1
Federated Identity Management
  • use of a common identity management scheme
  • across multiple enterprises and numerous
    applications
  • supporting many thousands, even millions of users
  • elements are
  • authentication, authorization, accounting,
    provisioning, workflow automation, delegated
    administration, password synchronization,
    self-service password reset

2
http://www.federation.org.au/
3
Identity Management with attributes
4
Federated ID Management in an enterprise
environment
  • Web service scenario

5
Communication Standards Used
  • Extensible Markup Language (XML)
  • characterizes text elements in a document on
    appearance, function, meaning, or context
  • Simple Object Access Protocol (SOAP)
  • for invoking code using XML over HTTP
  • WS-Security
  • set of SOAP extensions for implementing message
    integrity and confidentiality in Web services
  • Security Assertion Markup Language (SAML)
  • XML-based language for the exchange of security
    information between online business partners
  • Next we will talk about a simple and lightweight
    federated ID management solution, called

6
What is OpenID?
  • an identity system
  • a protocol
  • not a service or company
  • Motivation of OpenID: a lightweight
    authentication mechanism for online users (e.g.,
    bloggers, etc.)

An advocate of Identity 2.0: Dick Hardt
7
Design Goals
  • low barrier to entry
  • works with static HTML pages
  • no central server
  • understandable identity (a URL)
  • no new namespace
  • no public keys (key revocation, etc...)
  • no browser plugins
  • most simple protocol possible

8
What OpenID isn't...
  • a trust system
  • need identity before you can have trust
  • a solution for all identity problems
  • perfectly secure
  • DNS spoofing
  • man-in-the-middle

9
How's it work?
  • proves who you are
  • one-time assertions w/ digital signature
  • see openid.net for specs
  • not that you're a good person
  • spammers can/will/have setup OpenID servers
  • better than state of email today
  • Trust/reputation providers on their way
  • TrustRank
  • free
  • open libraries for most languages

10
Why URLs as identity?
  • usability
  • users don't understand public keys
  • users don't understand namespaces
  • users do understand URLs
  • 10 years of billboards and TV commercials
  • you can click them
  • tangible

11
Definitions in OpenID
  • Relying Party
  • RP. A Web application that wants proof that the
    end user controls an Identifier.
  • OpenID Provider or identity provider
  • OP. An OpenID Authentication server on which a
    Relying Party relies for an assertion that the
    end user controls an Identifier.
  • Identifier
  • An Identifier is a "http" or "https" URL
  • User-Supplied Identifier
  • An Identifier that was presented by the end user
    to the Relying Party, or selected by the user at
    the OpenID Provider.

12
OpenID Protocol Overview
  • The end user initiates authentication by
    presenting a User-Supplied Identifier to the
    Relying Party via their browser.
  • The user enters her URL
  • The Relying Party performs discovery on it and
    establishes the OP Endpoint URL that the end user
    uses for authentication.
  • Discovery is how the RP finds out who the
    user's identity provider is and what the URL of
    the provider is

13
OpenID cont'd
  • 3. (optional) The Relying Party and the OP
    establish a shared secret using
    Diffie-Hellman Key Exchange.
  • The OP uses the shared key to sign subsequent
    messages and the Relying Party to verify those
    messages

14
Diffie-Hellman key exchange with no public keys
  • The Relying Party specifies a modulus, p, and a
    generator, g.
  • The Relying Party chooses a random private key xa
    and OpenID Provider chooses a random private key
    xb, both in the range 1 .. p-1.
  • The shared secret is thus
  • g^(xa*xb) mod p = (g^xa)^xb mod p = (g^xb)^xa mod p.

15
Recall Diffie-Hellman Algorithm in a public key
setting
  • Compute a common, shared key
  • Based on discrete logarithm problem
  • Given integers n and g and prime number p,
    compute k such that n = g^k mod p
  • Solutions known for small p
  • Solutions computationally infeasible as p grows
    large
  • Constants: prime p, integer g ≠ 0, 1, p-1
  • Known to all participants
  • Alice chooses private key kAlice, computes public
    key KAlice = g^kAlice mod p
  • Bob does the same
  • To communicate with Bob, Alice computes Kshared =
    KBob^kAlice mod p
  • To communicate with Alice, Bob computes Kshared =
    KAlice^kBob mod p

16
  • What is the difference between the two
    Diffie-Hellman protocols?
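The two Diffie-Hellman variants on slides 14 and 15 side by side, as an added example that is not part of the original slides. `openid_association` follows slide 14: the RP picks p and g for this one association, both sides use throwaway exponents, and no long-lived public key is ever published. `Participant` follows slide 15: p and g are fixed constants known to everyone and each party publishes one long-lived public key. The group (a Mersenne prime, far too small for real use) and the SHA-256 derivation of the MAC key are assumptions for the example, not OpenID's specified values; `dh_identity_holds` checks the equality stated on slide 14.

```python
import hashlib
import secrets

# Constructed toy group for the example: 2**127 - 1 is a (Mersenne) prime, but it
# is far too small for real use and is NOT the modulus OpenID specifies.
P = 2**127 - 1
G = 3


def dh_keypair(p, g):
    """Random private exponent in 1 .. p-1 (as on slide 14) and its public value."""
    private = secrets.randbelow(p - 1) + 1
    return private, pow(g, private, p)


def dh_shared(peer_public, private, p):
    """(g^xb)^xa mod p, which equals g^(xa*xb) mod p."""
    return pow(peer_public, private, p)


def dh_identity_holds(p, g, xa, xb):
    """Slide 14: g^(xa*xb) mod p == (g^xa)^xb mod p == (g^xb)^xa mod p."""
    direct = pow(g, xa * xb, p)
    via_a_then_b = pow(pow(g, xa, p), xb, p)
    via_b_then_a = pow(pow(g, xb, p), xa, p)
    return direct == via_a_then_b == via_b_then_a


def openid_association(p, g):
    """Slide 14 flavour: the RP chooses p and g for this association, both sides
    use one-off exponents, and nothing is kept as a long-lived public key."""
    rp_priv, rp_pub = dh_keypair(p, g)   # RP -> OP: p, g, rp_pub
    op_priv, op_pub = dh_keypair(p, g)   # OP -> RP: op_pub
    rp_secret = dh_shared(op_pub, rp_priv, p)
    op_secret = dh_shared(rp_pub, op_priv, p)
    # Assumption: MAC key = SHA-256 of the big-endian secret. OpenID also hashes
    # the DH secret before using it; the exact encoding is simplified here.
    n = (p.bit_length() + 7) // 8
    mac_key = hashlib.sha256(rp_secret.to_bytes(n, "big")).digest()
    return {"rp_secret": rp_secret, "op_secret": op_secret, "mac_key": mac_key}


class Participant:
    """Slide 15 flavour: p and g are fixed constants known to all participants;
    each party has one long-lived private key and publishes its public key once."""

    def __init__(self, name, p=P, g=G):
        self.name, self.p = name, p
        self.private, self.public = dh_keypair(p, g)

    def shared_with(self, peer_public):
        return dh_shared(peer_public, self.private, self.p)


def demo():
    """Run both variants once and report whether each pair agrees on the secret."""
    assoc = openid_association(P, G)
    alice, bob = Participant("Alice"), Participant("Bob")
    return {
        "association_agrees": assoc["rp_secret"] == assoc["op_secret"],
        "mac_key_len": len(assoc["mac_key"]),
        "alice_bob_agree": alice.shared_with(bob.public) == bob.shared_with(alice.public),
    }


if __name__ == "__main__":
    print(demo())
```

Note what the code makes visible: in the association variant the only long-term state is the derived MAC key, so there is nothing to revoke (slide 7's "no public keys"), whereas in the slide 15 setting a published public key must be bound to its owner by some other means, which is the trust question slide 8 sets aside.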

17
OpenID cont'd
  • The Relying Party redirects the end user's
    browser to the OP with an OpenID authentication
    request.
  • RP asks OP: does this user belong to you?
  • The OP establishes whether the end user is
    authorized to perform OpenID Authentication.
  • User authenticates herself to OP
  • 6. The OP redirects the end user's browser back
    to the Relying Party with either an assertion
    that the authentication is approved or failed
  • 7. The Relying Party verifies the information
    received from the OP including checking the
    Return URL, verifying the discovered information,
    checking the nonce, and verifying the signature
    by using either the shared key established during
    the association

18
Security analysis
  • Adversary's goal(s)
  • Replay attacks: eavesdropping and reusing
    assertions
  • Nonce
  • Man-in-the-middle attacks, DNS related attacks
    (DNS cache poisoning, etc.)
  • OP should use an SSL certificate
  • Denial-of-service attacks
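The RP-side checks of step 7 (slide 17) together with the nonce defence against replay (slide 18), as an added example that is not part of the original slides. `op_make_assertion` builds a positive assertion the way an OP would, and `RelyingPartyVerifier.verify` checks the return URL, the discovered OP endpoint, the signature over the fields named in `openid.signed` (HMAC with the association's MAC key, in the key-value form OpenID signs), and finally the nonce's freshness and single use. The URLs, the association handle, the MAC key and the 300-second window are constructed for the example; the exact field set OpenID requires to be signed is simplified.

```python
import base64
import calendar
import hashlib
import hmac
import secrets
import time

# Constructed association state, as the RP would hold after the DH association
# (slide 13). In practice one MAC key per association handle.
ASSOC_HANDLE = "assoc-constructed-1"
MAC_KEY = hashlib.sha256(b"constructed shared secret for the example").digest()

EXPECTED_RETURN_TO = "https://rp.example/openid/return"   # hypothetical RP URL
DISCOVERED_OP_ENDPOINT = "https://op.example/server"       # hypothetical OP endpoint
NONCE_WINDOW_SECONDS = 300                                 # assumed freshness window


def kv_form(fields, signed):
    """Key-value form of the signed fields: 'key:value\\n' per field, names
    without the 'openid.' prefix, in the order listed in openid.signed."""
    return "".join(f"{k}:{fields.get('openid.' + k, '')}\n" for k in signed).encode()


def sign(fields, signed, mac_key):
    """HMAC-SHA256 over the key-value form, base64 encoded."""
    return base64.b64encode(hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()).decode()


def op_make_assertion(claimed_id, return_to, mac_key, now):
    """Positive assertion the OP sends back through the browser (slide 17, step 6)."""
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    fields = {
        "openid.mode": "id_res",
        "openid.op_endpoint": DISCOVERED_OP_ENDPOINT,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": ts + secrets.token_urlsafe(8),   # timestamp + random tail
        "openid.assoc_handle": ASSOC_HANDLE,
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = sign(fields, signed, mac_key)
    return fields


class RelyingPartyVerifier:
    def __init__(self, mac_keys, expected_return_to, op_endpoint):
        self.mac_keys = mac_keys                  # assoc_handle -> MAC key
        self.expected_return_to = expected_return_to
        self.op_endpoint = op_endpoint
        self.seen_nonces = set()                  # replay cache (slide 18)

    def verify(self, fields, now):
        """Return (ok, reason). Order matters: the signature is checked before the
        nonce is recorded, so unsigned garbage cannot fill the replay cache."""
        if fields.get("openid.mode") != "id_res":
            return False, "authentication not approved"
        if fields.get("openid.return_to") != self.expected_return_to:
            return False, "return_to mismatch"
        if fields.get("openid.op_endpoint") != self.op_endpoint:
            return False, "op_endpoint does not match discovery"
        mac_key = self.mac_keys.get(fields.get("openid.assoc_handle"))
        if mac_key is None:
            return False, "unknown association handle"
        signed = fields.get("openid.signed", "").split(",")
        for required in ("return_to", "response_nonce", "assoc_handle", "claimed_id"):
            if required not in signed:
                return False, f"{required} not covered by signature"
        expected = sign(fields, signed, mac_key)
        if not hmac.compare_digest(expected, fields.get("openid.sig", "")):
            return False, "bad signature"
        nonce = fields["openid.response_nonce"]
        try:
            ts = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
        except ValueError:
            return False, "malformed nonce"
        if abs(now - ts) > NONCE_WINDOW_SECONDS:
            return False, "nonce outside freshness window"
        if nonce in self.seen_nonces:
            return False, "nonce already used"
        self.seen_nonces.add(nonce)
        return True, "ok"
```

The replay cache only needs to remember nonces for the freshness window, because anything older is rejected by the timestamp check regardless; that bound is what keeps the cache from being a denial-of-service target in its own right.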

19
Slides credits
  • Danfeng Yao
  • William Stallings and Lawrie Brown
  • Brad Fitzpatrick