
Federated Identity

presented by
Patrick Burke and Christian Loza

   The Internet has changed the way we do business forever.
   In cyberspace our identity has changed too, and a digital identity has emerged.
   Identity can be defined as a set of characteristics that uniquely identifies us (or a digital entity) [1].

        Identity: the set of characteristics that identifies a given entity.
        Identification: recognizing someone as a specific individual.
        Authentication: the process of verifying that a claimed identification is valid.
        Authorization: the set of resources granted to a given entity, based on its identity.

   In the physical world, users can be identified by physical characteristics, such as hair color, height, skin color, etc.
   On the Internet, users are identified by sets of information, such as SSN, name, credit card number, address, phone number, etc.

   Most services have moved to the Internet
        Electronic Commerce
        Electronic Government
        Electronic Learning
        Electronic Marketing
        Electronic Publishing

   To interact on the Internet with these service providers, people use their digital identity.

   One of the drawbacks of human-centric electronic interactions is the fuzziness of the image of the other party over the network.


   Ensuring security and privacy in a distributed communication system such as the Internet is
   Crimes related to identity theft have become a major threat to the growth of commerce over the Internet.

   Identity-related misuse and concerns [2]
        Identity theft: someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception [3].
        Malicious change of information: someone wrongfully changes another person's personal information, or their own, to do harm or self
        Secondary use: somebody impersonates someone else for personal benefit.
        And the list keeps growing

Some facts

   Below are some institutions and people believed to be victims of identity theft.
         Bill Gates
         CIA, NASA, Justice Department
         Wells Fargo
         Bank of America
         Ebay
         UNT?
Problem Definition

   Identity has brought more complexity to the business model
   Any person may now be using multiple identities to access multiple service providers on the Internet
   Multiple identities also mean redundant costs and increasing problems
   One of the technologies that has emerged to solve the increasing complexity of identity management across multiple organizations is Federated Identity
   Federated Identity is a digital credential analogous to a country's passport [4]
   Trust negotiation model: the gradual exchange of credentials between two entities, with the goal of establishing trust and finally exchanging resources
   Our task is to review proposals for designs of an efficient scheme for such a federation
   Different sets of information from the identity may be needed by different organizations

   Left diagram on the slide: organizations A, B and C each hold the full set of attributes:

   A               B                 C
   Name            Name              Name
   Address         Address           Address
   Phone Number    Phone Number      Phone Number
   PO Box          PO Box            PO Box
   SSN             SSN               SSN
                   Credit Card       Credit Card
                   Billing Address   Passport

   Right diagram: each organization holds only the attributes it needs:

   A               B                 C
   Name            Credit Card       Passport Number
   Address         Billing Address
   Phone Number
   PO Box
Credentials negotiation

   Disclosure policies
        Combinations of credentials are required for the disclosure of sensitive information
        Negotiation between user and service providers, and among service providers.
   KEY CONCEPTS for scalability of Federated Identity
        Has to work with the browser as the client side
        Centralized approach
        Identity- or capability-based credentials
Privilege management

   Both Federated Identity and Privilege Management are cornerstones of a management framework
   A mechanism for Federated Identity and Privilege Management should satisfy at least eight requirements:
1.   SSO (Single Sign-On)
        Persistence of the user identity across enterprise domains, allowing users to carry their authorizations across multiple points of policy enforcement
2.   Effective access control
        Access control should be fine grained, so that it can follow dynamically evolving enterprise resources.
3.   Decentralized model
        The system should not rely on a centralized access point; instead, it should be distributed
4.   Authentication for strangers
        In the new distributed Internet environment there is no longer any advance knowledge of identities or capabilities.
5.   Trust, Anonymity and Privacy
        Privacy protection is becoming an increasing concern, from both the social and the legal perspective.
        It is a compromise, since avoiding name binding complicates trust establishment.
6.   Standardized approach
        The solution should be able to integrate with other systems, using existing accepted standards.
7.   Browser based
        Nobody wants to install client-side applications
8.   Technology issues
        Cookies and JavaScript are being used. They have proved to be a security problem, but they are still better than the other options
Ideal Scheme

   Message flow of the ideal scheme (the diagram's step labels, in order):

1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login
6. Redirect with tickets in header
7. Request page
8. Set ticket
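The eight steps above, run end to end as an added example (not code from the slides): an unauthenticated page request is redirected to the identity provider, the user logs in, the identity provider redirects back with a ticket in a header, and the service provider verifies the ticket before serving the page and keeping the ticket for later requests. The ticket format (HMAC-SHA256 over base64url JSON claims), the X-Ticket header, the class names and the user store are assumptions made for this example; the checks on audience and expiry show why a ticket minted for one provider must not be accepted by another.

```python
"""Toy model of the ideal SSO scheme: a service provider (SP) redirects an
unauthenticated browser to an identity provider (IdP); after login the IdP
redirects back with a ticket in a header; the SP verifies it and serves the page.
Added example, not from the slides. Class/function names, the header name
X-Ticket and the claim layout are assumptions for this example."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse


def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_ticket(key: bytes, subject: str, audience: str, ttl: int = 300, now=None) -> str:
    """Ticket = base64url(claims) + '.' + base64url(HMAC-SHA256 over the claims)."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "aud": audience, "iat": int(now), "exp": int(now) + ttl}
    body = b64u(json.dumps(claims, sort_keys=True).encode())
    sig = b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_ticket(key: bytes, ticket: str, audience: str, now=None):
    """Return the subject if signature, audience and expiry check out, else None."""
    now = time.time() if now is None else now
    parts = ticket.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):       # constant-time compare
        return None
    claims = json.loads(b64u_dec(body))
    if claims.get("aud") != audience or claims.get("exp", 0) < now:
        return None                                   # minted for another SP, or stale
    return claims["sub"]


class IdentityProvider:
    def __init__(self, sp_keys: dict, users: dict):
        self.sp_keys = sp_keys   # one secret per SP, provisioned out of band
        self.users = users       # constructed user store: username -> password

    def login(self, sp_id: str, return_to: str, username: str, password: str) -> dict:
        # steps 4-5: credentials requested and the user logs in
        if self.users.get(username) != password or sp_id not in self.sp_keys:
            return {"status": 401}
        # step 6: redirect back to the SP with the ticket in a header
        ticket = make_ticket(self.sp_keys[sp_id], username, sp_id)
        return {"status": 302, "location": return_to, "headers": {"X-Ticket": ticket}}


class ServiceProvider:
    def __init__(self, sp_id: str, key: bytes, idp_url: str):
        self.sp_id, self.key, self.idp_url = sp_id, key, idp_url

    def request_page(self, path: str, ticket: str = None) -> dict:
        # steps 1-3: no ticket -> automatic redirect to the IdP
        if ticket is None:
            query = urlencode({"sp": self.sp_id, "return_to": path})
            return {"status": 302, "location": f"{self.idp_url}?{query}"}
        subject = verify_ticket(self.key, ticket, self.sp_id)
        if subject is None:
            return {"status": 403}
        # steps 7-8: page requested with the ticket, ticket kept for later requests
        return {"status": 200, "body": f"page {path} for {subject}", "set_ticket": ticket}


def sso_walkthrough():
    """Run the eight steps end to end and return the SP's two responses."""
    sp_key = b"shared-secret-for-shop"                # constructed out-of-band secret
    idp = IdentityProvider({"shop": sp_key}, {"alice": "correct horse"})
    sp = ServiceProvider("shop", sp_key, "https://idp.example/login")
    first = sp.request_page("/orders")                # steps 1-3
    q = parse_qs(urlparse(first["location"]).query)
    back = idp.login(q["sp"][0], q["return_to"][0], "alice", "correct horse")  # steps 4-6
    second = sp.request_page(back["location"], back["headers"]["X-Ticket"])    # steps 7-8
    return first["status"], second["status"], second["body"]


if __name__ == "__main__":
    print(sso_walkthrough())
```

In a real deployment the ticket would travel in a cookie or a signed assertion rather than a custom header, and the IdP would also bind the return_to value to a registered SP URL so that the redirect cannot be pointed at an attacker's site.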
   MSN Passport
        Developed by Microsoft
   Kerberos
        Developed by MIT
   X.509
        Network Working Group
        Certificate Management Protocol
   RBAC
        Research proposal
MSN Passport

   Message flow (the diagram's step labels, in order):

1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login & passport
6. Redirect with tokens in header
7. Request page
8. Set cookie
   Centralized model
   Credentials and no tickets
   Used to authenticate users of Hotmail and MSN Messenger. Other users include Zurich,
   The biggest Federated Identity system is Passport, from Microsoft
   Processes 3.5 billion authentications each month
   Uses XML as the core
   Uses SSL
   Passport requires Triple DES keys shared with each organization.
   The keys must be generated securely and given to the merchants out of band.
   Some keys were broken because of the poor randomness of the generated keys
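What "poor randomness" costs, as an added example that is not from the slides and does not reproduce Passport's actual key generator: a key that is derived from a predictable seed (here, the issue timestamp at one-second granularity) has only as many possible values as there are seconds in the window the attacker can bound, so one observed message and its authentication tag are enough to recover the merchant key by enumeration. The slides say the shared keys were Triple DES; this example keys HMAC-SHA256 with 24 bytes of key material instead so it runs on the standard library, and the weak generator, the message and the timestamps are constructed.

```python
"""Why key randomness matters for out-of-band shared keys. Added example, not
from the slides. The slides say Passport used Triple DES keys; this stand-in
uses HMAC-SHA256 on the key material so it runs on the standard library, and
the timestamp seeding is a constructed weak generator, not Passport's."""
import hashlib
import hmac
import math
import random
import secrets

KEY_LEN = 24   # 3 x 8 bytes, the size of Triple DES key material


def weak_key(issue_time: int) -> bytes:
    """BAD: the only entropy is the issue timestamp (1-second granularity)."""
    rng = random.Random(issue_time)            # deterministic PRNG seeded from time
    return bytes(rng.getrandbits(8) for _ in range(KEY_LEN))


def strong_key() -> bytes:
    """GOOD: 192 bits from the OS CSPRNG; there is no enumerable seed space."""
    return secrets.token_bytes(KEY_LEN)


def tag(key: bytes, message: bytes) -> bytes:
    """Stand-in for the merchant-side token protection keyed with the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def seed_space_bits(window_seconds: int) -> float:
    """Effective strength of weak_key() once the attacker can bound the issue time."""
    return math.log2(window_seconds)


def recover_weak_key(message: bytes, observed_tag: bytes, window_start: int, window_seconds: int):
    """Attacker: try every seed in the window until one reproduces a tag seen on the wire."""
    for t in range(window_start, window_start + window_seconds):
        candidate = weak_key(t)
        if hmac.compare_digest(tag(candidate, message), observed_tag):
            return t, candidate
    return None


def demo() -> bool:
    """Key issued at an unknown second of a known six-hour window; attacker recovers it."""
    window_start = 1_088_640_000                     # constructed: 2004-07-01 00:00 UTC
    issue_time = window_start + 12_345
    message = b"passport-token:alice@example.com"     # constructed
    merchant_key = weak_key(issue_time)
    observed = tag(merchant_key, message)             # attacker sees one (message, tag) pair
    return recover_weak_key(message, observed, window_start, 6 * 3600) == (issue_time, merchant_key)


if __name__ == "__main__":
    print("weak key recovered:", demo())
    print("seed space bits:", round(seed_space_bits(6 * 3600), 1), "vs 192 for strong_key()")
```

The check a practitioner wants when a partner hands over a key out of band is therefore not just "is it 24 bytes" but "how was it generated": a key from `secrets.token_bytes` (or the platform CSPRNG) cannot be searched this way, whereas any generator seeded from time, a counter or a process id can.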
MSN Passport - Problems

   Centralized point of attack, against the distributed nature of the Internet. Vulnerable to DoS attacks
   Due to the cookie architecture, a service can impersonate MSN Passport and delete all the cookies on the clients (usable for DoS attacks).
   JavaScript and cookie technologies have proved to be insecure.
   Bugs have a great impact
        MSN found problems many times, bringing down all the services that depend on Passport
        One example was a failure in the password-resetting mechanism
Kerberos

   Message flow (the diagram's step labels, in order):

1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login
6. Redirect with tokens in header
7. Request page
8. Set ticket
   Developed by MIT's Project Athena
   Allows mutual authentication and secure communication over the network
   Uses symmetric-key encryption and authentication credentials
   Authentication credentials are based on identity and are suited to access control lists.
   The main problems for identity management are centralization and name binding.
Kerberos - Problems

   Kerberos is identity based, which causes problems for scalability. Key concept: avoid
   Suitable for access roles. Nevertheless, symmetric keys are not suited for federations and distributed identity management
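The symmetric-key, identity-bound design the two Kerberos slides describe, as an added example (not the slides' material and not MIT's implementation): a KDC that holds a long-term key for every principal by name, a ticket sealed under the service's key, an authenticator sealed under the session key, and a reply that gives mutual authentication. Kerberos' AS and TGS exchanges are collapsed into one KDC step, the cipher is a stand-in (HMAC-SHA256 keystream plus HMAC tag, not a Kerberos enctype), and the class and field names are assumptions. The example also shows the two properties the slides criticize: a stranger with no key at the KDC cannot be authenticated at all, and every party must trust the one central KDC.

```python
"""Toy Kerberos-style exchange (AS/TGS collapsed into one KDC step): every
principal shares a long-term symmetric key with the KDC, the ticket is sealed
under the service's key, the client proves itself with an authenticator under
the session key, and the service answers to give mutual authentication.
Added example, not from the slides or MIT's code. The cipher below is a
stand-in (HMAC-SHA256 keystream plus HMAC tag) for Kerberos enctypes;
class/field names are assumptions for this example."""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC of a JSON object: nonce || ciphertext || tag."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, cipher, mac = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + cipher, hashlib.sha256).digest(), mac):
        raise ValueError("bad MAC: wrong key or tampered")
    return json.loads(bytes(a ^ b for a, b in zip(cipher, _keystream(key, nonce, len(cipher)))))


class KDC:
    """Knows a long-term key for every principal by name: the centralization
    and name binding the slides point out."""
    def __init__(self, keys: dict):
        self.keys = keys

    def issue(self, client: str, service: str, now: int, lifetime: int = 300) -> bytes:
        if client not in self.keys or service not in self.keys:
            raise KeyError("unknown principal")      # strangers cannot be authenticated
        session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": client, "session": session, "exp": now + lifetime})
        return seal(self.keys[client], {"service": service, "session": session, "ticket": ticket.hex()})


class Client:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def prepare_request(self, kdc: KDC, service: str, now: int):
        reply = unseal(self.key, kdc.issue(self.name, service, now))
        session = bytes.fromhex(reply["session"])
        authenticator = seal(session, {"client": self.name, "ts": now})
        return bytes.fromhex(reply["ticket"]), authenticator, session


class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, set()

    def accept(self, ticket: bytes, authenticator: bytes, now: int, skew: int = 60) -> bytes:
        t = unseal(self.key, ticket)                 # only the service key opens the ticket
        if t["exp"] < now:
            raise ValueError("ticket expired")
        session = bytes.fromhex(t["session"])
        a = unseal(session, authenticator)           # proves the client holds the session key
        if a["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        if abs(a["ts"] - now) > skew:
            raise ValueError("clock skew too large")
        if (a["client"], a["ts"]) in self.seen:
            raise ValueError("replay")
        self.seen.add((a["client"], a["ts"]))
        return seal(session, {"ts": a["ts"] + 1})   # mutual authentication: AP_REP


def demo(now: int = 1_000_000):
    keys = {"alice": os.urandom(32), "fileserver": os.urandom(32)}   # constructed principals
    kdc, alice, fs = KDC(keys), Client("alice", keys["alice"]), Service("fileserver", keys["fileserver"])
    ticket, auth, session = alice.prepare_request(kdc, "fileserver", now)
    ap_rep = unseal(session, fs.accept(ticket, auth, now))
    try:
        fs.accept(ticket, auth, now + 1)            # same authenticator presented again
        replay = "accepted"
    except ValueError as err:
        replay = str(err)
    return ap_rep["ts"] == now + 1, replay


if __name__ == "__main__":
    print(demo())
```

The replay cache and clock-skew check are what make the authenticator safe to send over an untrusted network; a federation across organizations would need every partner's KDC to share keys pairwise (cross-realm), which is the scaling problem the slide is pointing at.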
X.509

   Message flow (the diagram's step labels, in order):

1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login
6. Redirect with tokens in header
7. Request page with access privileges
8. Set privileges
   X.509 is a certificate scheme for
   Based on Public Key Infrastructure (PKI)
   The access control credential is called an Attribute Certificate
   Asymmetric authentication
   Integrated approach to authentication and authorization
X.509 Problems

   Integrated approach to authentication and authorization, which is not good in all contexts.
   This is because not all the system-specific capabilities may be known in advance.
   Access control credentials are not sufficient to meet effective access control requirements.
   Key concept: not scalable
Role-Based Access Control (RBAC)

   Current enterprise solutions employ a combination of physical security, passwords and Role-Based Access Control to ensure the identity of a user
   Physical security and passwords protect the system from intrusion.
   Role-Based Access Control limits access to documents and data on a "need to know" basis
   Access rules are established with sets of access pairs which associate users with their corresponding permissions:
            (user, permissions)

   While RBAC is supported by many specific application packages (Oracle and Sybase, for example), the method will be described with a brief look at XML
XML Public Protocols

   SAML (Security Assertion Markup Language)
        XML based
        Avoids the limitations of cookies
        SSO interoperability: different implementations can be compatible
        Web services: suited to work in the browser
        Federations: can simplify federation usability
XML-Based Doc Security

   X-Sec [5] is one notional XML-based access control system with the following components:
        Credential-types (ct): a defined user type
            Example: manager, customer, carrier
            (n_ct, P_ct), where n is the name of the credential type and P is the set of property specifications for the ct.

   XML credential-type and corresponding graph representation [5]
   X-Sec components (cont.)
        Credential: an instantiation of a credential-type
            Specifies the set of property values characterizing a given subject against the credential-type itself
            Physical credentials are certified by the credential

   XML credential and corresponding graph representation [5]
   X-Sec components (cont.)
        Security Policy Base Template: specifies credential-based security policies based on enterprise protection requirements
            Documents to which the policy applies
            Portions of the target documents
            Access modes
            Propagation mode for the policy
   X-Sec components (cont.)
        Security Policy Base Instantiation
        Example (below)
            Secretaries in sales can access and modify all purchase order documents
            UPS employees can access information about the customer, carrier and order id.
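The two policies of the example above, evaluated against XML credentials and a purchase-order document, as an added example (not the paper's code, DTDs or policy syntax). It covers the four template components just listed: target document, portions of the document, access modes and propagation mode. The element and attribute names (policy, constraint, portion, modes, propagation), the propagation labels NO_PROP / FIRST_LEVEL / CASCADE and the credential, policy and document contents are assumptions constructed for this example.

```python
"""Evaluating the X-Sec style example above: credentials are XML instances of
a credential-type, and a policy base says which credential-type (with property
constraints) gets which access modes on which portions of which documents, with
a propagation mode. Added example, not the paper's code or DTDs; the element and
attribute names and the propagation labels NO_PROP / FIRST_LEVEL / CASCADE are
assumptions for this example. Documents and credentials below are constructed."""
import xml.etree.ElementTree as ET

CREDENTIALS = {   # credential = instantiation of a credential-type, here <secretary>/<ups_employee>
    "ann": ET.fromstring("<secretary><name>Ann</name><dept>sales</dept></secretary>"),
    "carl": ET.fromstring("<secretary><name>Carl</name><dept>legal</dept></secretary>"),
    "bob": ET.fromstring("<ups_employee><name>Bob</name><employer>UPS</employer></ups_employee>"),
}

POLICY_BASE = ET.fromstring("""<policy_base>
  <policy cred_type="secretary" target="purchase_order" portion="/" modes="view modify" propagation="CASCADE">
    <constraint property="dept" value="sales"/>
  </policy>
  <policy cred_type="ups_employee" target="purchase_order" portion="customer carrier order_id"
          modes="view" propagation="FIRST_LEVEL"/>
</policy_base>""")

PURCHASE_ORDER = ET.fromstring("""<purchase_order>
  <order_id>PO-1001</order_id>
  <customer><name>ACME Corp</name><address>12 Main St</address></customer>
  <carrier>UPS</carrier>
  <items><item sku="X1" price="19.99"/></items>
  <payment><card>4111 1111 1111 1111</card></payment>
</purchase_order>""")


def element_paths(elem, prefix=""):
    """Yield (path, element) for elem and every descendant, e.g. purchase_order/customer/name."""
    path = f"{prefix}/{elem.tag}" if prefix else elem.tag
    yield path, elem
    for child in elem:
        yield from element_paths(child, path)


def credential_matches(cred, policy) -> bool:
    """Credential-type name must match, and every <constraint> property must have the given value."""
    if cred.tag != policy.get("cred_type"):
        return False
    for c in policy.findall("constraint"):
        prop = cred.find(c.get("property"))
        if prop is None or (prop.text or "").strip() != c.get("value"):
            return False
    return True


def covered_elements(policy, doc) -> set:
    """Ids of the document elements a policy protects, after applying its propagation mode."""
    roots = []
    for portion in policy.get("portion").split():
        roots += [doc] if portion == "/" else doc.findall(f".//{portion}")
    mode = policy.get("propagation")
    covered = set()
    for root in roots:
        covered.add(id(root))                              # NO_PROP: the element only
        if mode == "FIRST_LEVEL":
            covered.update(id(child) for child in root)    # plus direct children
        elif mode == "CASCADE":
            covered.update(id(e) for e in root.iter())     # plus all descendants
    return covered


def authorized_paths(cred, policy_base, doc_name, doc, mode):
    """Paths of doc elements the credential holder may access in the given mode (view/modify)."""
    allowed = set()
    for policy in policy_base.findall("policy"):
        if policy.get("target") != doc_name or mode not in policy.get("modes").split():
            continue
        if credential_matches(cred, policy):
            allowed |= covered_elements(policy, doc)
    return sorted(path for path, e in element_paths(doc) if id(e) in allowed)


if __name__ == "__main__":
    for who in CREDENTIALS:
        for mode in ("view", "modify"):
            print(who, mode, authorized_paths(CREDENTIALS[who], POLICY_BASE, "purchase_order", PURCHASE_ORDER, mode))
```

Running it shows Ann (sales secretary) sees and may modify every element, Bob (UPS) may only view order_id, carrier and the customer block, and Carl (legal secretary) sees nothing, because the constraint on dept fails even though his credential-type matches. The payment element is never reachable by a UPS credential, which is the point of authorizing portions of a document rather than whole documents.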
PRO:
   Highly available in commercial
   Easy to set up
   Training is readily available
   Highly effective in a CLOSED and TRUSTED environment

CON:
   Often difficult to REMOVE users
   Impractical in an open user environment
   Not a long-term Internet
   Passwords can be stolen, resulting in unauthorized access
        Periodic password changes make remembering passwords difficult
        Left to their own devices, people tend to choose passwords that are easy to

Biometrics

        Any of a variety of identification techniques based on some physical or behavioral characteristic of the individual, contrasted with the larger population. Unique digital identifiers are created from the measurement of this characteristic.
        Physiological biometrics
            Fingerprints, hand and/or finger geometry, eye (retina or iris), face and wrist (vein)
        Behavioral biometrics
            Voice, signature, typing behavior and pointing

   The user's digital template is created during an "enrollment period" and stored in a database
   On an attempted verification, the relevant template is extracted and compared with the input data
        An ATM card is still required to point at the correct digital template
   Verification is based on statistical comparison between the two

Some devices that use biometrics

   The eight points can be used to measure whether an identity management protocol is suited to scalability and federated use.
   Browser features can be used as a metric: use of cookies, use of JavaScript, use of XML

BENCHMARKS for Biometrics
   Template size
   Speed of enrollment
   False Accept Rate (FAR)
   False Reject Rate (FRR)

PRO
   When it works, it works best
        Generally acceptable in controlled group settings

CON
   Bad user perceptions
        May be misused
        May harm eyes
   Input quality degrades with
   Unacceptable False Reject
        17% - facial
        10% - finger swipe
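The two rate benchmarks listed above and the false-reject figures in this table are two views of one trade-off: the verification threshold that is applied to the statistical comparison between the stored template and the fresh sample. The following added example (not data from the slides or from [6]) computes FAR and FRR over constructed matcher scores, finds the equal-error-rate threshold, and shows what tuning for zero false accepts costs in false rejects. The score lists are invented 0-100 similarity scores, not real measurements.

```python
"""False Accept Rate and False Reject Rate as a function of the decision
threshold, over constructed matcher scores. Added example, not data from the
slides or from [6]; the score lists are invented (0-100 similarity scores) to
show the trade-off, not real measurements."""

# constructed: scores of genuine attempts (the enrolled user) and of impostor attempts
GENUINE = [55, 60, 62, 70, 72, 75, 77, 78, 80, 82, 84, 85, 86, 88, 89, 90, 92, 94, 96, 98]
IMPOSTOR = [10, 15, 20, 25, 30, 33, 36, 40, 42, 45, 48, 50, 52, 55, 58, 60, 63, 66, 70, 75]


def far(threshold, impostor=IMPOSTOR) -> float:
    """False Accept Rate: impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE) -> float:
    """False Reject Rate: genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where FAR and FRR are closest (the usual single-number benchmark)."""
    best = None
    for t in range(0, 101):
        gap = abs(far(t, impostor) - frr(t, genuine))
        if best is None or gap < best[0]:
            best = (gap, t, far(t, impostor), frr(t, genuine))
    return best[1:]   # (threshold, far, frr)


def threshold_for_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Security-first tuning: lowest threshold meeting a FAR budget, and the FRR it costs."""
    for t in range(0, 101):
        if far(t, impostor) <= max_far:
            return t, far(t, impostor), frr(t, genuine)
    return None


def lockout_probability(false_reject_rate: float, attempts: int = 3) -> float:
    """Probability a genuine user fails all `attempts` independent tries at that FRR."""
    return false_reject_rate ** attempts


if __name__ == "__main__":
    print("EER (threshold, FAR, FRR):", equal_error_rate())
    print("zero-FAR tuning:", threshold_for_far(0.0))
    print("lockout probability at FRR 0.17, 3 tries:", lockout_probability(0.17))
```

On these constructed scores the equal error rate sits at 15% and driving FAR to zero pushes FRR to 30%, which is the shape behind the 17% and 10% false-reject figures quoted above: a deployment that wants few impostors accepted pays for it in rejected legitimate users, and the lockout probability after a few retries is what the user actually experiences.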

Conclusions

   Identity is a key issue on Next Generation
   Any new or already proposed scheme for identity management should address at least the eight points exposed
   All identity management should work with a browser on the client side
Conclusions (cont.)

   Identity management paradigms that ensure "you are you," as opposed to "you are who you say you are," are absolutely critical to the future of e-commerce and electronic information
   Federated Identity can only be successful if the services are decentralized
        Not an easy task
Conclusions (cont.)

   Access control systems will continue to provide enterprise solutions for controlled areas for the foreseeable future
   Biometrics appears to be the only real solution on the horizon, but it is not yet reliable enough for use in the general world population.

   Images and icons from
   Icons from CISCO SYSTEMS
   Photo on slide 7, from Wikipedia,

1.   Toby Baier, Christian Zirpins, Winfried Lamersdorf, "Digital Identity: How to be someone on the Net".
2.   Peter G. Neumann, "Identity-Related Misuse", Communications of the
3.   US Department of Justice (USDOJ), "Identity theft and fraud", June 2000. Retrieved July 1, 2004, from the World Wide Web:
4.   E. Bertino, A. Bhargav-Spantzel, A. C. Squicciarini, "Digital Identity Management and Trust Negotiation", CERIAS, Purdue University, and University of Milan, Milan, Italy.
5.   E. Bertino, S. Castano, E. Ferrari, "On Specifying Security Policies for Web Documents with an XML-based Language", SACMAT'01, May 3-4, 2001, Chantilly, Virginia.
6.   L. Coventry, A. DeAngeli, G. Johnson, "Usability and Biometric Verification at the ATM Interface", CHI 2003, April 5-10, 2003, Fort Lauderdale, FL.
