Enterprise Identity Management

Transcription

1 Enterprise Identity Management With inputs from : IAM Course; Institute for Internet Technologies and Applications, University of Applied Sciences, Rapperswil, Switzerland 1

2 Agenda IAM topics and concepts Common technical approaches Security of Internet banking authentication Enterprise Identity Management Electronic Identity Management Identity and Access Management (EIM) (IdM) (IAM) 2

3 Digital Identity On the Internet, nobody knows you re a dog Cartoon by Peter Steiner, July 5, 1993 The New Yorker (Vol. 69, No. 20) 3

4 This is why most businesses look like this 4 Source: Gilbert Maurer, Solution Architect, Hewlett Packard (Schweiz), 2005

5 IdM Three Perspectives In the real world context of engineering online systems, identity management can be given three perspectives: The pure identity paradigm creation, management and deletion of identities without regard to access or entitlements; The user access (log on) paradigm a smart card and its associated data that a customer uses to log on to a service or services (a traditional view); The service paradigm a system that delivers personalized, role based, online, on demand, multimedia (content), presence based services to users and their devices. wikipedia 5

6 IAM Process Framework User access Service Identity AM: WM: IM: Access Model Workflow Model Identity Model wiki.org 6

7 Generalized Access Control System Scheme (4 A System) Administration System to create identity and authentication information Identity Information Store (ID/PW) System to create policy sets Policy Information Store (R/W/E) Authentication Authentication decision Access decision Authorization Source: Ant Allen, "A Functional Model Auditing Aids Understanding of Identity and Access Management Tools", Gartner Group Research Report ID Number G , 15 December Audit Log administration activities successful, fildl failed logins (authentication) ti ti accesses (authorization) 7

8 Gartner IAM Hype Cycle (June 2006) 8

9 some Wikipedia definitions Active Directory is animplementation ofldapdirectoryservices by Microsoft for use primarily in Windows environments basic authentication scheme is a method designed to allow a web browser, or other client program, to provide credentials in the form of a user name and password when making a request. Federation is a new approach,, which uses standards based protocols to enable one application to assert the identity of a user to another.. Kerberos is a popular mechanism for applications to externalize authentication entirely Single sign on (SSO) is a specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple software systems Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication i and authorization i data between security domains.. wikipedia 9

10 COMMON APPROACHES 10

11 Windows AD Srv Srv Srv DC Client Client Client DC 11

12 Windows AD based authentication (KERBEROS setup) User Client DC Target (KERBEROS) PW Ticket Granting Ticket (TGT) TGT Ticket Ticket 12

13 Windows Smart Card LogOn PIN DC Client PIN Kerberos KDC Certificate t Certificate E PK [TGT] TGT AD user cert

14 Web based SSO Srv Client Srv Srv 14

15 HTTP Basic Authentication Client GET / Server Basic NTLM Digest HTTP/ Unauthorized WWW Client WWW authenticate: Basic realm= MyServer" GET / Authorization: Basic QWxhZGRpbjpv WWW Server base64 t Show Document t RFC 2617 HTTP Authentication: Basic and Digest Access Authentication, June

16 Secure Entry Server (Gateway) setup Srv Srv Client SES Srv Srv Login Srv 16

17 SSL Client Certificate Authentication User client web server auth srv Client certificate request (challenge) PIN Retrieve secret key Sign challenge response Check signature Retrieve user Check user 17

18 SECURE INTERNET BANKING AUTHENTICATION 18

19 Attacks to be considered Fake Login Theft of credentials Phishing (passive) M i t M (Phishing active) Trojans Fake Transactions Session hijacking Session riding (html) Trojans 19

20 One Time Password: Scratch list Scratch list Scratch list Client uses next password widely used in Telebanking Sent to user over independent channel Created randomly In use: Raiffeisen 20

21 Challenge Response: Grid Card (Matrix Karte) Grid card In use: Zürcher Kantonalbank Banque Cantonale Vaudoise Grid card Client answers with password upon password number request used in Telebanking Sent to user over independent channel Created randomly 21

22 Traditional Token Examples Physical Devices Locks Tags/Cards (may be contactless) Special computers Mobile phones (SMS) 22

23 SMS Authentication Announced by: ZKB Raiffeisen mobile user client server Contract, PIN mtan mtan 23

24 axsionics Fingerprint reader Flickering interface Large display Optional card reader User token client server challenge challenge finger response response response 24

25 EMV CAP (Card Authentication Protocol) Karte wird ins PCR gesteckt PCR fragt nach Challenge, Bankenhost generiert Challenge Challenge wird ins PCR eingetippt PCR fragt nach Karten PIN PIN wird ins offline PCR eingetippt Wenn die PIN korrekt ist, generiert der Chip ein One Time Passwort Bankenhost authentifiziert i One Time Passwort Promoted by: Telekurs 25

26 One Time Password: Dynamic Password Generator Number changes every 60 seconds Time sync allows typically 3 possible codes (3 min interval) Security discussion Dec 2001 due to claimed emulation program In use: Credit Suisse 26

27 Challenge Response Tools SW: S/Key HW: RSA SecureID Vasco Digipass Token.. In use: UBS Telebanking Migrosbank Smart Card 27

28 A Classification of measures To protect Login Static Password / PIN Dynamic Scratch list, matrix card PIN Token autonomous Token Challenge / Response SMS token /Axsionics SSL certificate Hard ad Soft User token server PW Code Code To protect Transactions Secure session management autonomous code (TAN) Transaction based code Improve client security 28

29 The Evaluation Login focus staticdynamic SSL cert Transaction focus passwo ord Scratch list auton. Token C/R tok ken SMS to ken hard soft session mgmt TAN au to Xact TA AN Client S ec login theft of credentials phishing passive M i t M Trojans Transactions session hijack session riding (html) Trojans 29

30 wiki.org/home h THANKSFORYOURATTENTION! 30