1 Designing federated identity management architectures for addressing the recent attacks against online financial transactions. Dr. Christos K. Dimitriadis Security Officer INTRALOT S.A.
2 Scope and Agenda Scope: Description of attacks against identity management systems and presentation of design principles for secure implementations. Agenda: Identity management definition, protocols and technologies. Threat model: Attack Trees. Design principles for addressing attacks. Conclusions.
3 Identity Management Identity Management: The identification of individuals in a system and the control of their access to resources within that system, by associating user rights and restrictions with an established identity. Identity Federation: The binding of two entities in an identity management system. Protocols: Liberty Alliance Specifications, Shibboleth, MS-Passport, IBM-BBAE. Authentication methods: Passwords, Soft/Hard Certificates, OTP, Challenge-response, Biometrics, Knowledge-based id verification.
4 Problem Definition and Approach Problem: (Federated) Identity management mechanisms are vulnerable to attacks. Approach for addressing the problem: 1. Define vulnerabilities and attacks in detail: Threat Modeling. 2. Assess existing mechanisms against the Threat Model. 3. Design an integrated mechanism for addressing the attacks of the Threat Model.
5 Attack trees: Threat Modeling A formal methodology for analyzing the security of systems and subsystems (Schneier, B. 1999). They provide a way to think about security, to capture and reuse expertise about security, and to respond to changes in security. Attack tree components: Root Node: Final result of the attack = Impact. Leaf Nodes: Attack path. Child Nodes: Groups of vulnerabilities for each part of the process.
6 Threat Model User Impact Business Impact Financial Impact Obloguy Legal Problems Financial Impact Reputation Loss Legal Problems Identity Theft Use of Credentials by Attacker Submission of Credentials to Attacker User Credential Compromise Hidden Code Worms and bots Malicious s User Client Attacks Use of Credentials by Attacker User Credential Compromise User Surveillance Token Stealing Social engineering / E- mail phishing User-side Attacks Use of Credentials by Attacker User Credential Compromise SC Analyzers SC Reader Manipulation OTP window exploit User Credential Guessing Token Attacks Use of Credentials by Attacker User Credential Compromise Direction to Malicious Website Web Page Obsfucation Pharming URL Phishing Use of Credentials by Attacker User Credential Compromise Man-in-themiddle Sniffing Session hijacking Protocol Attacks User Authentication Bypassing
7 Security Assessment Several vulnerabilities have been reported that permit the attacks of the Threat Model: E.g. SAML Artifact profile: Man in the middle and replay attacks.
8 Designing secure solutions - Entities Enable security for all elements in the identity management service provision path: User. User Client. Identity provider: IdP Service: manages identity information on behalf of the users and provides assertions of user authentication to other providers. DiscS: enables various entities to discover a user s registered identity services. Service Provider: Profile Service:exposes a protocol interface to a set of resources, including identity attributes related to the service. Service.
9 IDM Entity Interaction Basic Protocol
10 Principles per element: User & Client Educate the user and create security awareness on the use of credentials. Deploy at least two-factor authentication. For increased security bind the credentials with the user: Biometrics. Knowledge-based identity verification. Deploy client security guidelines but consider clients as insecure.
11 Principles per element: Identity Provider Ensure user identity privacy by deploying the transferring of temporary artifacts. Do not submit real identities but profile pointers. Establish mutual authentication between Identity Provider and Service Provider elements. Add randomness to the messages exchanged and life-limits of exchanged artifacts as an additional countermeasure for replay protection.
12 Principles per element: Service Provider Keep set of attributes linked to profiles securely non exportable / do not submit. Establish mutual authentication between Service Provider and Client. Enable encryption and MAC for establishing confidentiality and integrity in communications. Implement session state management against session hijacking. Harden Service Provision Gateways. Search for Phishing Sites replicating / spoofing the service.
13 Conclusions Attack types vary. Successful attacks may cause financial impact, legal problems or reputation loss to Service Providers and Users. Identity Management systems require a comprehensive ongoing security analysis. All paths in the attack tree should be addressed by studying the whole service provision path, not in an ad-hoc, standalone but in an integrated holistic manner.
14 Thank you Dr. Christos K. Dimitriadis, CISM, CISA Security Officer [W] [ ]