AK IT-Sicherheit 1: Identity Management. Bernd Zwattendorfer, Graz
Slide 1: AK IT-Sicherheit 1, Identity Management, Graz. The E-Government Innovation Centre is a joint institution of the Federal Chancellery and TU Graz.

Slide 2: Motivation (figure; Ref: Peter Steiner, The New Yorker)

Slide 3: Unintended Data Twins (figure)

Slide 4: Overview
» General
  » Terms, definitions
  » Identification, authentication, authorization
» Identity management
  » Identity models
  » Different architectures
» Identity protocols
  » SAML, OpenID, OpenID Connect, CAS
» Identity management in Austria
  » Citizen-to-Government (MOA-ID)
  » Government-to-Government (PVP)
Slide 6: Identity
Identity: "who a person is, or the qualities of a person or group that make them different from others" (Ref: Cambridge Online Dictionaries); "the fact of being who or what a person or thing is; the characteristics determining who or what a person or thing is" (Ref: Oxford Dictionaries).
» Appears wherever proof of being a particular person or of having specific attributes or properties is required
» Identity describes a person's unique and distinctive characteristics, distinguishing people from one another
  » Name, gender, color of hair and eyes, ...
» In real life an identity is often also referred to as a principal, in a digital context as a subject

Slide 7: Digital Identity
"Digital identity can be defined as the digital representation of the information known about a specific individual or organization." [Bertino and Takahashi]
"A Digital Identity is the representation of a human identity that is used in a distributed network interaction with other machines or people." [DigitalID World magazine]
"In an identity management system identity is that set of permanent or long-lived temporal attributes associated with an entity." [Camp]
» Same identity properties and attributes, but available digitally
  » E.g.: name, date of birth, ...
  » Also: username, ...
» Applicable also to non-natural persons
  » E.g. computer system, company, ...

Slide 8: Digital Identity Triangle (figure with the nodes Digital Identity, Identifier and Person and the relations "activates", "refers to" and "stands for"; Ref: GINI-SA)

Slide 9: Digital Identity (figure; Ref: Bertino/Takahashi)

Slide 10: Digital Identity
» Identifier
  » Character string identifying a person
  » May be restricted in time or to an application sector
  » E.g.: username, ..., URI, ssPIN, sourcePIN, ...
» Credentials
  » Credentials for parts of the identity or for the complete identity
  » Used for proving the identifier and/or attributes
  » E.g.: password, certificate, ...
» Attributes
  » Describe a person's properties
  » E.g.: name, date of birth, gender, ...

Slide 11: Electronic Identity (eID)
» Aims to guarantee the unique identity of a person (natural or legal person), ensuring trust between the parties involved in electronic transactions
» Particularly required in sensitive application areas (e.g., e-government)
» I-S-A functions
  » Identification, Signature, Authentication
» Features an eID needs to support
  » Universality of coverage, uniqueness, permanence, exclusivity, precision

Slide 12: Identification, Authentication, Authorization (figure relating Person, Identifier, Digital Entity and Rights through Identification, Authentication and Authorization; Ref: GINI-SA)

Slide 13: Identification
"Identification is the association of a personal identifier with an individual presenting attributes." [Clarke]
» Formerly: people knew each other
» Traditional: ID card
  » Passport, identification card, driving license, ...
» Online: electronic ID (eID), e.g. the Austrian Citizen Card

Slide 14: Identification
» An association between a personal attribute and an individual, representing different properties
  » E.g.: the name Max Mustermann identifies the person Max Mustermann.
» Unique identification is only possible if no other person's name is Max Mustermann (within a defined context)
» Otherwise additional attributes are required for unique identification (e.g. date of birth, address, ...)

Slide 15: Means of Identification (Ref: Clarke)
Option | Description | Example
Appearance | How the person looks | Color of skin or eyes, gender, pictures on ID documents
Social behavior | How the person interacts with others | Voice, body language, mobile phone records, video surveillance data, credit card transactions, etc.
Names | What the person is called by other people | Family name, name listed in a national registry or on passports, nicknames
Codes | What the person is called by an organization | Social security number, matriculation number, ID card numbers
Knowledge | What the person knows | Password, PIN
Tokens | What the person has | Driving license, passport, smart card, mobile phone
Bio-dynamics | What the person does | Pattern of handwritten signature
Natural physiography | What the person is | Fingerprint, retina, DNA
Imposed physical characteristics | What the person is now | Height, weight, rings, necklaces, tattoos

Slide 16: Authentication
"Authentication is proof of an attribute." [Clarke]
"Authentication of identity is proving an association between an entity and an identifier." [Clarke]
"The process of verifying a subject's identity or other claim, e.g. one or more attributes." [GINI-SA]
» Process of proving a person's claimed identity or digital identity
» Traditional:
  » Proof of identity (name, appearance, ...), e.g. by passport
» Online:
  » Proof of identity (username), e.g. using a password

Slide 17: Authentication mechanisms
» Having-something approach (ownership)
  » Authentication based on something an entity owns or has for proving its identity
  » E.g., passport, smart card, private key
» Knowing-something approach (knowledge)
  » Authentication based on presented knowledge
  » E.g., password, PIN
» Being-something approach (physical property)
  » Authentication based on a physical property
  » E.g., fingerprint
» Doing-something approach (behavior pattern)
  » Authentication based on something an entity does
  » E.g., voice recognition

Slide 18: Multi-Factor Authentication
» Combining different authentication mechanisms to increase security
» E.g. ownership and knowledge (2-factor)
  » Citizen card (smart card and PIN)
  » Mobile phone signature (mobile phone and password)
» Security is increased by increasing the number of mechanisms

Slide 19: Authorization
"Authorization is a decision to allow a particular action based on an identifier or attribute." [Clarke]
"Through authorization, rights are assigned to a digital identity." [GINI-SA]
» Usually carried out after an authentication process
» Assigning access rights to particular resources or entities
  » E.g. read/write rights on a file system
» Often based on roles or groups
  » E.g., doctor, student, etc.

Slide 20: Exceptions
» Identification without authentication
  » A doctor wants to access a patient's data
  » The doctor identifies herself, authenticates herself and gets adequate access rights
  » The patient is only identified
» Authentication without identification
  » Anonymous credentials (AC)
  » Prove that someone is older than 18 without revealing other identifying attributes

Slide 21: Summary
» Identity
  » Max Mustermann
» Identification
  » "I am Max Mustermann"
» Authentication
  » "My passport proves that I am Max Mustermann"
» Authorization
  » Max Mustermann is employed at company A and is allowed to access Service B
Slide 22: Identity management (IdM)
"Identity and access management combines processes, technologies, and policies to manage digital identities and specify how they are used to access resources." [Microsoft]
» Managing identities
» Managing access rights for resources
» Management of the identity lifecycle
» Different dimensions
  » E.g. within a system (e.g. a company), a network or a country

Slide 23: Identity Lifecycle (figure with the phases Creation, Usage, Maintenance and Deletion, and Governance spanning them)

Slide 24: Identity Lifecycle
» Creation
  » Create the data record of the digital identity
  » Contains different attributes
  » Attributes may be
    » self-created, self-declared
    » proved and verified
  » A credential is issued

Slide 25: Identity Lifecycle
» Usage
  » Used in different (personalized) services
  » Authentication and authorization
  » Transfer/distribution to other systems (e.g. other companies) or system parts (e.g. internal registers/databases)
  » Single sign-on (SSO)

Slide 26: Identity Lifecycle
» Maintenance
  » Attributes and their values may change (e.g. address)
  » Attributes may be added or deleted
  » Attributes may have limited validity (e.g. a certificate valid for 1 year)
  » Identifiers should not be changed

Slide 27: Identity Lifecycle
» Deletion
  » The validity period may expire (e.g. certificates)
  » The validity may be revoked (e.g. certificates)
  » Simple deletion
  » Revocation should be documented and other systems should be informed

Slide 28: Identity Lifecycle
» Governance
  » Policies/guidelines for creation, usage, maintenance and deletion of identities
  » Policies/guidelines for authentication (e.g. authentication level/strength)
  » Policies/guidelines for authorization (e.g. conditions for data access)
  » Legal framework
  » Audit: traceability of single activities

Slide 29: Identity Types (Ref: FIDIS)
» Complete identity
  » Union of all attribute values of all identities of this person
» Partial identities
  » Different sets of attributes forming identities (e.g. at work, in social media, ...)

Slide 30: Identity Types
» Pseudonymous identities
  » Decoupling of the digital identity from the real person (by a trustworthy entity)
  » Only the trustworthy entity is able to link back to the real person
  » E.g. name changed by an editorial office
  » E.g. used for analysis of health data
» Anonymous identities
  » Decouple the digital identity from the real person
  » Unlinkability to the real person
  » Normally temporary and for single transactions
  » E.g. completing a questionnaire

Slide 31: Identity Types
» Local identity
  » Valid only within a closed environment
  » E.g. Windows PC
» Global identity
  » Valid within a wider context
  » E.g. passport
» Federated identity
  » Identity data shared and linked over multiple systems
  » Allows systems the shared usage of identity data
  » Single sign-on (SSO)
» Brokered identity
  » Identity translation
  » E.g. from a partial identity to a pseudonymous identity for privacy reasons

Slide 32: Identity Threats (Ref: Tsolkas/Schmidt)
» Identity linking
  » Information regarding an identity is collected and a profile is derived
  » E.g. persistent identifiers, personal details in social networks, requesting more information than needed, selling personal data
» Identity theft
  » One person claims to be another person
  » E.g. social engineering, eavesdropping on communication, credit card fraud
» Identity manipulation
  » An identity's attributes are changed with intent
  » E.g. modification of access rights
» Identity disclosure
  » An identity's attributes are disclosed
  » E.g. intentional or unintentional disclosure of health data

Slide 33: Example of Identity Theft
"In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook." (Mat Honan)
"In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it's possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz."

Slide 34: Challenges for Digital Identity
» Security
  » Countering any identity threat or identity compromise
» Privacy
  » Minimal disclosure, anonymity, unlinkability
» Trust
  » Trust relationships between all involved entities/stakeholders are essential
» Data control
  » Users should be entitled to maximum control over their own personal data
» Usability
  » Easy to understand and usable authentication mechanisms
» Interoperability
  » Facilitates the portability of identities
  » Acceptance of different authentication mechanisms
Slide 35: Overview (agenda of slide 4 repeated; next section: Identity management, identity models and architectures)
Slide 36: Stakeholders (figure; Ref: Bertino/Takahashi)

Slide 37: Stakeholders
» Subject
  » Digital identity of a person
  » Provides identity data (attributes) to the identity provider
» Identity Provider (IdP)
  » Provides identity data of the subject to the service provider
  » Identification, authentication and authorization
» Relying Party (Service Provider, SP)
  » Provides services or resources to the subject
  » Relies on the identity data of the identity provider
» Control Party
  » Checks compliance with policies, guidelines or laws
  » Provides the possibility of audit, e.g. reproducing an authentication process

Slide 38: Isolated Model (figure: User; Service and Identity Provider holding the Identity Data; relations "Identification and authentication" and "Provide and access service"; Ref: Jøsang/Pope, 2005)
» SP and IdP merge
» Authentication directly at the SP
» The IdM system is applicable only for the specific SP
» Identity data stored and maintained at the individual SP

Slide 39: Central Model (figure: User; Identity Provider holding the Identity Data; Service Provider; relations "Identification and authentication", "Identity data transfer" and "Provide and access service"; Ref: Palfrey and Gasser, 2007)
» The Identity Provider (IdP) stores the identity data
» The IdP provides identity data to the service provider (SP)
» The user has no control over the actual data transfer
» E.g., Central Authentication Service (CAS), Facebook

Slide 40: User-Centric Model (figure: User holding the Identity Data; Identity Provider; Service Provider; relations "Identification and authentication", "Identity data transfer" and "Provide and access service"; Ref: Palfrey and Gasser, 2007)
» Identity data stored in the user domain
» Usually stored on a secure token (e.g., smart card)
» Explicit user consent
» E.g., Citizen Card, nPA

Slide 41: Federated Model (figure: User; Identity Providers in Domain A and Domain B, each holding Identity Data, joined in a Federation; Service Provider; relations "Identification and authentication", "Identity data transfer" and "Provide and access service"; Ref: Palfrey and Gasser, 2007)
» Identity data distributed across several identity providers
» An appropriate trust relationship between the providers is required
» The IdPs share a common identifier
» E.g., Shibboleth, WS-Federation

Slide 42: Identity Federation (figure; Ref: SAML 2.0 Technical Overview)

Slide 43: Single Sign-On (SSO)
"SSO is the ability for a user to authenticate once to a single authentication authority and then access other protected resources without reauthenticating." [Clercq]
» Log in once, use multiple services at the same time
(figure: normal login at multiple services vs. SSO login at multiple services)

Slide 44: Single Sign-On (SSO)
» Advantages
  » Only one authentication process
  » Avoids a large number of different passwords
  » Higher level of security
  » More user comfort and time savings
» Disadvantages
  » Central point of failure or attack
  » "Key to the kingdom"

Slide 45: Single Sign-On (SSO)
» Pseudo-SSO system
  » Local middleware storing different credentials for the service providers
  » The real authentication at the service providers happens hidden from the user, using the stored credentials
  » E.g. password manager
» True-SSO system
  » Identity provider acts as intermediary
  » One real authentication at the identity provider
  » Subsequent authentications at service providers are based on assertions from the identity provider
  » E.g. identity protocols

Slide 46: Single Logout (SLO)
» The reverse process to SSO
» Global logout from all services a user is currently logged in to
» Important security feature
  » Logging out of one application after SSO can leave open authentication sessions at the other applications

Slide 47: Trust Management
"Trust is the characteristic whereby one entity is willing to rely upon a second entity to execute a set of actions and/or to make a set of assertions about a set of principals and/or digital identities. In the general sense, trust derives from some relationship (typically a business or organizational relationship) between the entities." [Goodner and Nadalin]
» Direct Trust
  » One party fully trusts the other party without any intermediaries or another trusted third party
» Indirect Trust
  » The affected parties rely on claims asserted by an intermediary or a common trusted third party
Slide 48: Overview (agenda of slide 4 repeated; next section: Identity protocols, SAML, OpenID, OpenID Connect)
Slide 49: Identity Protocols (figure: User, Identity Provider (IdP) and Service Provider (SP), connected by the Identity Protocol)

Slide 50: Identity Protocols, Terminology
Component | SAML | OpenID | OAuth | OpenID Connect | CAS
Service Provider (SP) | Service Provider | Relying Party | Client | Client | Web Service
Subject | Subject | End User | Resource Owner | Resource Owner | User
Identity Provider (IdP) | Identity Provider | OpenID Provider | Authorization Server and Resource Server | Authorization Server and Resource Server | Central Authentication Server

Slide 51: SAML
» Security Assertion Markup Language
» XML-based standard for the secure exchange of identity and authentication data between security domains
» Well-established standard for years
  » SAML 1.0: 2002
  » SAML 1.1: 2003
  » SAML 2.0: 2005
» Uses existing standards (e.g. XML-DSig, XML-Enc, SOAP, ...)
» Used within other standards (e.g. WS-Security)

Slide 52: Typical Use-Cases
» Web Single Sign-On (SSO)
  » Authentication at one web site and access to multiple web sites without re-authentication (even beyond domain borders)
» Identity federation
  » Federation of identity data across multiple systems/domains
» Attribute-based authorization
  » Authorization based on transferred attributes
» Securing Web Services
  » Transport of structured security information within other standards
» Single Logout
  » Global and simultaneous logout at multiple applications

Slide 53: SAML Architecture (figure; Ref: SAML 2.0 Technical Overview)
» Profiles: SSO Profiles, Single Logout Profile, Attribute Profiles
» Bindings: SOAP Binding, HTTP-Artifact, HTTP-Redirect, HTTP-POST Binding
» Protocols: Authentication Request Protocol, Single Logout Protocol
» Assertions: Authentication, Attribute, Authorization Decision

Slide 54: SAML Assertion
» Assertion = claim of somebody about somebody
» SAML assertions contain different statements
  » Authentication statement
    » "Max Mustermann authenticated himself on October 29, 2014 at 09:17 using a smart card."
  » Attribute statement
    » "Max Mustermann was born on January 1, 1970 and is a lawyer."
  » Authorization statement
    » "Yes, Max Mustermann is allowed to access this web site."

Slide 55: SAML Assertion (figure; Ref: Eve Maler)

Slide 56: SAML Assertion, Example (figure showing a SAML Assertion containing a SAML Authentication Statement and a SAML Attribute Statement; Ref: Eve Maler)
Slide 57: SAML Protocols
» SAML assertions are requested and returned after successful authentication
» SAML defines different XML request/response protocols
» The messages are transferred via different communication/transport protocols (SAML Bindings)

Slide 58: SAML Bindings
» SAML via SOAP over HTTP (figure; Ref: SAML 2.0 Technical Overview)

Slide 59: SAML Profiles
» Model the SAML use cases by combining SAML Assertions, SAML Protocols and SAML Bindings
  » Single sign-on, identity federation, single logout, ...
» Profiles are standardized, but own profiles may be created
  » E.g. STORK, PVP

Slide 60: SAML Login Process (figure; annotation: "Not specified in SAML!"; Ref: SAML 2.0 Core)

Slide 61: SAML SSO Login Process (figure; annotation: "User already authenticated -> SSO!"; Ref: SAML 2.0 Core)

Slide 62: SAML Single Logout Process (figure; Ref: SAML 2.0 Core)

Slide 63: OpenID
» Decentralized authentication and SSO system for web-based services
» Identity (identifier) is URL- or XRI-based (e.g. ...)
» No XML, only URL parameters
» Established standard
  » Version 1.0: 2005
  » Version 1.1: 2006
  » Version 2.0: 2007
» Replaced by OpenID Connect in 2014

Slide 64: OpenID Login Process (figure: RP = Relying Party, OP = OpenID Provider; Ref: Bertino/Takahashi)

Slide 65: OpenID Messages
» OpenID authentication request
    GET /moa-id.gv.at/accounts/o8/ud?openid.assoc_handle=1.amlya9vmpyaft
      &openid.claimed_id=http%3a%2f%2fspecs.openid.net%2fauth%2f2.0%2fidentifier_select
      &openid.identity=http%3a%2f%2fspecs.openid.net%2fauth%2f2.0%2fidentifier_select
      &openid.mode=checkid_setup
      &openid.ns=http%3a%2f%2fspecs.openid.net%2fauth%2f2.0
      &openid.return_to=http%3a%2f%2fonline.applikation.gv.at
      &openid.ns.ax=...
      &openid.ax.mode=fetch_request
      &openid.ax.type.fname=... HTTP/1.1
» OpenID authentication response
    ...&openid.ns=http%3a%2f%2fspecs.openid.net%2fauth%2f2.0
      &openid.mode=id_res
      &openid.op_endpoint=https%3a%2f%2fmoa-id.gv.at%2faccounts%2fo8%2fud
      &openid.response_nonce=...t15%3a56%3a58zzeh9h37pfqhkmg
      &openid.return_to=http%3a%2f%2fonline.applikation.gv.at
      &openid.assoc_handle=1.amlya9vmpyaft
      &openid.signed=op_endpoint%2cclaimed_id%2cidentity%2creturn_to%2cresponse_nonce%2cassoc_handle
      &openid.sig=y8jj5je2yleekxyckxrcubyp19e%3d
      &openid.identity=12345==
      &openid.claimed_id=12345==
      &openid.ax.mode=fetch_response
      &openid.ax.type.fname=...
      &openid.ax.value.fname=max Mustermann
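What the relying party has to do with the positive assertion shown on slide 65: confirm that the fields it will rely on are covered by openid.signed, that return_to and assoc_handle are its own, that the response_nonce has not been seen before, and that the HMAC over the signed fields verifies under the association key. This is an added example written for these notes, not code from the lecture or from an OpenID library. The response is rebuilt from the slide's field values; the association MAC key, the full nonce and the identity URLs are constructed for the example, so the signature differs from the slide's.

```python
"""Check an OpenID 2.0 positive assertion (openid.mode=id_res) on the RP side.

Added example, not code from the lecture or from any OpenID library. Field
names and the Key-Value signing form follow OpenID Authentication 2.0; the
MAC key below is invented for the example (in practice it is established
during association and the hash algorithm depends on the association type).
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Fields that must always be covered by openid.signed in a positive assertion.
ALWAYS_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}

MAC_KEY = b"constructed-example-mac-key-not-a-real-secret"  # constructed


def kv_form(params, signed_fields):
    """Key-Value form of the signed fields in openid.signed order ("key:value\\n")."""
    return "".join(f"{field}:{params['openid.' + field]}\n" for field in signed_fields)


def sign(params, mac_key=MAC_KEY):
    """HMAC-SHA1 over the Key-Value form, base64-encoded (association type HMAC-SHA1)."""
    signed = params["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(params, signed).encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def make_sample_response():
    """Constructed response after slide 65 (values taken from the slide where present)."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://moa-id.gv.at/accounts/o8/ud",
        "openid.response_nonce": "2014-10-29T15:56:58Zzeh9h37pfqhkmg",  # date part constructed
        "openid.return_to": "http://online.applikation.gv.at",
        "openid.assoc_handle": "1.amlya9vmpyaft",
        "openid.identity": "https://moa-id.gv.at/id/12345",            # constructed URL
        "openid.claimed_id": "https://moa-id.gv.at/id/12345",          # constructed URL
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = sign(params)
    return urlencode(params)


def check_assertion(query, expected_return_to, expected_assoc_handle, seen_nonces, mac_key=MAC_KEY):
    """Return (params, problems); the assertion may only be accepted when problems is empty."""
    p = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    problems = []
    if p.get("openid.ns") != OPENID_NS:
        problems.append("not an OpenID 2.0 message")
    if p.get("openid.mode") != "id_res":
        problems.append("not a positive assertion")
    signed = [f for f in p.get("openid.signed", "").split(",") if f]
    required = set(ALWAYS_SIGNED)
    if "openid.identity" in p or "openid.claimed_id" in p:
        required |= {"identity", "claimed_id"}   # must be signed whenever present
    missing = sorted(required - set(signed))
    if missing:
        problems.append("required fields not signed: " + ",".join(missing))
    absent = [f for f in signed if "openid." + f not in p]
    if absent:
        problems.append("signed fields absent from message: " + ",".join(absent))
    if p.get("openid.return_to") != expected_return_to:
        problems.append("return_to does not match this endpoint")
    if p.get("openid.assoc_handle") != expected_assoc_handle:
        problems.append("unknown association handle")
    nonce = p.get("openid.response_nonce", "")
    if not nonce:
        problems.append("missing response_nonce")
    elif nonce in seen_nonces:
        problems.append("replayed response_nonce")
    if signed and not absent:
        expected_sig = sign(p, mac_key)
        if not hmac.compare_digest(expected_sig, p.get("openid.sig", "")):
            problems.append("bad signature")
    if not problems:
        seen_nonces.add(nonce)   # remember the nonce only for accepted responses
    return p, problems


if __name__ == "__main__":
    seen = set()
    print(check_assertion(make_sample_response(), "http://online.applikation.gv.at", "1.amlya9vmpyaft", seen)[1])
```

The nonce set is what turns a one-time assertion into a one-time assertion in practice: without it, a captured response stays valid until the association expires.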
Slide 66: OAuth
» Authorization protocol for desktop, web and mobile applications
» Allows applications to access a user's resources
» Users do not have to hand their credentials to the application
» Established standard
  » Version 1.0: 2010
  » Version ...

Slide 67: OAuth Process Flow (figure; Ref: RFC 6749)
» Client: the service provider
» Resource Owner: the user
» Authorization Server: handles authentication of the user and authorization of the client
» Resource Server: the server that hosts the protected resource

Slide 68: OpenID Connect
» Identification and authentication layer based on OAuth 2.0
» Authentication instead of authorization
» Apart from the name, the OpenID Connect protocol has nothing in common with the OpenID protocol
» No XML, only URL parameters or JSON
» Standard (version 1.0) since February 2014

Slide 69: OpenID Connect Process Flow (figure)

Slide 70: OpenID Connect Messages
» UserInfo request
    GET /userinfo HTTP/1.1
    Host: moa-id.gv.at
    Authorization: Bearer SlAV32hkKG
» UserInfo response
    HTTP/1.1 200 OK
    Content-Type: application/json;charset=utf-8
    Cache-Control: no-store
    Pragma: no-cache

    {
      "sub": "12345==",
      "given_name": "max",
      "family_name": "mustermann",
      "birthdate": "...",
      "gender": "m"
    }
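The UserInfo exchange of slide 70 handled on the client side: the request carries the access token as a bearer token, and the response is only used after the status, the media type and, above all, the "sub" claim have been checked against the subject of the ID token the client already holds. This is an added example written for these notes, not code from the lecture or from an OpenID Connect library; the raw HTTP response is constructed after the slide (host and bearer token are the slide's values, the birthdate is filled in), and the sub comparison is the check required by OpenID Connect Core 1.0, section 5.3.2.

```python
"""Validate an OpenID Connect UserInfo response on the client side.

Added example, not code from the lecture or from any OpenID Connect library.
The exchange is constructed after slide 70. The returned "sub" must equal the
"sub" of the ID token the client already verified (OpenID Connect Core 1.0,
5.3.2); on a mismatch the UserInfo claims must not be used.
"""
import json


def build_userinfo_request(host, access_token):
    """UserInfo request: the access token travels as an OAuth 2.0 bearer token."""
    return (f"GET /userinfo HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"Authorization: Bearer {access_token}\r\n\r\n")


# Constructed sample response (shape of slide 70; birthdate filled in for the example).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json;charset=utf-8\r\n"
    "Cache-Control: no-store\r\n"
    "Pragma: no-cache\r\n"
    "\r\n"
    '{"sub":"12345==","given_name":"max","family_name":"mustermann",'
    '"birthdate":"1970-01-01","gender":"m"}'
)


def parse_http_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    _version, status, _reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers, body


def validate_userinfo(raw, expected_sub):
    """Return (claims, problems); the claims are only trustworthy when problems is empty."""
    status, headers, body = parse_http_response(raw)
    problems = []
    if status != 200:
        problems.append(f"unexpected status {status}")
    media_type = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if media_type != "application/json":
        problems.append(f"unexpected content type {media_type!r}")
    try:
        claims = json.loads(body)
    except json.JSONDecodeError:
        return {}, problems + ["body is not valid JSON"]
    if not isinstance(claims, dict):
        return {}, problems + ["body is not a JSON object"]
    # The subject must be the one the ID token was issued for.
    if claims.get("sub") != expected_sub:
        problems.append("sub does not match the ID token subject")
    return claims, problems


if __name__ == "__main__":
    print(build_userinfo_request("moa-id.gv.at", "SlAV32hkKG"))
    print(validate_userinfo(SAMPLE_RESPONSE, "12345=="))
```

Keying the check on the ID token's subject means a UserInfo endpoint (or anything in between) cannot silently hand the client claims about a different user.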
Slide 71: Central Authentication Service (CAS)
» Central open-source SSO solution
» CAS server written in Java
» Multiple client libraries (Java, PHP, etc.)
» History
  » Initiated by Yale University in 2001
  » Since 2005 a project of Jasig (Java Architectures Special Interest Group)
» Mostly URL parameters; since version 3.0 parts in XML
» Version 1.0: 2001
» Version 2.0: 2002
  » Added proxy authentication
» Version 3.0: 2014
  » New architecture based on plug-ins
  » Further protocols: CAS 1, 2, 3; SAML 1.1; OpenID; OAuth 1.0, 2.0
  » Added XML messages

Slide 72: CAS Process Flow (figure with User, Web Service (Service Provider) and Central Authentication Server)
1. Request access
2. Start authentication
3. Authenticate
4. Create ticket
5. Send redirect with ticket / Redirect with ticket
6. Send ticket
7. Validate ticket
8. Return user data
9. Grant access

Slide 73: CAS Messages
» Authentication request (/login): ...
» Redirect with ticket, then ticket validation (/validate): ticket=ST-aa5yuvrxzpv8tau1cyq7
» Authentication response
  » CAS 1.0 (plain text):
        yes
        username
  » CAS 3.0 (XML):
        <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
          <cas:authenticationSuccess>
            <cas:user>username</cas:user>
            <cas:proxyGrantingTicket>PGTIOU-a9d...</cas:proxyGrantingTicket>
          </cas:authenticationSuccess>
        </cas:serviceResponse>
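A parser for both validation response formats of slide 73, plus the failure case the slide does not show, so that a service only grants access when the CAS server actually said "yes" for a named user. This is an added example written for these notes, not code from the CAS project; the sample responses are constructed after the slide, the namespace is the CAS protocol's, and the "ST-" prefix test follows the CAS protocol's naming rule for service tickets.

```python
"""Parse CAS ticket-validation responses (CAS 1.0 plain text and CAS 3.0 XML).

Added example, not code from the CAS project or the lecture. Sample responses
are constructed after slide 73; http://www.yale.edu/tp/cas is the namespace
of the CAS protocol, and service tickets are required to begin with "ST-".
"""
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"

# Constructed samples.
SAMPLE_CAS1_OK = "yes\nusername\n"
SAMPLE_CAS1_FAIL = "no\n\n"
SAMPLE_CAS3_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>username</cas:user>
    <cas:attributes>
      <cas:givenName>Max</cas:givenName>
    </cas:attributes>
    <cas:proxyGrantingTicket>PGTIOU-a9d-constructed</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_CAS3_FAIL = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-constructed not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def is_service_ticket(ticket):
    """Service tickets begin with 'ST-'; anything else is not sent to /validate."""
    return isinstance(ticket, str) and ticket.startswith("ST-") and len(ticket) > 3


def parse_cas1(body):
    """CAS 1.0: first line 'yes' or 'no', second line the user name (empty on 'no')."""
    lines = body.splitlines()
    if len(lines) >= 2 and lines[0] == "yes" and lines[1]:
        return {"ok": True, "user": lines[1]}
    return {"ok": False, "user": None}


def parse_cas3(body):
    """CAS 3.0: serviceResponse with either authenticationSuccess or authenticationFailure."""
    root = ET.fromstring(body)
    if root.tag != CAS_NS + "serviceResponse":
        raise ValueError("not a CAS serviceResponse")
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is not None:
        user = success.findtext(CAS_NS + "user")
        if not user:
            raise ValueError("authenticationSuccess without cas:user")
        attrs_el = success.find(CAS_NS + "attributes")
        attributes = {} if attrs_el is None else {c.tag.replace(CAS_NS, ""): c.text for c in attrs_el}
        return {"ok": True, "user": user, "attributes": attributes,
                "pgt_iou": success.findtext(CAS_NS + "proxyGrantingTicket")}
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        return {"ok": False, "code": failure.get("code"), "message": (failure.text or "").strip()}
    raise ValueError("serviceResponse without success or failure element")


if __name__ == "__main__":
    print(parse_cas1(SAMPLE_CAS1_OK), parse_cas1(SAMPLE_CAS1_FAIL))
    print(parse_cas3(SAMPLE_CAS3_OK))
    print(parse_cas3(SAMPLE_CAS3_FAIL))
```

The parser raises on a structurally odd response instead of returning a half-filled result, so a service cannot mistake a malformed answer for a successful validation.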
Slide 74: Identity Provider
» Google, Facebook, Twitter
» SSO using these accounts
» Different identity providers and identity protocols
  » SAML, OpenID, OpenID Connect

Slides 75 to 77: Summary (figures; Ref: Sakimura)
Slide 78: Overview (agenda of slide 4 repeated; next section: Identity management in Austria, MOA-ID and PVP)
Slide 79: Identity
§ 2 Z (1), (7), (2) Austrian E-Government Law:
"Identity": designation of a specific person (data subject, No 7) by means of data which are particularly suitable to distinguish persons from each other, such as, in particular, name, date of birth and place of birth, but also, for example, company name or (alpha)numerical designations;
"Data subject": any natural or legal person or other association or institution having its own identity for the purposes of legal or economic relations;
"Unique identity": designation of a specific person (data subject, No 7) by means of one or more features enabling that data subject to be unmistakably distinguished from all other data subjects;

Slide 80: Identification and Authentication
§ 2 (4), (5), (6) Austrian E-Government Law:
"Identification": the process necessary to validate or recognise identity;
"Authenticity": the genuine nature of a declaration of intent or act in the sense that the purported author of that statement or act is in fact the actual author;
"Authentication": the process necessary to validate or recognise authenticity;

Slide 81: The Austrian eID Infrastructure (figure)
» User Domain: Citizen, Citizen Card Software (CCS)
» Service Provider Domain: MOA-ID, Online Application (OA)
» SourcePIN Register Authority Domain: Central Register of Residents (CRR), Supplementary Register for Natural Persons (SR), SourcePIN Register (SPR), SourcePIN Register Gateway (SPR-GW), Bilateral Mandate Register (BMR, natural persons), Mandate Issuing Service (MIS)
» Business Registers (legal persons), operated in different organizational domains: Company Register (CR), Central Register of Associations, Supplementary Register for Other Concerned Parties
» Foreign Country: Foreign Citizen, STORK Infrastructure (PEPS), Foreign Identity Provider (F-IdP)

Slide 82: Unique Identity (Ref: Rössler)
Every person living in Austria is registered in the Central Population Register (CPR) and a unique number (CPR number) is assigned to him/her. Foreigners and Austrian expatriates are registered in the Supplementary Register for Natural Persons (SRnP).

Slide 83: Identity Link (Electronic Identity)
» XML data structure on the Citizen Card containing:
  » Personal data (attributes): name, date of birth
  » Source PIN (identifier): the encrypted CPR number
  » Public keys of the certificates (credentials)
» Signed by the SRA
» Based on SAML
Excerpt (Ref: Leitold):
    ...
    <saml:SubjectConfirmationData>
      <pr:Person xsi:type="pr:PhysicalPersonType">
        <pr:Identification>
          <pr:Value>...</pr:Value>
          <pr:Type>...</pr:Type>
        </pr:Identification>
        <pr:Name>
          <pr:GivenName>Max</pr:GivenName>
          <pr:FamilyName>Mustermann</pr:FamilyName>
        </pr:Name>
    ...
    <saml:Attribute AttributeName="CitizenPublicKey" ...>
      <dsig:RSAKeyValue>
        <dsig:Modulus>snw8olcq49qnefems...

Slide 84: Sector-specific PIN (ssPIN) (figure: the CPR number of a unique identity is derived into a separate ssPIN per sector, e.g. sector SA (Steuern und Abgaben, taxes and duties) and sector GH (Gesundheit, health); the figure's sample values are 4csabB2, No7b99t and 5cwu4N)

Slide 85: Example ssPIN(SA)
source PIN: MDEyMzQ1Njc4OWFiY2RlZg==
Sector: SA (Steuern und Abgaben)
Hash input data: MDEyMzQ1Njc4OWFiY2RlZg==+urn:publicid:gv.at:cdid+SA
ssPIN (hex): 4f 2d 1c f2 c4 4c a4 b3 9c 1a 66 85 5b 2d e2 24 f7 bb c5 97
ssPIN (base64): Ty0c8sRMpLOcGmaFWy3iJPe7xZc=
ssPIN for the private sector:
Firmenbuchnummer (company register number): 4924i
Hash input data: MDEyMzQ1Njc4OWFiY2RlZg==+urn:publicid:gv.at:wbpk+FN+4924i
ssPIN (hex): 6a 56 fd d0 ba b 1a 5d 93 a4 3c 6a 20 fd (incomplete in the transcription)
ssPIN (base64): alb9belquhgjwxpdk6q8aid9aia= (incomplete in the transcription)
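The derivation of slide 85 as code, covering both the public-sector (cdid) and the private-sector (wbpk) variant shown there. This is an added example written for these notes, not code from the lecture or from MOA-ID: the hash input is built exactly as the slide shows it, SHA-1 is assumed as the digest because the slide's ssPIN is a 20-byte value, and the slide's own result for sector SA can be used to confirm the implementation. The sourcePIN is the slide's example value, not a real one.

```python
"""Derive an Austrian sector-specific PIN (ssPIN) from a sourcePIN.

Added example, not code from the lecture or from MOA-ID. It follows the
construction on slide 85: hash input = base64 sourcePIN + "+" + sector URN
prefix + sector code; the ssPIN is the base64-encoded digest of that string.
SHA-1 is assumed (20-byte output, as on the slide). The sourcePIN below is the
slide's example value.
"""
import base64
import hashlib

PUBLI_SECTOR_PREFIX_TYPO_GUARD = None  # placeholder removed below
PUBLIC_SECTOR_PREFIX = "urn:publicid:gv.at:cdid+"   # public-sector codes, e.g. SA, GH
PRIVATE_SECTOR_PREFIX = "urn:publicid:gv.at:wbpk+"  # private sector, keyed by a register number

SAMPLE_SOURCE_PIN = "MDEyMzQ1Njc4OWFiY2RlZg=="  # example value from slide 85


def hash_input(source_pin_b64, sector, private=False):
    """The string that is hashed, exactly as shown on slide 85."""
    prefix = PRIVATE_SECTOR_PREFIX if private else PUBLIC_SECTOR_PREFIX
    return f"{source_pin_b64}+{prefix}{sector}"


def sspin_bytes(source_pin_b64, sector, private=False):
    """Raw 20-byte digest of the hash input (SHA-1 assumed)."""
    return hashlib.sha1(hash_input(source_pin_b64, sector, private).encode("utf-8")).digest()


def sspin(source_pin_b64, sector, private=False):
    """ssPIN in the base64 form handed to an online application."""
    return base64.b64encode(sspin_bytes(source_pin_b64, sector, private)).decode("ascii")


def sspin_hex(source_pin_b64, sector, private=False):
    """ssPIN in the hex form listed on the slide."""
    return sspin_bytes(source_pin_b64, sector, private).hex()


def sectors_unlinkable(source_pin_b64, sector_a, sector_b):
    """Two sectors get different ssPINs; only the sourcePIN links them, and it never leaves the card."""
    return sspin(source_pin_b64, sector_a) != sspin(source_pin_b64, sector_b)


if __name__ == "__main__":
    print(hash_input(SAMPLE_SOURCE_PIN, "SA"))
    print(sspin_hex(SAMPLE_SOURCE_PIN, "SA"), sspin(SAMPLE_SOURCE_PIN, "SA"))
    print(hash_input(SAMPLE_SOURCE_PIN, "FN+4924i", private=True))
    print(sspin(SAMPLE_SOURCE_PIN, "FN+4924i", private=True))
```

Because the sector code is part of the hash input, a register that stores the SA ssPIN cannot compute the GH ssPIN of the same person, which is the property the sector separation is built on.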
Slide 86: MOA-ID (Identification and Authentication) (figure: Citizen Card with Identity Link and Certificate; Security Layer; MOA-ID as Identity Provider; Online Application as Service Provider; the sourcePIN stays on the citizen side, the application receives the ssPIN)
The citizen is uniquely identified (identity link) and authenticated by verification of the electronic signature.

Slide 87: MOA-ID
» Highly secure authentication
  » Based on the citizen card (smart card or mobile phone signature)
» No prior contact or registration needed
» Unique identification is based on the identity link
» Simple integration into online applications
  » Authentication data are transferred to the online application via SAML Assertion (identity protocol)

Slide 88: Previous Deployment (figure: identity protocol, user-centric approach)

Slide 89: New Deployment Possibilities (figure: user-centric approach)
90 Process Flow MOA-ID 1 Portal Web browser 2 MOA-ID Signature verification Verify Identity Link Security Layer 2 Citizen Card Software Online application Graz,
91 Screenshot Online Mandates Foreign Persons Graz,
92 Process Flow MOA-ID 1. User wants to access an online application via the portal 1 Portal Web browser 2 MOA-ID Signature verification Verify Identity Link Security Layer 2 Citizen Card Software Online application Graz,
93 Process Flow MOA-ID 2. Calling MOA-ID via URL &OA= 1 Sector = SA Portal Web browser 2 MOA-ID Signature verification Verify Identity Link Security Layer 2 Citizen Card Software Online application Graz,
94 2. MOA-ID answers with a Security Layer-request to read the identity link from the citizen card via the citizen card software Process Flow MOA-ID 1 Portal Web browser 2 MOA-ID Signature verification Verify Identity Link Security Layer 2 Citizen Card Software Online application Graz,
95 2. MOA-ID answers with a Security Layer-request to read the identity link from the citizen card via the citizen card software <?xml version="1.0" encoding="utf-8"?> <sl:infoboxreadrequest xmlns:sl=" espaces/securitylayer/1.2#"> <sl:infoboxidentifier>identitylink</sl:infob oxidentifier> <sl:binaryfileparameters ContentIsXMLEntity="true"/> </sl:infoboxreadrequest> Web browser DataURL: auth/verifyidentitylink?moasessionid= Security Layer Citizen Card Software Process Flow MOA-ID Portal MOA-ID Signature verification Verify Identity Link 4 5 Online application Graz,
96-97 Process Flow MOA-ID (components in the figure: Portal, Web browser, MOA-ID with signature verification and identity link verification, Security Layer, Citizen Card Software, Online application)
2. User enters card PIN or phone number and password
98 Process Flow MOA-ID
2. Identity link is read from the card and sent to MOA-ID (via DataURL) for verification
99 Process Flow MOA-ID
2. IDL is read from the card and sent to MOA-ID (via DataURL) for verification. Identity link as transmitted (excerpt; truncated values shown as "..."):

    <saml:Assertion AssertionID="bka.gv.at...T..." IssueInstant="...T18:00:00.000" Issuer="..."
        MajorVersion="1" MinorVersion="0" xmlns=""
        xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
        xmlns:pr="http://reference.e-government.gv.at/namespace/persondata/20020228#"
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <saml:AttributeStatement>
        <saml:Subject>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
            <saml:SubjectConfirmationData>
              <pr:Person xsi:type="pr:PhysicalPersonType">
                <pr:Identification>
                  <pr:Value>3utidda4kaodrjoemqu9pa==</pr:Value>
                  <pr:Type>urn:publicid:gv.at:baseid</pr:Type>
                </pr:Identification>
                <pr:Name>
                  <pr:GivenName>Max Moritz</pr:GivenName>
                  <pr:FamilyName primary="undefined">Mustermann-Fall</pr:FamilyName>
                </pr:Name>
                <pr:DateOfBirth>...</pr:DateOfBirth>
              </pr:Person>
            </saml:SubjectConfirmationData>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Attribute AttributeName="CitizenPublicKey" AttributeNamespace="urn:publicid:gv.at:namespaces:identitylink:1.2">
          <saml:AttributeValue>
            <dsig:RSAKeyValue xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
              ...

100 Process Flow MOA-ID
2. MOA-ID verifies the identity link and sends a Security Layer request for signature creation to the citizen card software
101 Process Flow MOA-ID
2. User enters signature PIN or TAN
102 Process Flow MOA-ID
2. MOA-ID verifies the signature and creates a SAML assertion/artifact
103 Process Flow MOA-ID
3. Redirect via citizen card software to the online application (incl. SAML artifact, e.g. "AAH5hs...")
104 Process Flow MOA-ID
4. Web service request to MOA-ID (with SAML artifact)
105 Process Flow MOA-ID
4. Web service request to MOA-ID (with SAML artifact); the request sent by the online application:

    <samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
        IssueInstant="...T13:38:32+01:00" MajorVersion="1" MinorVersion="0" RequestID="...">
      <samlp:AssertionArtifact>AAH5hs8aaZSFYHya0/cmtJ3QAR7rf54uhIsEcDMZFmmZ1/Qldrdf4JSK</samlp:AssertionArtifact>
    </samlp:Request>

106 Process Flow MOA-ID
5. Web service response to online application (with SAML assertion)
107 Process Flow MOA-ID
6. Access to resources granted
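The artifact steps above (3 to 5) are what keeps the assertion off the browser: the user agent only carries an opaque handle, and the online application redeems it once over the back channel. The following Python simulation is an added illustration, not MOA-ID's own code; the issuer name "moa-id.example.gv.at", the application URLs, the 60-second lifetime and the sample assertion are constructed assumptions.

```python
import base64
import hashlib
import secrets

# Constructed sample; a real one is the signed assertion MOA-ID builds after
# verifying the identity link and the citizen's signature (steps 2 to 102).
SAMPLE_ASSERTION = '<saml:Assertion MajorVersion="1" MinorVersion="0">...</saml:Assertion>'


class ArtifactStore:
    """MOA-ID side of the artifact binding: the assertion stays at MOA-ID,
    the browser carries only an opaque artifact, and the online application
    redeems it exactly once via the web service request (step 4)."""

    def __init__(self, source_name, ttl_seconds=60):
        # SAML 1.x type 0x0001 artifacts embed SHA-1 of the issuer's source id,
        # which is why every artifact on the slides starts with "AA".
        self.source_id = hashlib.sha1(source_name.encode()).digest()
        self.ttl = ttl_seconds
        self._pending = {}  # artifact -> (assertion, online application id, issue time)

    def issue(self, assertion_xml, oa_id, now):
        raw = b"\x00\x01" + self.source_id + secrets.token_bytes(20)
        artifact = base64.b64encode(raw).decode()
        self._pending[artifact] = (assertion_xml, oa_id, now)
        return artifact

    def resolve(self, artifact, requesting_oa, now):
        """Answer the artifact request (steps 4/5): returns (assertion or None, reason)."""
        entry = self._pending.pop(artifact, None)  # single use: remove before checking
        if entry is None:
            return None, "unknown or already redeemed artifact"
        assertion_xml, oa_id, issued_at = entry
        if now - issued_at > self.ttl:
            return None, "artifact expired"
        if oa_id != requesting_oa:
            return None, "artifact was issued for a different online application"
        return assertion_xml, "ok"


def run_flow(now=1000):
    """One successful redemption plus the replay, expiry and wrong-application cases."""
    moa = ArtifactStore("moa-id.example.gv.at", ttl_seconds=60)  # constructed issuer name
    oa = "https://oa.example.gv.at"
    art = moa.issue(SAMPLE_ASSERTION, oa, now)
    first, _ = moa.resolve(art, oa, now + 1)
    second, _ = moa.resolve(art, oa, now + 2)          # replay of the same artifact
    stale, _ = moa.resolve(moa.issue(SAMPLE_ASSERTION, oa, now), oa, now + 120)
    wrong, _ = moa.resolve(moa.issue(SAMPLE_ASSERTION, oa, now), "https://other.example.gv.at", now + 1)
    return {
        "artifact_prefix": art[:2],
        "artifact_length": len(art),
        "first": first == SAMPLE_ASSERTION,
        "replay_rejected": second is None,
        "expired_rejected": stale is None,
        "wrong_oa_rejected": wrong is None,
    }
```

The three rejections are the properties the online application relies on: an artifact intercepted in the redirect (step 3) is worthless once redeemed, cannot be held for later, and cannot be redeemed by a different application.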
108 Process Flow MOA-ID (new)
1. Requesting access to application
2. SAML AuthnRequest (online application to MOA-ID)
3. Citizen card authentication via citizen card software
4. SAML Response (MOA-ID to online application)
5. Provide resource
109 SAML AuthnRequest: carries the requested authentication level
110 SAML Response (1/2): sector and sector-specific PIN (ssPIN)
111 SAML Response (2/2): authentication level and additional attributes
112 Authentication Level
» Assurance level of the transmitted identity data
» Quantitative representation of identity enrolment, credential, authentication process, etc.
» Grounded by risk assessment of applications
» Different, but related approaches
  » NIST SP: Levels of Assurance
  » ISO/IEC 29115: Levels of Assurance
  » STORK: Quality Authentication Assurance Level
  » In Austria: SecClass (Sicherheitsklassen)
» All have 4 levels
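What the online application has to do with slides 109 to 112 is check the SAML Response against what it asked for: the assertion must be for this application and still valid, the ssPIN must belong to the application's sector, and the returned authentication level must be at least the level requested in the AuthnRequest. The Python below is an added example (not MOA-ID code); the attribute names "urn:example:moa:sspin" and "urn:example:moa:authlevel", the sector code "SA", the URLs and the whole sample response are constructed placeholders, and XML-signature verification is assumed to have been done by the SAML library before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholder attribute names; the real names come from the MOA-ID configuration.
ATTR_SSPIN = "urn:example:moa:sspin"
ATTR_LEVEL = "urn:example:moa:authlevel"

# Constructed sample response: sector "SA", ssPIN value and URLs are made up.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp1" Version="2.0" IssueInstant="2015-11-30T10:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-11-30T10:00:00Z">
    <saml:Issuer>https://moa-id.example.gv.at</saml:Issuer>
    <saml:Conditions NotBefore="2015-11-30T09:59:00Z" NotOnOrAfter="2015-11-30T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://oa.example.gv.at</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:example:moa:sspin">
        <saml:AttributeValue>SA:Qm9ndXNTc1BJTg==</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:example:moa:authlevel">
        <saml:AttributeValue>3</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def _iso(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _attribute(assertion, name):
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            value = attr.find("saml:AttributeValue", NS)
            return value.text if value is not None else None
    return None


def check_response(xml_text, audience, sector, required_level, now):
    """Online-application checks on a signature-verified response. Returns (accepted, reason)."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        return False, "status is not Success"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "response carries no assertion"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_iso(cond.get("NotBefore")) <= now < _iso(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        return False, "assertion was issued for another application"
    sspin = _attribute(assertion, ATTR_SSPIN)
    if sspin is None or not sspin.startswith(sector + ":"):
        return False, "ssPIN missing or derived for another sector"
    level = _attribute(assertion, ATTR_LEVEL)
    if level is None or not level.isdigit() or int(level) < required_level:
        return False, "authentication level below the level requested in the AuthnRequest"
    return True, "ok"


def demo():
    """Accepted case followed by level, sector, time and audience failures."""
    oa = "https://oa.example.gv.at"
    at = datetime(2015, 11, 30, 10, 1, tzinfo=timezone.utc)
    late = datetime(2015, 11, 30, 10, 6, tzinfo=timezone.utc)
    return (
        check_response(SAMPLE_RESPONSE, oa, "SA", 3, at)[0],
        check_response(SAMPLE_RESPONSE, oa, "SA", 4, at)[0],
        check_response(SAMPLE_RESPONSE, oa, "SB", 3, at)[0],
        check_response(SAMPLE_RESPONSE, oa, "SA", 3, late)[0],
        check_response(SAMPLE_RESPONSE, "https://other.example.gv.at", "SA", 3, at)[0],
    )
```

The level comparison is where the assurance frameworks on slide 112 matter in practice: the application's risk assessment fixes the required level, and a response below it is refused even though the identity data in it is valid.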
113 SecClass
» Identity component: indicator for the quality of the identification and authentication
  » Registration quality (R)
    » Quality of the identification process (ID)
    » Quality of the identity credential issuing (IC)
    » Quality of the identity credential issuing entity (IE)
  » Authentication quality (A)
    » Type and robustness of the identity credential (RC)
    » Quality of the authentication mechanism (AM)
114 SecClass Example: minimal requirements to the components
» Quality of the identification process (ID): The person has to be physically present in the registration process at least once, AND states multiple attributes (e.g. name and date of birth) that allow unique identification, AND the identity is validated using a legal identity document including at least a photograph or a signature (passport, driving licence, ...). The data may be validated using trustworthy instruments.
» Quality of the identity credential issuing (IC): The person receives the identity credential after the identification process personally from the identifying instance, OR the identity credentials are forwarded by mail and are activated after the identification process.
» Quality of the identity credential issuing entity (IE): The CSP is a public entity (public authority or agency), OR the CSP has qualifications according to Annex II of the EU Directive 1999/93/EC respectively § 7 SigG.
» Type and robustness of the identity credentials (RC): Identity credentials based on a qualified hardware certificate according to Annex I of the EU Directive 1999/93/EC (Citizen Card).
» Quality of the authentication mechanism (AM): Secure authentication mechanisms, based on state-of-the-art technology, providing protection against most common threats.
115 Portal Group (Portalverbund - PVP)
» Internal government authentication and authorization system for civil servants
» Federation of administration portals for joint usage of existing infrastructure
» Decentralized user management
  » User data is only managed within the source organization (Stammportal)
  » Users may access multiple applications with only one account
» Legal: portal group agreement
  » Rights and duties for participation defined
» Technical: portal group protocol
  » Reverse proxy (HTTP header) or SAML
116 Authorization in the Portal Group (PG)
Diagram elements (Ref: PV-Whitepaper): the portal provider of the source portal at PG participant abc.gv.at, where the user and the user representative are managed; the portal provider of the application portal at PG participant xyz.gv.at, where the application-responsible runs application X; rights management at the Policy Decision Point (PDP) and rights validation at the Policy Enforcement Point (PEP).
117 PG Set-Up
» Portal providers created a group where the portals can authenticate against each other. Therefore, they bilaterally agreed to the portal group agreement (Portalverbundvereinbarung).
» The application-responsible of application X (a data application according to § 7(4) DSG 2000) delegates authentication and authorization to the portal provider of the domain xyz.gv.at.
» The application-responsible has an application agreement with the organization abc.gv.at for application X. The application-responsible instructs the portal provider of the portal xyz.gv.at to assign the rights defined within the usage agreement to the portal abc.gv.at.
» The portal provider of abc.gv.at defines which users of the organization abc.gv.at are allowed to access the application.
Ref: PV-Whitepaper
118 PG Process Flow
» The user (civil servant) authenticates at the source portal (Stammportal), and the source portal authenticates at the application portal.
» The source portal defines which application rights are assigned to the user.
» The application portal checks whether the defined rights allow the civil servant of the requesting organization to access the application.
» If access is allowed, the civil servant is forwarded to the target application. The target application enforces the rights.
Ref: Pichler
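The set-up on slide 117 and the flow on slide 118 fit the PDP/PEP split of slide 116: the application-responsible's grants to a participating portal are the decision data, and the application portal enforces them against what the source portal asserts about the user. The Python below is an added illustration of the reverse-proxy (HTTP header) variant, not PVP's own protocol or code; the header names "X-PVP-USERID", "X-PVP-PARTICIPANT" and "X-PVP-ROLES", the rights vocabulary and the portal host names are assumptions.

```python
# Assumed header names; the portal group protocol defines its own.
HDR_USER = "X-PVP-USERID"
HDR_PARTICIPANT = "X-PVP-PARTICIPANT"
HDR_ROLES = "X-PVP-ROLES"


class PolicyDecisionPoint:
    """Rights management: which rights the application-responsible granted
    to each participating portal (organization) for an application."""

    def __init__(self):
        self._grants = {}  # (application, participant) -> set of rights

    def assign(self, application, participant, rights):
        self._grants.setdefault((application, participant), set()).update(rights)

    def allowed_rights(self, application, participant):
        return set(self._grants.get((application, participant), ()))


class PolicyEnforcementPoint:
    """Rights validation at the application portal (slide 118, step 3)."""

    def __init__(self, pdp, trusted_portals):
        self.pdp = pdp
        # Source portal identity as authenticated at the application portal
        # (slide 118, step 1) -> the organization whose users it may vouch for.
        self.trusted_portals = trusted_portals

    def authorize(self, application, authenticated_portal, headers):
        """Returns (allowed, effective rights, reason)."""
        org = self.trusted_portals.get(authenticated_portal)
        if org is None:
            # Headers from anything but an authenticated source portal carry no weight.
            return False, set(), "request did not come from an authenticated source portal"
        if headers.get(HDR_PARTICIPANT) != org:
            return False, set(), "portal asserted a user of an organization it does not manage"
        if not headers.get(HDR_USER):
            return False, set(), "no user id asserted"
        asserted = {r for r in headers.get(HDR_ROLES, "").split(",") if r}
        effective = asserted & self.pdp.allowed_rights(application, org)
        if not effective:
            return False, set(), "none of the asserted rights is granted to this organization"
        # The target application receives only the validated rights and enforces them.
        return True, effective, "ok"


def demo():
    """Set-up from slide 117 with one valid login, one untrusted sender and one spoofed participant."""
    pdp = PolicyDecisionPoint()
    pdp.assign("X", "abc.gv.at", {"X-read"})  # usage agreement: abc.gv.at may read in X
    pep = PolicyEnforcementPoint(pdp, {"portal.abc.gv.at": "abc.gv.at"})  # constructed host name
    headers = {HDR_USER: "jane.doe", HDR_PARTICIPANT: "abc.gv.at", HDR_ROLES: "X-read,X-write"}
    ok, rights, _ = pep.authorize("X", "portal.abc.gv.at", headers)
    untrusted, _, _ = pep.authorize("X", "203.0.113.7", headers)
    spoofed = dict(headers, **{HDR_PARTICIPANT: "xyz.gv.at"})
    mismatch, _, _ = pep.authorize("X", "portal.abc.gv.at", spoofed)
    return ok, sorted(rights), untrusted, mismatch
```

Note that the source portal asserted "X-write" as well, but the application only ever sees "X-read": the PEP forwards the intersection of what the source portal assigned to the user and what the application-responsible granted to that organization.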
119 Conclusion
» Identity management is essential, especially within the area of E-Government
  » Unique identification
  » Legal basis: E-Government law
» Austria provides
  » a user-centered approach for C2G
    » Identity data stored on the Citizen Card
    » Identification and authentication
  » a federated approach for G2G
    » Identity protocol: SAML 2.0
120 References
» E-Government Law
» Fidis
» PRIME
» GINI-SA
» L. J. Camp: Digital Identity. In: Technology and Society Magazine, 2004
» R. Clarke: Human Identification in Information Systems: Management Challenges and Public Policy Issues. Information Technology & People, 1994, Vol. 7, pp. 6-37
» E. Bertino, K. Takahashi: Identity Management: Concepts, Technologies, and Systems, 2011
» A. Tsolkas, K. Schmidt: Rollen und Berechtigungskonzepte, 2010
» J. Palfrey, U. Gasser: Digital Identity Interoperability and eInnovation, 2007
» J. D. Clercq: Single Sign-On Architectures. InfraSec 2002
» SAML
» OpenID
» OAuth
» OpenID Connect
» N. Sakimura: Dummy's Guide for the Difference between OAuth Authentication and OpenID, 2011
» MOA-ID
» PVP
121 Control Questions
» Explain the terms identification, authentication and authorization.
» What is multi-factor authentication? Give an example.
» Explain the identity lifecycle.
» Which types of identities do you know? Describe the differences.
» Enumerate identity management threats.
» Which stakeholders are involved in an identity management system?
» Describe different IdM architectures.
» Which identity protocols do you know? Describe one of them in detail.
» Which concepts of IdM are used within Austria?
» What are levels of assurance and what are they used for?
» Describe the identification and authentication process within MOA-ID.
» What is the portal group? Describe the concept.
122 Thank you for your attention!