AK IT-Sicherheit 1: Identity Management
Graz, 29.10.2014
The E-Government Innovationszentrum is a joint institution of the Federal Chancellery (Bundeskanzleramt) and TU Graz.

Motivation (cartoon, ref: Peter Steiner, The New Yorker)

Unintended Data Twins (illustration)
Overview
» General
  » Terms, definitions
  » Identification, authentication, authorization
  » Identity management
» Identity models
  » Different architectures
» Identity protocols
  » SAML, OpenID, OpenID Connect, CAS
» Identity management in Austria
  » Citizen-to-Government (MOA-ID)
  » Government-to-Government (PVP)
Identity
"who a person is, or the qualities of a person or group that make them different from others" (Cambridge Online Dictionaries)
"the fact of being who or what a person or thing is; the characteristics determining who or what a person or thing is" (Oxford Dictionaries)
» Appears wherever proof of being a particular person, or of having specific attributes or properties, is required
» Identity describes a person's unique and distinctive characteristics, distinguishing one person from another
  » Name, gender, colour of hair and eyes, ...
» In real life the identity holder is often referred to as the principal; in a digital context as the subject

Digital Identity
"Digital identity can be defined as the digital representation of the information known about a specific individual or organization." [Bertino and Takahashi]
"A Digital Identity is the representation of a human identity that is used in a distributed network interaction with other machines or people." [DigitalID World magazine]
"In an identity management system identity is that set of permanent or long-lived temporal attributes associated with an entity." [Camp]
» The same identity properties and attributes, but digitally available
  » E.g. name, date of birth, ...
  » Also: username, e-mail, ...
» Applicable also to non-natural persons
  » E.g. computer system, company, ...
Digital Identity Triangle (figure, ref: GINI-SA): the person activates a digital identity; the digital identity refers to an identifier (e.g. j.c@addr.dom); the identifier stands for the person.

Digital Identity (figure, ref: Bertino/Takahashi)
Digital Identity
» Identifier
  » Character string identifying a person
  » May be restricted in time or to an application sector
  » E.g. username, e-mail, URI, ssPIN, sourcePIN, ...
» Credentials
  » Credentials for parts of, or for the complete, identity
  » Used for proving the identifier and/or attributes
  » E.g. password, certificate, ...
» Attributes
  » Describe a person's properties
  » E.g. name, date of birth, gender, ...

Electronic Identity (eID)
» Aims to guarantee the unique identity of a person (natural or legal person), ensuring trust between the parties involved in electronic transactions
» Particularly required in sensitive application areas (e.g. e-government)
» I-S-A functions: Identification, Signature, Authentication
» Features an eID needs to support: universality of coverage, uniqueness, permanence, exclusivity, precision
Identification, Authentication, Authorization (figure, ref: GINI-SA; elements: Person, Identifier, Digital Entity, Rights; relations: Identification, Authentication, Authorization)
Identification
"Identification is the association of a personal identifier with an individual presenting attributes." [Clarke]
» Formerly: people knew each other
» Traditional: ID card
  » Passport, identification card, driving licence, ...
» Online: electronic ID (eID), e.g. the Austrian Citizen Card

Identification
» An association between a personal attribute and an individual that represents different properties
  » E.g. the name Max Mustermann identifies the person Max Mustermann
» Unique identification is only possible if no other person's name is Max Mustermann (within a defined context)
» Otherwise additional attributes are required for unique identification (e.g. date of birth, address, ...)
Means of Identification (ref: Clarke)
Option                           | Description                                  | Example
Appearance                       | How the person looks                         | Colour of skin or eyes, gender, pictures on ID documents
Social behaviour                 | How the person interacts with others         | Voice, body language, mobile phone records, video surveillance data, credit card transactions, etc.
Names                            | What the person is called by other people    | Family name, name listed in national registry or on passports, nicknames
Codes                            | What the person is called by an organization | Social security number, matriculation number, ID card numbers
Knowledge                        | What the person knows                        | Password, PIN
Tokens                           | What the person has                          | Driving licence, passport, smart card, mobile phone
Bio-dynamics                     | What the person does                         | Pattern of handwritten signature
Natural physiography             | What the person is                           | Fingerprint, retina, DNA
Imposed physical characteristics | What the person is now                       | Height, weight, rings, necklaces, tattoos
Authentication
"Authentication is proof of an attribute." [Clarke]
"Authentication of identity is proving an association between an entity and an identifier." [Clarke]
"The process of verifying a subject's identity or other claim, e.g. one or more attributes." [GINI-SA]
» Process of proving a person's claimed identity or digital identity
» Traditional: proof of identity (name, appearance, ...), e.g. by passport
» Online: proof of identity (username), e.g. using a password

Authentication mechanisms
» Having something (ownership): authentication based on something an entity owns or has
  » E.g. passport, smart card, private key
» Knowing something (knowledge): authentication based on presented knowledge
  » E.g. password, PIN
» Being something (physical property): authentication based on a physical property
  » E.g. fingerprint
» Doing something (behaviour pattern): authentication based on something an entity does
  » E.g. voice recognition

Multi-Factor Authentication
» Combining different authentication mechanisms to increase security
» E.g. ownership and knowledge (2-factor)
  » Citizen card (smart card and PIN)
  » Mobile phone signature (mobile phone and password)
» Security increases with the number of independent mechanisms combined; two instances of the same mechanism (e.g. two passwords) do not count as two factors

Authorization
"Authorization is a decision to allow a particular action based on an identifier or attribute." [Clarke]
"Through authorization, rights are assigned to a digital identity." [GINI-SA]
» Usually carried out after an authentication process
» Assigns access rights to particular resources or entities
  » E.g. read/write rights on a file system
» Often based on roles or groups
  » E.g. doctor, student, etc.

Exceptions
» Identification without authentication
  » A doctor wants to access a patient's data
  » The doctor identifies herself, authenticates herself and gets adequate access rights
  » The patient is only identified
» Authentication without identification
  » Anonymous credentials (AC)
  » Prove that someone is older than 18 without revealing other identifying attributes

Summary
» Identity: Max Mustermann
» Identification: "I am Max Mustermann"
» Authentication: "My passport proves that I am Max Mustermann"
» Authorization: Max Mustermann is employed at company A and is allowed to access service B
Identity management (IdM)
"Identity and access management combines processes, technologies, and policies to manage digital identities and specify how they are used to access resources." [Microsoft]
» Managing identities
» Managing access rights for resources
» Management of the identity lifecycle
» Different dimensions, e.g. within a system (e.g. a company), a network or a country

Identity Lifecycle (figure): Creation, Usage, Maintenance and Deletion, with Governance applying to all four phases

Identity Lifecycle
» Creation
  » Create the data record of the digital identity
  » Contains different attributes
  » Attributes may be self-created or self-declared, or proved and verified
  » A credential is issued

Identity Lifecycle
» Usage
  » Used in different (personalized) services
  » Authentication and authorization
  » Transfer/distribution to other systems (e.g. other companies) or system parts (e.g. internal registers/databases)
  » Single sign-on (SSO)

Identity Lifecycle
» Maintenance
  » Attributes and their values may change (e.g. address)
  » Attributes may be added or deleted
  » Attributes may have limited validity (e.g. a certificate valid for 1 year)
  » Identifiers should not be changed

Identity Lifecycle
» Deletion
  » Validity period may expire (e.g. certificates)
  » Validity may be revoked (e.g. certificates)
  » Simple deletion
  » Revocation should be documented and other systems should be informed

Identity Lifecycle
» Governance
  » Policies/guidelines for creation, usage, maintenance and deletion of identities
  » Policies/guidelines for authentication (e.g. authentication level/strength)
  » Policies/guidelines for authorization (e.g. conditions for data access)
  » Legal framework
  » Audit: traceability of single activities
Identity Types (ref: FIDIS)
» Complete identity
  » Union of all attribute values of all identities of this person
» Partial identities
  » Different sets of attributes forming identities (e.g. at work, in social media, ...)

Identity Types
» Pseudonymous identities
  » Decoupling of the digital identity from the real person (by a trustworthy entity)
  » Only the trustworthy entity is able to link back to the real person
  » E.g. name changed by an editorial office
  » E.g. used for analysis of health data
» Anonymous identities
  » Decouple the digital identity from the real person
  » Unlinkability to the real person
  » Normally temporary and for single transactions
  » E.g. completing a questionnaire

Identity Types
» Local identity
  » Valid only within a closed environment
  » E.g. Windows PC
» Global identity
  » Valid within a wider context
  » E.g. passport
» Federated identity
  » Identity data shared and linked over multiple systems
  » Allows systems the shared usage of identity data
  » Single sign-on (SSO)
» Brokered identity
  » Identity translation
  » E.g. from a partial identity to a pseudonymous identity for privacy reasons

Identity Threats (ref: Tsolkas/Schmidt)
» Identity linking
  » Information regarding an identity is collected and a profile is derived
  » E.g. persistent identifiers, personal details in social networks, requesting more information than needed, selling personal data
» Identity theft
  » One person claims to be another person
  » E.g. social engineering, eavesdropping on communication, credit card fraud
» Identity manipulation
  » An identity's attributes are changed with intent
  » E.g. modification of access rights
» Identity disclosure
  » An identity's attributes are disclosed
  » E.g. intentional or unintentional disclosure of health data
Example of Identity Theft
"In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook." (Mat Honan)
"In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it's possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz."
http://www.wired.com/gadgetlab/2012/08/appleamazon-mat-honan-hacking/
Challenges for Digital Identity
» Security
  » To counter any identity threat or identity compromise
» Privacy
  » Minimal disclosure, anonymity, unlinkability
» Trust
  » Trust relationships between all involved entities/stakeholders are essential
» Data control
  » Users should be entitled to maximum control over their own personal data
» Usability
  » Easy to understand and usable authentication mechanism
» Interoperability
  » Facilitates the portability of identities
  » Acceptance of different authentication mechanisms

Overview (next section): Identity models » Different architectures

Stakeholders (figure, ref: Bertino/Takahashi)

Stakeholders
» Subject
  » Digital identity of a person
  » Provides identity data (attributes) to the identity provider
» Identity Provider (IdP)
  » Provides identity data of the subject to the service provider
  » Identification, authentication and authorization
» Relying Party (Service Provider, SP)
  » Provides services or resources to the subject
  » Relies on the identity data of the identity provider
» Control Party
  » Checks compliance with policies, guidelines or laws
  » Provides the possibility for audit, e.g. reproducing an authentication process
Isolated Model (figure, ref: Jøsang/Pope, 2005: the user identifies and authenticates at a combined service and identity provider, which holds the identity data and provides the service)
» SP and IdP merge
» Authentication directly at the SP
» IdM system only applicable for the specific SP
» Identity data stored and maintained at the individual SP

Central Model (figure, ref: Palfrey and Gasser, 2007: the user identifies and authenticates at the identity provider, which holds the identity data and transfers them to the service provider; the service provider provides the service)
» Identity provider (IdP) stores identity data
» IdP provides identity data to the service provider (SP)
» User has no control over the actual data transfer
» E.g. Central Authentication Service (CAS), Facebook

User-Centric Model (figure, ref: Palfrey and Gasser, 2007: the identity data sit in the user domain; the user identifies and authenticates at the identity provider, and identity data are transferred to the service provider)
» Identity data stored in the user domain
» Usually stored on a secure token (e.g. smart card)
» Explicit user consent
» E.g. Citizen Card, nPA

Federated Model (figure, ref: Palfrey and Gasser, 2007: identity providers in domain A and domain B each hold identity data and form a federation; the user identifies and authenticates at one of them, and identity data are transferred to the service provider)
» Identity data distributed across several identity providers
» Appropriate trust relationship between providers required
» IdPs share a common identifier
» E.g. Shibboleth, WS-Federation

Identity Federation (figure, ref: SAML 2.0 Technical Overview)
Single Sign-On (SSO)
"SSO is the ability for a user to authenticate once to a single authentication authority and then access other protected resources without reauthenticating." [Clercq]
» Log in once, use multiple services at the same time
(figure: normal login at multiple services vs. SSO login at multiple services)

Single Sign-On (SSO)
» Advantages
  » Only one authentication process
  » Prevents a large number of different passwords
  » Higher level of security, since one well-protected authentication replaces many weak passwords
  » More user comfort and time savings
» Disadvantages
  » Central point of failure or attack
  » "Key to the kingdom": compromising the SSO credential compromises every connected service

Single Sign-On (SSO)
» Pseudo-SSO system
  » Local middleware storing different credentials for service providers
  » The real authentication happens invisibly, using the stored credentials at each service provider
  » E.g. password manager
» True-SSO system
  » Identity provider as intermediary
  » One real authentication at the identity provider
  » Subsequent authentications at service providers based on assertions from the identity provider
  » E.g. identity protocols

Single Logout (SLO)
» The counterpart of SSO
» Global logout at all services a user is currently logged in to
» Important security feature
» Logging out at one application after SSO can otherwise leave authenticated sessions open at the other applications

Trust Management
"Trust is the characteristic whereby one entity is willing to rely upon a second entity to execute a set of actions and/or to make a set of assertions about a set of principals and/or digital identities. In the general sense, trust derives from some relationship (typically a business or organizational relationship) between the entities." [Goodner and Nadalin]
» Direct Trust
  » One party fully trusts the other party without any intermediaries or another trusted third party
» Indirect Trust
  » The affected parties rely on claims asserted by an intermediary or a common trusted third party
Overview (next section): Identity protocols » SAML, OpenID, OpenID Connect, CAS

Identity Protocols (figure): the identity protocol runs between the identity provider (IdP), the service provider (SP) and the user

Identity Protocols: Terminology
Component               | SAML              | OpenID          | OAuth                                    | OpenID Connect                           | CAS
Service Provider (SP)   | Service Provider  | Relying Party   | Client                                   | Client                                   | Web Service
Subject                 | Subject           | End User        | Resource Owner                           | Resource Owner                           | User
Identity Provider (IdP) | Identity Provider | OpenID Provider | Authorization Server and Resource Server | Authorization Server and Resource Server | Central Authentication Server
SAML
» Security Assertion Markup Language
» XML-based standard for the secure exchange of identity and authentication data between security domains
» Well-established standard for years
  » SAML 1.0: 2002
  » SAML 1.1: 2003
  » SAML 2.0: 2005
» Uses existing standards (e.g. XML-DSig, XML-Enc, SOAP, ...)
» Used within other standards (e.g. WS-Security)

Typical Use-Cases
» Web Single Sign-On (SSO)
  » Authentication at one web site and access to multiple web sites without re-authentication (even beyond domain borders)
» Identity federation
  » Federation of identity data across multiple systems/domains
» Attribute-based authorization
  » Authorization based on transferred attributes
» Securing web services
  » Transport of structured security information within other standards
» Single Logout
  » Global and simultaneous logout at multiple applications

SAML Architecture (figure, ref: SAML 2.0 Technical Overview): Profiles (SSO profiles, Single Logout profile, attribute profiles, ...) combine Bindings (SOAP, HTTP Artifact, HTTP Redirect, HTTP POST, ...), Protocols (Authentication Request protocol, Single Logout protocol, ...) and Assertions (authentication, attribute and authorization decision statements)

SAML Assertion
» Assertion = a claim by somebody about somebody
» SAML assertions contain different statements
  » Authentication statement: "Max Mustermann authenticated himself on October 29, 2014 at 09:17 using a smart card."
  » Attribute statement: "Max Mustermann was born on January 1, 1970 and is a lawyer."
  » Authorization statement: "Yes, Max Mustermann is allowed to access this web site."
SAML Assertion (figure, ref: Eve Maler)

SAML Assertion: Example (figure, ref: Eve Maler: a SAML assertion containing an authentication statement and an attribute statement)

SAML Protocols
» SAML assertions are requested and are returned after successful authentication
» SAML defines different XML request/response protocols
» The messages are transferred via different communication/transport protocols (SAML Bindings)

SAML Bindings (figure, ref: SAML 2.0 Technical Overview: SAML via SOAP over HTTP)

SAML Profiles
» Model the SAML use cases by combining SAML Assertions, SAML Protocols and SAML Bindings
» Single sign-on, identity federation, single logout, ...
» Profiles are standardized, but own profiles may be created
  » E.g. STORK, PVP
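The protocol returns an assertion to the service provider, but the service provider must still decide whether to accept it. The block below is an added example, not code from the slides or from any SAML implementation: it shows the structural checks a service provider applies to a received SAML 2.0 assertion after its XML signature has been verified (issuer, validity window, audience restriction, recipient, InResponseTo binding to the outstanding request, presence of an authentication statement). The assertion, issuer, audience, recipient URL and request ID are constructed for the example; XML-DSig verification itself is represented by a flag because it needs an XML signature library and is a precondition for every other check.

```python
"""Checks a service provider makes on a received SAML 2.0 assertion.

Added example, not code from the original slides. The assertion, issuer,
audience, recipient and request ID are constructed. XML-DSig verification is
represented by the signature_verified flag: it requires an XML signature
library (e.g. xmlsec) and none of the checks below mean anything on an
assertion whose signature has not been verified first.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion in the shape an IdP returns for a web SSO login.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2014-10-29T09:17:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>max.mustermann</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://sp.example.org/acs"
          NotOnOrAfter="2014-10-29T09:22:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-10-29T09:16:00Z" NotOnOrAfter="2014-10-29T09:27:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2014-10-29T09:17:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Max</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Mustermann</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_time(value):
    """xs:dateTime in UTC as SAML uses it, e.g. 2014-10-29T09:17:00Z."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def validate_assertion(xml_text, now, expected, signature_verified, skew=timedelta(seconds=60)):
    """expected: dict with issuer, audience, recipient and request_id of the
    outstanding AuthnRequest; now: aware datetime or ISO-8601 string in UTC.
    Returns (ok, reasons); every failed check is reported, not just the first."""
    if isinstance(now, str):
        now = parse_time(now)
    if not signature_verified:
        return False, ["signature not verified"]
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        return False, ["not a SAML 2.0 Assertion"]
    reasons = []
    if root.findtext("saml:Issuer", default="", namespaces=NS) != expected["issuer"]:
        reasons.append("unexpected issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_time(nb):
            reasons.append("assertion not yet valid")
        if noa and now - skew >= parse_time(noa):
            reasons.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected["audience"] not in audiences:
            reasons.append("audience restriction does not name this SP")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        reasons.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != expected["recipient"]:
            reasons.append("assertion addressed to another recipient")
        if scd.get("InResponseTo") != expected["request_id"]:
            reasons.append("InResponseTo does not match an outstanding request")
        noa = scd.get("NotOnOrAfter")
        if noa and now - skew >= parse_time(noa):
            reasons.append("bearer confirmation expired")
    if root.find("saml:AuthnStatement", NS) is None:
        reasons.append("no authentication statement")
    return not reasons, reasons


def extract_attributes(xml_text):
    """Attribute statement as {name: [values]}; only use after validate_assertion passed."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


if __name__ == "__main__":
    expected = {"issuer": "https://idp.example.org/idp", "audience": "https://sp.example.org",
                "recipient": "https://sp.example.org/acs", "request_id": "_req42"}
    print(validate_assertion(SAMPLE_ASSERTION, "2014-10-29T09:18:00Z", expected, True))
    print(extract_attributes(SAMPLE_ASSERTION))
```

The InResponseTo check is what ties the assertion to a request this service provider actually issued; a service provider that skips it accepts any valid assertion for its audience, including one captured from another user's session, and one that skips the audience check accepts assertions issued for a different service provider of the same IdP.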
SAML Login Process (figure, ref: SAML 2.0 Core). How the user authenticates at the identity provider is not specified in SAML.

SAML SSO Login Process (figure, ref: SAML 2.0 Core): the user is already authenticated at the IdP, so no re-authentication is needed (SSO).

SAML Single Logout Process (figure, ref: SAML 2.0 Core)

OpenID
» Decentralized authentication and SSO system for web-based services
» Identity (identifier) is URL- or XRI-based (e.g. http://user@myopenid.com)
» No XML, only URL parameters
» Established standard
  » Version 1.0: 2005
  » Version 1.1: 2006
  » Version 2.0: 2007
» Replaced by OpenID Connect in 2014

OpenID Login Process (figure, ref: Bertino/Takahashi; RP = Relying Party, OP = OpenID Provider)
OpenID Messages
» OpenID authentication request (sent by the RP through the user's browser to the OP):
GET /moa-id.gv.at/accounts/o8/ud?
  openid.assoc_handle=1.amlya9vmpyaft
  &openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select
  &openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select
  &openid.mode=checkid_setup
  &openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0
  &openid.return_to=http%3A%2F%2Fonline.applikation.gv.at
  &openid.ns.ax=http://openid.net/srv/ax/1.0
  &openid.ax.mode=fetch_request
  &openid.ax.type.fname=http://example.com/schema/fullname HTTP/1.1
» OpenID authentication response (redirect back to the RP's return_to URL):
http://online.applikation.gv.at/openid_finish?
  openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0
  &openid.mode=id_res
  &openid.op_endpoint=https%3A%2F%2Fmoa-id.gv.at%2Faccounts%2Fo8%2Fud
  &openid.response_nonce=2013-08-23T15%3A56%3A58ZZeh9h37pfqhkmg
  &openid.return_to=http%3A%2F%2Fonline.applikation.gv.at
  &openid.assoc_handle=1.amlya9vmpyaft
  &openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle
  &openid.sig=y8jj5je2yleekxyckxrcubyp19e%3D
  &openid.identity=12345==
  &openid.claimed_id=12345==
  &openid.ax.mode=fetch_response
  &openid.ax.type.fname=http://example.com/schema/fullname
  &openid.ax.value.fname=Max Mustermann
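The response above carries openid.signed and openid.sig, and the relying party is only protected if it actually verifies that signature and the fields it covers. The block below is an added example, not code from the slides or from any OpenID library: it re-implements the OpenID 2.0 signature (HMAC over the Key-Value form of the fields named in openid.signed, Base64-encoded) and the checks a relying party makes before trusting openid.claimed_id: known association handle, signature coverage of every relied-upon field, signature value, OP endpoint, return_to, and a replay cache for response_nonce. The association MAC key, the identity URLs and the sample response are constructed; only the OP endpoint, return_to host and assoc_handle are taken from the slide's message.

```python
"""Relying-party (RP) checks on an OpenID 2.0 positive assertion (mode=id_res).

Added example, not code from the original slides. The association MAC key,
the identity URLs and the sample response are constructed; signatures follow
OpenID Authentication 2.0 sect. 6 (HMAC over the Key-Value form of the fields
listed in openid.signed, Base64-encoded).
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
_DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}

# Constructed: association state the RP stored after the "associate" exchange
# with the OP, keyed by assoc_handle (the handle mirrors the slide's message).
ASSOCIATIONS = {
    "1.amlya9vmpyaft": {"mac_key": b"constructed-example-mac-key-0123", "assoc_type": "HMAC-SHA256"},
}


def key_value_form(fields, signed):
    """Key-Value form (sect. 4.1.1) of the signed fields, in openid.signed order,
    keys without the "openid." prefix, one "key:value\\n" line each."""
    missing = [n for n in signed if "openid." + n not in fields]
    if missing:
        raise ValueError("signed field(s) absent from message: %s" % ",".join(missing))
    return "".join("%s:%s\n" % (n, fields["openid." + n]) for n in signed)


def sign(fields, mac_key, assoc_type):
    data = key_value_form(fields, fields["openid.signed"].split(",")).encode("utf-8")
    return base64.b64encode(hmac.new(mac_key, data, _DIGESTS[assoc_type]).digest()).decode("ascii")


def fields_from_url(url):
    """The positive assertion arrives as query parameters on the return_to URL."""
    return dict(parse_qsl(urlsplit(url).query))


def verify_response(fields, expected_return_to, expected_op_endpoint, seen_nonces):
    """Return (ok, claimed_id or reason). seen_nonces is the RP's replay cache."""
    if fields.get("openid.ns") != OPENID_NS or fields.get("openid.mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    assoc = ASSOCIATIONS.get(fields.get("openid.assoc_handle"))
    if assoc is None:
        return False, "unknown assoc_handle (fall back to check_authentication at the OP)"
    signed = fields.get("openid.signed", "").split(",")
    # Every field the RP relies on must be covered by the signature (sect. 10.1).
    for name in ("op_endpoint", "return_to", "response_nonce", "assoc_handle",
                 "claimed_id", "identity"):
        if name not in signed:
            return False, "field %s not covered by openid.signed" % name
    try:
        expected_sig = sign(fields, assoc["mac_key"], assoc["assoc_type"])
    except ValueError as exc:
        return False, str(exc)
    if not hmac.compare_digest(expected_sig, fields.get("openid.sig", "")):
        return False, "bad signature"
    if fields["openid.op_endpoint"] != expected_op_endpoint:
        return False, "assertion from an unexpected OP endpoint"
    if fields["openid.return_to"] != expected_return_to:
        return False, "return_to does not match this RP"
    nonce = fields["openid.response_nonce"]
    if nonce in seen_nonces:
        return False, "replayed response_nonce"
    seen_nonces.add(nonce)
    return True, fields["openid.claimed_id"]


def sample_response():
    """Constructed positive assertion in the shape of the slide's message,
    signed with the constructed association key."""
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://moa-id.gv.at/accounts/o8/ud",
        "openid.response_nonce": "2013-08-23T15:56:58ZZeh9h37pfqhkmg",
        "openid.return_to": "http://online.applikation.gv.at/openid_finish",
        "openid.assoc_handle": "1.amlya9vmpyaft",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
        "openid.identity": "https://moa-id.gv.at/id/12345",    # constructed
        "openid.claimed_id": "https://moa-id.gv.at/id/12345",  # constructed
    }
    assoc = ASSOCIATIONS[fields["openid.assoc_handle"]]
    fields["openid.sig"] = sign(fields, assoc["mac_key"], assoc["assoc_type"])
    return fields


def sample_response_url():
    fields = sample_response()
    return fields["openid.return_to"] + "?" + urlencode(fields)


if __name__ == "__main__":
    print(verify_response(fields_from_url(sample_response_url()),
                          "http://online.applikation.gv.at/openid_finish",
                          "https://moa-id.gv.at/accounts/o8/ud", set()))
```

Two checks a real RP adds on top of this are that the URL the browser actually delivered the response to equals openid.return_to, and that discovery on openid.claimed_id names this OP endpoint as authoritative; without the latter, any OP could assert any claimed identifier.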
OAuth
» Authorization protocol for desktop, web and mobile applications
» Allows applications to access a user's resources
» Users do not have to hand their credentials to the application
» Established standard
  » Version 1.0: 2010
  » Version 2.0: 2012

OAuth Process Flow (figure, ref: RFC 6749). Roles: Client (the service provider); Resource Owner (the user); Authorization Server, which handles authentication of the user and authorization of the client; Resource Server, which hosts the protected resource.

OpenID Connect
» Identification and authentication layer on top of OAuth 2.0
» Authentication instead of authorization
» Apart from the name, OpenID Connect has nothing in common with the OpenID protocol
» No XML, only URL parameters or JSON
» Standard (version 1.0) since February 2014

OpenID Connect Process Flow (figure)

OpenID Connect Messages
» UserInfo request (the access token obtained from the authorization server is presented as a bearer token):
GET /userinfo HTTP/1.1
Host: moa-id.gv.at
Authorization: Bearer SlAV32hkKG
» UserInfo response (claims about the authenticated subject):
HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8
Cache-Control: no-store
Pragma: no-cache
{
  "sub": "12345==",
  "given_name": "Max",
  "family_name": "Mustermann",
  "birthdate": "1990-01-01",
  "gender": "male"
}
Central Authentication Service (CAS)
» Central open-source SSO solution
» CAS server written in Java
» Multiple client libraries (Java, PHP, etc.)
» History
  » Initiated by Yale University in 2001
  » Since 2005 a project of Jasig (Java Architectures Special Interest Group)
» Requests carry URL parameters; validation responses are plain text in CAS 1.0 and XML from version 2.0 on
» Version 1.0: 2001
» Version 2.0: 2002
  » Added proxy authentication and the XML validation response
» Version 3.0: 2014
  » New architecture based on plug-ins
  » Further protocols: CAS 1, 2, 3; SAML 1.1; OpenID; OAuth 1.0, 2.0
  » Attributes in the XML validation response

CAS Process Flow (figure; parties: User, Web Service (Service Provider), Central Authentication Server)
1. Request access
2. Start authentication
3. Authenticate
4. Create ticket
5. Send redirect with ticket
5. Redirect with ticket
6. Send ticket
7. Validate ticket
8. Return user data
9. Grant access

CAS Messages
» Authentication request (/login):
https://cas.example.org/cas/login?service=http%3A%2F%2Fwww.example.org%2Fservice
» Redirect back to the service with a ticket, which the service then validates (/validate):
https://cas.example.org/cas/validate?service=http%3A%2F%2Fwww.example.org%2Fservice&ticket=ST-1856339-aA5Yuvrxzpv8Tau1cYQ7
» Authentication response, CAS 1.0 (plain text):
yes
username
» Authentication response, CAS 3.0 (XML):
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>username</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-84678-8a9d...</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>
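The service side of this exchange is small enough to show in full. The block below is an added example, not code from the slides or from the CAS project: it builds the validation URL (the service must present exactly the service URL it used on /login, otherwise the CAS server rejects the ticket with INVALID_SERVICE) and parses both response formats shown above, the CAS 1.0 plain-text answer and the CAS 2.0/3.0 XML serviceResponse, including the failure form and the attribute block CAS 3.0 can add. The response bodies are constructed in those shapes; the CAS base URL, service URL and ticket are the slide's values. Fetching the URL over HTTPS is left out; the functions take the body the server returned.

```python
"""Service-side handling of CAS ticket validation.

Added example, not code from the original slides. The response bodies are
constructed in the shapes the slide shows; CAS base URL, service URL and
ticket are taken from the slide's messages.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
# Validation endpoints by protocol version: CAS 1.0 answers in plain text,
# 2.0 and 3.0 with the XML serviceResponse (3.0 may add attributes).
VALIDATE_PATHS = {1: "/validate", 2: "/serviceValidate", 3: "/p3/serviceValidate"}

# Constructed response bodies.
SAMPLE_CAS1_OK = "yes\nusername\n"
SAMPLE_CAS1_NO = "no\n\n"
SAMPLE_CAS3_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>username</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-84678-8a9d...</cas:proxyGrantingTicket>
    <cas:attributes>
      <cas:givenName>Max</cas:givenName>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>admins</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_CAS3_FAIL = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def validation_url(cas_base, service, ticket, version=3):
    """service must be byte-for-byte the value sent on /login: the CAS server
    compares them, which stops a ticket issued for one service from being
    redeemed by another. Only service tickets (ST-...) are accepted here."""
    if not ticket.startswith("ST-"):
        raise ValueError("not a service ticket: %r" % ticket)
    return cas_base + VALIDATE_PATHS[version] + "?" + urlencode({"service": service, "ticket": ticket})


def parse_cas1(body):
    """CAS 1.0: 'yes\\n<user>\\n' on success, 'no\\n\\n' otherwise."""
    lines = body.split("\n")
    if lines[0] == "yes" and len(lines) > 1 and lines[1]:
        return {"ok": True, "user": lines[1]}
    return {"ok": False, "user": None}


def parse_cas3(body):
    """CAS 2.0/3.0 XML serviceResponse: success with user, optional PGTIOU and
    attributes, or authenticationFailure with an error code."""
    root = ET.fromstring(body)
    if root.tag != "{http://www.yale.edu/tp/cas}serviceResponse":
        raise ValueError("not a CAS serviceResponse")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        return {"ok": False, "user": None, "code": failure.get("code") if failure is not None else None}
    attrs = {}
    for el in success.findall("cas:attributes/*", CAS_NS):
        attrs.setdefault(el.tag.split("}", 1)[1], []).append(el.text)
    return {
        "ok": True,
        "user": success.findtext("cas:user", namespaces=CAS_NS),
        # The PGTIOU is only a handle; the actual PGT is delivered to the
        # service's pgtUrl callback over HTTPS and must be matched up there.
        "pgtiou": success.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS),
        "attributes": attrs,
    }


if __name__ == "__main__":
    print(validation_url("https://cas.example.org/cas", "http://www.example.org/service",
                         "ST-1856339-aA5Yuvrxzpv8Tau1cYQ7", version=1))
    print(parse_cas1(SAMPLE_CAS1_OK), parse_cas3(SAMPLE_CAS3_OK), parse_cas3(SAMPLE_CAS3_FAIL))
```

Service tickets are single-use and short-lived on the server side, so the service does not need its own replay cache; what it must not do is accept a ticket on any evidence other than the validation response obtained directly from the CAS server over TLS.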
Identity Providers
» Google, Facebook, Twitter
» SSO using these accounts
» Different identity providers use different identity protocols
  » SAML, OpenID, OpenID Connect

Summary (figures, ref: Sakimura)
Overview (next section): Identity management in Austria » Citizen-to-Government (MOA-ID), Government-to-Government (PVP)

Identity
§ 2 Z 1, 7 and 2 of the Austrian E-Government Law:
» "Identity": designation of a specific person (data subject, No 7) by means of data which are particularly suitable to distinguish persons from each other, such as, in particular, name, date of birth and place of birth, but also, for example, company name or (alpha)numerical designations;
» "Data subject": any natural or legal person or other association or institution having its own identity for the purposes of legal or economic relations;
» "Unique identity": designation of a specific person (data subject, No 7) by means of one or more features enabling that data subject to be unmistakably distinguished from all other data subjects;

Identification and Authentication
§ 2 Z 4, 5 and 6 of the Austrian E-Government Law:
» "Identification": the process necessary to validate or recognise identity;
» "Authenticity": the genuine nature of a declaration of intent or act, in the sense that the purported author of that statement or act is in fact the actual author;
» "Authentication": the process necessary to validate or recognise authenticity;
The Austrian eID Infrastructure (figure)
» SourcePIN Register Authority domain: SourcePIN Register (SPR), Central Register of Residents (CRR), Supplementary Register for Natural Persons (SR), Bilateral Mandate Register (BMR, natural persons), Mandate Issuing Service (MIS), SourcePIN Register Gateway (SPR-GW)
» Business registers (legal persons), operated in different organizational domains: Company Register (CR), Central Register of Associations, Supplementary Register for Other Concerned Parties
» User domain: Citizen with Citizen Card Software (CCS)
» Service provider domain: MOA-ID, Online Application (OA)
» Foreign country: Foreign Citizen, Foreign Identity Provider (F-IdP), connected via the STORK infrastructure (PEPS)

Unique Identity (figure, ref: Rössler)
» Central Population Register (CPR): every person living in Austria is registered within the CPR and a unique number (CPR number) is assigned to him/her.
» Foreigners or Austrian expatriates are registered within the Supplementary Register for Natural Persons (SRnP).

Identity Link: Electronic Identity (figure, ref: Leitold)
» XML data structure on the Citizen Card, based on SAML, containing:
  » Personal data: name, date of birth (attributes)
  » SourcePIN: the encrypted CPR number (identifier)
  » Public keys of the certificates (credentials)
» Signed by the SourcePIN Register Authority (SRA)
» The slide shows an excerpt of the XML (pr:Person with pr:Identification and pr:Name, and the CitizenPublicKey attribute holding a dsig:RSAKeyValue); the full structure appears in the MOA-ID process flow below

Sector-specific PIN (ssPIN) (figure): the unique identity (CPR number) yields the sourcePIN, from which a separate ssPIN is derived per sector, e.g. SA (Steuern und Abgaben, taxes and duties) and GH (Gesundheit, health); the figure shows sample values for each step
Example ssPIN(SA)
sourcePIN: MDEyMzQ1Njc4OWFiY2RlZg==
Sector: SA (Steuern und Abgaben)
Hash input data: MDEyMzQ1Njc4OWFiY2RlZg==+urn:publicid:gv.at:cdid+SA
ssPIN (hex, 20-byte SHA-1 digest of the hash input data): 4f 2d 1c f2 c4 4c a4 b3 9c 1a 66 85 5b 2d e2 24 f7 bb c5 97
ssPIN (Base64): Ty0c8sRMpLOcGmaFWy3iJPe7xZc=

Example ssPIN for the private sector
Firmenbuchnummer (company register number): 4924i
Hash input data: MDEyMzQ1Njc4OWFiY2RlZg==+urn:publicid:gv.at:wbpk+FN+4924i
ssPIN (hex): 6a 56 fd 04 42 d0 ba 18 09 5b 1a 5d 93 a4 3c 6a 20 fd 00 80
ssPIN (Base64): alb9BELQuhgJWxpdk6Q8aiD9AIA=
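The derivation behind these two examples is a one-way hash over the sourcePIN and a sector-specific delimiter string, which is what makes ssPINs of different sectors unlinkable for anyone who does not hold the sourcePIN. The block below is an added example, not code from the slides or from the Austrian eID software: it re-implements the derivation as the slide shows it (SHA-1 over the concatenated hash input, Base64-encoded), for both the public-sector (cdid) and the private-sector (wbpk) delimiter, adds the constant-time check a party holding the sourcePIN would use to confirm a claimed ssPIN, and reports whether the computed values reproduce the two Base64 ssPINs printed on the slide. The sourcePIN, sector codes and register number are the slide's sample values; a real sourcePIN never leaves the SourcePIN Register Authority's domain, so nothing here touches real data.

```python
"""Derivation of sector-specific PINs (ssPINs) from a source PIN.

Added example, not code from the original slides. Re-implements the derivation
the slide illustrates: SHA-1 over the hash-input string shown, Base64-encoded.
All input values are the slide's sample values.
"""
import base64
import hashlib
import hmac

PUBLIC_SECTOR_PREFIX = "urn:publicid:gv.at:cdid+"   # public-sector delimiter, per the slide
PRIVATE_SECTOR_PREFIX = "urn:publicid:gv.at:wbpk+"  # private-sector delimiter, per the slide

SAMPLE_SOURCE_PIN = "MDEyMzQ1Njc4OWFiY2RlZg=="  # slide's sample sourcePIN (Base64 text)

# Base64 ssPINs printed on the slide, used only to report whether this
# re-implementation reproduces them (see compare_with_slide).
SLIDE_SSPINS = {
    "SA": "Ty0c8sRMpLOcGmaFWy3iJPe7xZc=",
    "FN+4924i": "alb9BELQuhgJWxpdk6Q8aiD9AIA=",
}


def hash_input(source_pin, sector, private=False):
    """Concatenation exactly as on the slide: sourcePIN + '+' + delimiter + sector."""
    prefix = PRIVATE_SECTOR_PREFIX if private else PUBLIC_SECTOR_PREFIX
    return source_pin + "+" + prefix + sector


def _derive(source_pin, sector, private):
    # The slide shows a 20-byte digest, i.e. SHA-1; the ssPIN is its Base64 form.
    digest = hashlib.sha1(hash_input(source_pin, sector, private).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def public_sspin(source_pin, sector):
    """ssPIN for a public-sector code such as SA (taxes) or GH (health)."""
    return _derive(source_pin, sector, private=False)


def private_sspin(source_pin, register, number):
    """ssPIN for a private-sector party named by register type and number,
    e.g. the company register entry FN 4924i."""
    return _derive(source_pin, register + "+" + number, private=True)


def verify_sspin(claimed, source_pin, sector, private=False):
    """Constant-time check only a holder of the sourcePIN can make. Without the
    sourcePIN an ssPIN can be neither reversed nor linked to another sector's."""
    return hmac.compare_digest(claimed, _derive(source_pin, sector, private))


def compare_with_slide():
    """Whether the computed ssPINs equal the values printed on the slide."""
    computed = {
        "SA": public_sspin(SAMPLE_SOURCE_PIN, "SA"),
        "FN+4924i": private_sspin(SAMPLE_SOURCE_PIN, "FN", "4924i"),
    }
    return {key: computed[key] == SLIDE_SSPINS[key] for key in SLIDE_SSPINS}


if __name__ == "__main__":
    for sector in ("SA", "GH"):
        print(sector, public_sspin(SAMPLE_SOURCE_PIN, sector))
    print("FN 4924i", private_sspin(SAMPLE_SOURCE_PIN, "FN", "4924i"))
    print(compare_with_slide())
```

The sector code is bound into the hash input, so a health-sector ssPIN and a tax-sector ssPIN of the same person share no computable relation; the only way to map one to the other is through the sourcePIN, which is why the sourcePIN itself is never given to an online application and MOA-ID only hands over the ssPIN of the requested sector.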
MOA-ID (Identification and Authentication) (figure): the Citizen Card, carrying the identity link (with the sourcePIN) and the certificate, talks to MOA-ID (the identity provider) via the Security Layer; MOA-ID hands the ssPIN to the online application (the service provider). The citizen is uniquely identified by the identity link and authenticated by verification of the electronic signature.

MOA-ID
» Highly secure authentication
» Based on the citizen card (smart card or mobile phone signature)
» No prior contact or registration needed
» Unique identification based on the identity link
» Simple integration into online applications
» Authentication data are transferred to the online application via a SAML assertion (identity protocol)

Previous Deployment (figure): user-centric approach; identity protocol between MOA-ID and the online application

New Deployment Possibilities (figure): user-centric approach

Process Flow MOA-ID (figure): components are the Portal, the Web browser, MOA-ID (signature verification, identity link verification), the Security Layer, the Citizen Card Software and the Online application; the steps are numbered 1 to 6 in the figure

Screenshot (MOA-ID login page; options include Online Mandates and Foreign Persons)

Process Flow MOA-ID
1. The user wants to access an online application via the portal

Process Flow MOA-ID
2. The portal calls MOA-ID via URL (Target = sector SA, OA = the online application):
https://moa-id.gv.at/moa-id-auth/StartAuthentication?Target=SA&OA=http://oa.gv.at
Process Flow MOA-ID
2. MOA-ID answers with a Security Layer request to read the identity link from the citizen card via the citizen card software:
<?xml version="1.0" encoding="UTF-8"?>
<sl:InfoboxReadRequest xmlns:sl="http://www.buergerkarte.at/namespaces/securitylayer/1.2#">
  <sl:InfoboxIdentifier>IdentityLink</sl:InfoboxIdentifier>
  <sl:BinaryFileParameters ContentIsXMLEntity="true"/>
</sl:InfoboxReadRequest>
The request carries a DataURL to which the citizen card software posts the result:
https://moa-id.gv.at/moa-id-auth/VerifyIdentityLink?MOASessionID=-8402548209267330385
Process Flow MOA-ID
2. The user enters the card PIN, or the phone number and password for the mobile phone signature
2. Identity link is read from the card and sent to MOA-ID (via DataURL) for verification
2. Identity link (IDL) is read from the card and sent to MOA-ID (via DataURL) for verification. Identity link excerpt (a SAML 1.0 assertion issued by the source PIN register authority, binding the person's baseID, name and date of birth to the citizen's public keys):
<saml:Assertion AssertionID="bka.gv.at-2007-08-29T16.41.17.442"
    IssueInstant="2007-08-29T18:00:00.000"
    Issuer="http://www.bka.gv.at/datenschutz/Stammzahlenregisterbehoerde"
    MajorVersion="1" MinorVersion="0" xmlns=""
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
    xmlns:pr="http://reference.e-government.gv.at/namespace/persondata/20020228#"
    xmlns:saml="urn:oasis:names:tc:saml:1.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:saml:1.0:cm:sender-vouches</saml:ConfirmationMethod>
        <saml:SubjectConfirmationData>
          <pr:Person xsi:type="pr:PhysicalPersonType">
            <pr:Identification>
              <pr:Value>3utidda4kaodrjoemqu9pa==</pr:Value>
              <pr:Type>urn:publicid:gv.at:baseid</pr:Type>
            </pr:Identification>
            <pr:Name>
              <pr:GivenName>Max Moritz</pr:GivenName>
              <pr:FamilyName primary="undefined">Mustermann-Fall</pr:FamilyName>
            </pr:Name>
            <pr:DateOfBirth>1900-01-01</pr:DateOfBirth>
          </pr:Person>
        </saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Attribute AttributeName="CitizenPublicKey" AttributeNamespace="urn:publicid:gv.at:namespaces:identitylink:1.2">
      <saml:AttributeValue>
        <dsig:RSAKeyValue xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
[excerpt truncated on the slide]
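Added example (not from the slides or the MOA-ID project): a parser for the identity link structure shown above, written in Python with the standard library only. It pulls out the baseID, name, date of birth and the number of bound citizen keys, and refuses assertions whose issuer, identifier type or confirmation method differ from what the slide shows. The sample assertion is constructed with the same structure as the excerpt (the key material is a placeholder), and the issuer's XML signature, which MOA-ID checks in its "Verify Identity Link" step, is deliberately outside this parser's scope: nothing it returns may be trusted before that signature check has passed.

```python
import xml.etree.ElementTree as ET
from datetime import date

NS = {
    "saml": "urn:oasis:names:tc:saml:1.0:assertion",
    "pr": "http://reference.e-government.gv.at/namespace/persondata/20020228#",
    "dsig": "http://www.w3.org/2000/09/xmldsig#",
}
# Every identity link is issued by the source PIN register authority (value from the slide).
EXPECTED_ISSUER = "http://www.bka.gv.at/datenschutz/Stammzahlenregisterbehoerde"
EXPECTED_ID_TYPE = "urn:publicid:gv.at:baseid"
EXPECTED_METHOD = "urn:oasis:names:tc:saml:1.0:cm:sender-vouches"

# Constructed sample with the structure of the slide's excerpt; a real identity
# link additionally carries the issuer's XML signature (not modelled here).
IDENTITY_LINK = """<saml:Assertion AssertionID="bka.gv.at-2007-08-29T16.41.17.442"
    IssueInstant="2007-08-29T18:00:00.000"
    Issuer="http://www.bka.gv.at/datenschutz/Stammzahlenregisterbehoerde"
    MajorVersion="1" MinorVersion="0"
    xmlns:saml="urn:oasis:names:tc:saml:1.0:assertion"
    xmlns:pr="http://reference.e-government.gv.at/namespace/persondata/20020228#"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:saml:1.0:cm:sender-vouches</saml:ConfirmationMethod>
        <saml:SubjectConfirmationData>
          <pr:Person xsi:type="pr:PhysicalPersonType">
            <pr:Identification>
              <pr:Value>3utidda4kaodrjoemqu9pa==</pr:Value>
              <pr:Type>urn:publicid:gv.at:baseid</pr:Type>
            </pr:Identification>
            <pr:Name>
              <pr:GivenName>Max Moritz</pr:GivenName>
              <pr:FamilyName primary="undefined">Mustermann-Fall</pr:FamilyName>
            </pr:Name>
            <pr:DateOfBirth>1900-01-01</pr:DateOfBirth>
          </pr:Person>
        </saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Attribute AttributeName="CitizenPublicKey"
        AttributeNamespace="urn:publicid:gv.at:namespaces:identitylink:1.2">
      <saml:AttributeValue>
        <dsig:RSAKeyValue>
          <dsig:Modulus>placeholder-modulus</dsig:Modulus>
          <dsig:Exponent>AQAB</dsig:Exponent>
        </dsig:RSAKeyValue>
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_identity_link(xml_text: str) -> dict:
    """Extract person data and count the bound citizen keys.

    Structural checks only (issuer, identifier type, confirmation method);
    the issuer's signature must have been verified before these values are used.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        raise ValueError("not a SAML 1.0 assertion")
    if root.get("Issuer") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    if root.findtext(".//saml:ConfirmationMethod", namespaces=NS) != EXPECTED_METHOD:
        raise ValueError("unexpected confirmation method")
    person = root.find(".//saml:SubjectConfirmationData/pr:Person", NS)
    if person is None:
        raise ValueError("no person in subject confirmation data")
    if person.findtext("pr:Identification/pr:Type", namespaces=NS) != EXPECTED_ID_TYPE:
        raise ValueError("identification is not a baseID")
    keys = root.findall(
        ".//saml:Attribute[@AttributeName='CitizenPublicKey']"
        "/saml:AttributeValue/dsig:RSAKeyValue", NS)
    return {
        "base_id": person.findtext("pr:Identification/pr:Value", namespaces=NS),
        "given_name": person.findtext("pr:Name/pr:GivenName", namespaces=NS),
        "family_name": person.findtext("pr:Name/pr:FamilyName", namespaces=NS),
        "date_of_birth": date.fromisoformat(person.findtext("pr:DateOfBirth", namespaces=NS)),
        "public_keys": len(keys),
    }


def is_well_formed_identity_link(xml_text: str) -> bool:
    """True when the document has the expected identity link structure."""
    try:
        parse_identity_link(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False
```

The baseID is the value that must never reach an online application unchanged; MOA-ID derives the sector-specific PIN (see the "Sector sspin" response slide) from it, so a parser like this belongs on the MOA-ID side only.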
2. MOA-ID verifies the identity link and sends a Security Layer request for signature creation to the citizen card software
2. User enters signature PIN or TAN
2. MOA-ID verifies the signature and creates a SAML Assertion/Artifact
Process Flow MOA-ID 3. Redirect via citizen card software to the online application (incl. SAML Artifact): https://oa.gv.at?samlartifact=AAH5hs8...
4. Web service request to MOA-ID (with SAML Artifact):
<samlp:Request xmlns:samlp="urn:oasis:names:tc:saml:1.0:protocol" IssueInstant="2009-02-24T13:38:32+01:00" MajorVersion="1" MinorVersion="0" RequestID="6125563722598650316">
  <samlp:AssertionArtifact>AAH5hs8aaZSFYHya0/cmtJ3QAR7rf54uhIsEcDMZFmmZ1/Qldrdf4JSK</samlp:AssertionArtifact>
</samlp:Request>
5. Web service response to the online application (with SAML Assertion)
Process Flow MOA-ID 6. Access to resources granted
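Added example (not from the slides or the MOA-ID project): steps 2 to 5 of the artifact flow above as a self-contained Python model, showing what the artifact-issuing side has to enforce when the online application comes back over the web service channel. The artifact is built in the SAML 1.x type 0x0001 layout (2-byte type code, SHA-1 of the source identifier, 20-byte random handle, 56 base64 characters, matching the "AAH..." value on the slide), the resolve request is the samlp:Request document from the previous slide, and resolution is single-use, bound to the online application the artifact was issued for, and time-limited. The source identifier, the validity window and the assertion contents are constructed assumptions.

```python
import base64
import hashlib
import secrets
import time
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:saml:1.0:protocol"
ET.register_namespace("samlp", SAMLP)

MOA_ID_SOURCE_ID = "https://moa-id.gv.at/moa-id-auth"   # assumed source-site identifier
ARTIFACT_TTL_SECONDS = 60                               # assumed validity window


def make_artifact(source_id: str) -> str:
    """SAML 1.x type-0x0001 artifact: type code, SHA-1(source id), random handle."""
    raw = b"\x00\x01" + hashlib.sha1(source_id.encode()).digest() + secrets.token_bytes(20)
    return base64.b64encode(raw).decode("ascii")


class MoaIdArtifactService:
    """Toy stand-in for the MOA-ID side of steps 2, 3 and 5."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # artifact -> (oa_url, assertion_xml, issued_at)

    def issue(self, oa_url: str, assertion_xml: str) -> str:
        artifact = make_artifact(MOA_ID_SOURCE_ID)
        self._pending[artifact] = (oa_url, assertion_xml, self._clock())
        return artifact

    @staticmethod
    def redirect_url(oa_url: str, artifact: str) -> str:
        # Step 3: the artifact travels in the query string, so it is URL-encoded.
        return oa_url + "?samlartifact=" + urllib.parse.quote(artifact, safe="")

    def resolve(self, request_xml: str, requesting_oa: str) -> str:
        """Step 5: hand out the assertion once, only to the right OA, only while fresh."""
        root = ET.fromstring(request_xml)
        if root.tag != f"{{{SAMLP}}}Request":
            raise ValueError("not a samlp:Request")
        artifact = "".join((root.findtext(f"{{{SAMLP}}}AssertionArtifact") or "").split())
        try:
            raw = base64.b64decode(artifact, validate=True)
        except ValueError as exc:                     # binascii.Error is a ValueError
            raise ValueError("malformed artifact") from exc
        expected_source = hashlib.sha1(MOA_ID_SOURCE_ID.encode()).digest()
        if len(raw) != 42 or raw[:2] != b"\x00\x01" or raw[2:22] != expected_source:
            raise ValueError("artifact was not issued by this MOA-ID")
        entry = self._pending.pop(artifact, None)     # pop: an artifact resolves once
        if entry is None:
            raise ValueError("unknown or already resolved artifact")
        oa_url, assertion_xml, issued_at = entry
        if requesting_oa != oa_url:
            raise ValueError("artifact was not issued for this online application")
        if self._clock() - issued_at > ARTIFACT_TTL_SECONDS:
            raise ValueError("artifact expired")
        return assertion_xml


def build_resolve_request(artifact: str, request_id: str) -> str:
    """Step 4: the online application's samlp:Request carrying the artifact."""
    root = ET.Element(f"{{{SAMLP}}}Request", {
        "MajorVersion": "1", "MinorVersion": "0", "RequestID": request_id,
        "IssueInstant": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    })
    ET.SubElement(root, f"{{{SAMLP}}}AssertionArtifact").text = artifact
    return ET.tostring(root, encoding="unicode")


def artifact_from_redirect(url: str) -> str:
    """What the online application reads from the step-3 redirect."""
    return urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["samlartifact"][0]


def run_flow(clock=time.time) -> dict:
    """Steps 2-5 with constructed data; a second resolve of the same artifact must fail."""
    moa = MoaIdArtifactService(clock)
    oa_url = "https://oa.gv.at"
    assertion = "<saml:Assertion>constructed assertion</saml:Assertion>"
    artifact = moa.issue(oa_url, assertion)
    request = build_resolve_request(artifact_from_redirect(moa.redirect_url(oa_url, artifact)),
                                    "6125563722598650316")
    assertion_seen = moa.resolve(request, oa_url)
    try:
        moa.resolve(request, oa_url)
        replay_accepted = True
    except ValueError:
        replay_accepted = False
    return {"artifact_len": len(artifact), "assertion": assertion_seen,
            "replay_accepted": replay_accepted}
```

The artifact itself carries no identity data; it is only a reference, which is why the assertion is fetched over the authenticated web service channel in step 4/5 rather than passed through the browser.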
Process Flow MOA-ID (new): 1. Requesting access to application; 2. SAML AuthnRequest (online application to MOA-ID); 3. Citizen card authentication via citizen card software; 4. SAML Response (MOA-ID to online application); 5. Provide resource
SAML AuthnRequest [screenshot: requested authentication level]
SAML Response 1/2 [screenshot: sector, ssPIN]
SAML Response 2/2 [screenshot: authentication level, additional attributes]
Authentication Level» Assurance level of the transmitted identity data» Quantitative representation of identity enrolment, credential, authentication process, etc.» Grounded by risk assessment of applications» Different, but related approaches» NIST SP 800-63: Levels of Assurance» ISO/IEC 29115: Levels of Assurance» STORK: Quality Authentication Assurance Level» In Austria: SecClass (Sicherheitsklassen)» All have 4 levels
SecClass: identity component, an indicator for the quality of the identification and authentication» Registration quality (R): quality of the identification process (ID); quality of the identity credential issuing (IC); quality of the identity credential issuing entity (IE)» Authentication quality (A): type and robustness of the identity credential (RC); quality of the authentication mechanism (AM)
SecClass Example: minimal requirements to the components
Quality of the identification process (ID): The person has to be physically present in the registration process at least once. AND Stating multiple attributes (e.g. name and date of birth) that allow unique identification. AND The identity is validated using a legal identity document including at least a photograph or a signature (passport, driving licence, ...). The data may be validated using trustworthy instruments.
Quality of the identity credential issuing (IC): The person receives the identity credential after the identification process personally from the identifying instance. OR The identity credentials are forwarded by mail and are activated after the identification process.
Quality of the identity credential issuing entity (IE): The CSP is a public entity (public authority or agency). OR The CSP has qualifications according to Annex II of the EU Directive 1999/93/EC respectively § 7 SigG.
Type and robustness of the identity credentials (RC): Identity credentials based on a qualified hardware certificate according to Annex I of the EU Directive 1999/93/EC (Citizen Card).
Quality of the authentication mechanism (AM): Secure authentication mechanisms, based on state-of-the-art technology, providing protection against most common threats.
Portal Group (Portalverbund - PVP)» Internal government authentication and authorization system for civil servants» Federation of administration portals for joint usage of existing infrastructure» Decentralized user management» User data is only managed within the source organization (Stammportal)» Users may access multiple applications with only one account» Legal: portal group agreement» Rights and duties for participation defined» Technical: portal group protocol» Reverse proxy (HTTP header) or SAML
Authorization in the Portal Group (PG) [diagram: portal provider and user representative at the source portal of PG participant abc.gv.at; portal provider and application-responsible at the application portal of PG participant xyz.gv.at hosting Application X; rights management = Policy Decision Point (PDP), rights validation = Policy Enforcement Point (PEP)] Ref: PV-Whitepaper
PG Set-Up» Portal providers created a group where the portals can authenticate against each other. Therefore, they bilaterally agreed to the portal group agreement (Portalverbundvereinbarung).» The application-responsible of the application X (a data application according to § 7(4) DSG 2000) delegates authentication and authorization to the portal provider of the domain xyz.gv.at.» The application-responsible has an application agreement with the organization abc.gv.at for the application X. The application-responsible instructs the portal provider of the portal xyz.gv.at to assign the rights, defined within the usage agreement, to the portal abc.gv.at.» The portal provider of abc.gv.at defines which users of the organization abc.gv.at are allowed to access the application. Ref: PV-Whitepaper
PG Process Flow» The user (civil servant) authenticates at the source portal (Stammportal) and the source portal authenticates at the application portal.» The source portal defines which application rights are assigned to the user.» The application portal checks if the defined rights allow the civil servant of the requesting organization to access the application.» If access is allowed, the civil servant is forwarded to the target application. The target application enforces the rights. Ref: Pichler
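Added example (not from the slides, the PV-Whitepaper or the PVP specification): the application portal's check from the PG set-up and process flow above, modelled in Python for the reverse-proxy (HTTP header) variant of the portal group protocol. The source portal of abc.gv.at authenticates to the application portal of xyz.gv.at over a portal-to-portal connection and forwards the civil servant's identity and assigned rights in headers; the application portal only honours those headers on that authenticated hop, only lets a source portal speak for its own organization, and intersects the asserted rights with what the application-responsible granted to that organization. The header names, certificate subjects and rights table are constructed assumptions, not PVP's actual ones.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed registry: client certificate subject of a source portal -> the
# PG participant (organization) whose users that portal may assert.
SOURCE_PORTALS: Dict[str, str] = {"CN=portal.abc.gv.at": "abc.gv.at"}

# Constructed rights table, as instructed by the application-responsible of
# application X: application path -> organization -> roles from the usage agreement.
APPLICATION_RIGHTS: Dict[str, Dict[str, Set[str]]] = {
    "/app-x": {"abc.gv.at": {"app-x-reader", "app-x-editor"}},
}

# Hypothetical header names; the PVP specification defines its own set.
H_USER, H_ORG, H_ROLES = "X-PVP-USERID", "X-PVP-PARTICIPANT", "X-PVP-ROLES"


@dataclass(frozen=True)
class ForwardedRequest:
    path: str
    headers: Dict[str, str]
    # Subject of the client certificate the peer presented on this hop;
    # None when the request did not arrive over an authenticated portal-to-portal connection.
    client_cert_subject: Optional[str]


def pep_decide(req: ForwardedRequest) -> Tuple[bool, str, Set[str]]:
    """Application-portal decision: (allowed, reason, effective roles)."""
    # 1. Identity headers mean something only on the authenticated hop from a
    #    source portal; on any other connection they are ignored.
    if req.client_cert_subject is None:
        return False, "identity headers accepted only from an authenticated source portal", set()
    org = SOURCE_PORTALS.get(req.client_cert_subject)
    if org is None:
        return False, "source portal is not a member of the portal group", set()
    # 2. A source portal vouches only for users of its own organization.
    if req.headers.get(H_ORG) != org or not req.headers.get(H_USER):
        return False, "participant header does not match the asserting portal", set()
    # 3. Rights assigned by the source portal count only as far as the
    #    application-responsible granted them to that organization.
    granted = APPLICATION_RIGHTS.get(req.path, {}).get(org, set())
    asserted = {r.strip() for r in req.headers.get(H_ROLES, "").split(",") if r.strip()}
    effective = asserted & granted
    if not effective:
        return False, "organization holds no usable rights for this application", set()
    return True, "forwarded to application with effective roles", effective
```

The target application still enforces the effective roles itself, as the last bullet above says; the portal's decision only gates the forwarding.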
Conclusion» Identity management is essential, especially within the area of E-Government» Unique identification» Legal basis: E-Government law» Austria provides» a user-centered approach for C2G» Identity data stored on the Citizen Card» Identification and authentication» a federated approach for G2G» Identity protocol: SAML 2.0
References
» E-Government Law: http://www.ris.bka.gv.at/geltendefassung.wxe?abfrage=bundesnormen&gesetzesnummer=20003230
» FIDIS: http://www.fidis.net
» PRIME: https://www.prime-project.eu
» GINI-SA: http://www.gini-sa.eu
» L. J. Camp: Digital Identity. In: Technology and Society Magazine, 2004, http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1337889
» R. Clarke: Human Identification in Information Systems: Management Challenges and Public Policy Issues. Information Technology & People, 1994, Vol. 7, pp. 6-37, http://www.rogerclarke.com/dv/humanid.html
» E. Bertino, K. Takahashi: Identity Management: Concepts, Technologies, and Systems, 2011
» A. Tsolkas, K. Schmidt: Rollen und Berechtigungskonzepte, 2010
» J. Palfrey, U. Gasser: Digital Identity Interoperability and eInnovation, 2007
» J. De Clercq: Single Sign-On Architectures, InfraSec 2002, pp. 40-58
» SAML: http://saml.xml.org
» OpenID: http://openid.net
» OAuth: http://oauth.net
» OpenID Connect:
» N. Sakimura: Dummy's guide for the Difference between OAuth Authentication and OpenID, 2011, http://nat.sakimura.org/2011/05/15/dummys-guide-for-the-difference-between-oauthauthentication-and-openid/
» MOA-ID: https://joinup.ec.europa.eu/software/moa-idspss_de/description
» PVP: http://reference.e-government.gv.at/portalverbund.577.0.html
Control Questions» Explain the terms identification/authentication/authorization.» What is multi-factor authentication? Give an example.» Explain the identity lifecycle.» Which types of identities do you know? Describe the differences.» Enumerate identity management threats.» Which stakeholders are involved within an identity management system?» Describe different IdM architectures.» Which identity protocols do you know? Describe one of them in detail.» Which concepts of IdM are used within Austria?» What are levels of assurance and what are they used for?» Describe the identification and authentication process within MOA-ID.» What is the portal group? Describe the concept.
Thank you for your attention! bernd.zwattendorfer@egiz.gv.at www.egiz.gv.at