Enterprise Identity Management
paul.schoebi@cnlab.ch
With inputs from: IAM Course, Institute for Internet Technologies and Applications, University of Applied Sciences, Rapperswil, Switzerland
Agenda
- IAM topics and concepts
- Common technical approaches
- Security of Internet banking authentication
Terms: Enterprise Identity Management (EIM), Electronic Identity Management (IdM), Identity and Access Management (IAM)
Digital Identity
"On the Internet, nobody knows you're a dog"
Cartoon by Peter Steiner, The New Yorker (Vol. 69, No. 20), July 5, 1993
This is why most businesses look like this (diagram)
Source: Gilbert Maurer, Solution Architect, Hewlett Packard (Schweiz), 2005
IdM: Three Perspectives
In the real-world context of engineering online systems, identity management can be given three perspectives:
- The pure identity paradigm: creation, management and deletion of identities without regard to access or entitlements.
- The user access (log-on) paradigm: a smart card and its associated data that a customer uses to log on to a service or services (a traditional view).
- The service paradigm: a system that delivers personalized, role-based, online, on-demand, multimedia (content), presence-based services to users and their devices.
Source: http://www.wikipedia.org/
IAM Process Framework
Process areas: User access, Service, Identity
Models: AM (Access Model), WM (Workflow Model), IM (Identity Model)
Source: http://iam wiki.org
Generalized Access Control System Scheme (4A System)
- Administration: system to create identity and authentication information (Identity Information Store: ID/PW); system to create policy sets (Policy Information Store: R/W/E)
- Authentication: authentication decision
- Authorization: access decision
- Audit: log of administration activities, successful and failed logins (authentication), and accesses (authorization)
Source: Ant Allen, "A Functional Model Auditing Aids Understanding of Identity and Access Management Tools", Gartner Group Research Report ID Number G00130381, 15 December 2005.
Gartner IAM Hype Cycle (June 2006) (figure)
Some Wikipedia definitions
- Active Directory is an implementation of LDAP directory services by Microsoft for use primarily in Windows environments.
- The basic authentication scheme is a method designed to allow a web browser, or other client program, to provide credentials in the form of a user name and password when making a request.
- Federation is a new approach which uses standards-based protocols to enable one application to assert the identity of a user to another.
- Kerberos is a popular mechanism for applications to externalize authentication entirely.
- Single sign-on (SSO) is a specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple software systems.
- Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between security domains.
Source: http://www.wikipedia.org/
COMMON APPROACHES
Windows AD (diagram: three servers, three clients and two domain controllers (DC))
Windows AD-based authentication (Kerberos setup)
Parties: user, client, DC (Kerberos), target
- User enters the password (PW) at the client
- Client obtains a Ticket Granting Ticket (TGT) from the DC
- Client presents the TGT to the DC and receives a ticket
- Client presents the ticket to the target
Windows Smart Card Logon
Parties: user, client, DC (Kerberos KDC)
- User enters the PIN at the client
- Client sends the certificate to the Kerberos KDC
- KDC returns the TGT encrypted under the certificate's public key: E_PK[TGT]
- AD holds the user certificate
Web-based SSO (diagram: one client, several servers)
HTTP Basic Authentication
Schemes: Basic, NTLM, Digest
- Client: GET /
- Server: HTTP/1.1 401 Unauthorized, WWW-Authenticate: Basic realm="MyServer"
- Client: GET / with Authorization: Basic QWxhZGRpbjpv (base64-encoded user name and password)
- Server: show document
RFC 2617, HTTP Authentication: Basic and Digest Access Authentication, June 1999.
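The exchange above, worked through on both sides as an added example (not code from the slides): the server issues the 401 challenge, the client builds the Authorization header, and the server decodes and checks it. The credential store and the "Aladdin" / "open sesame" pair (the RFC 2617 example) are constructed here; the realm "MyServer" is the one on the slide.

```python
import base64
import binascii
import secrets

REALM = "MyServer"
# Constructed credential store for the demo (assumption, not from the slides).
USERS = {"Aladdin": "open sesame"}


def challenge_headers():
    """Headers the server sends with the 401 in the first step of the exchange."""
    return {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def encode_basic(user, password):
    """Client side: build the Authorization header value (RFC 2617 section 2)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header_value):
    """Server side: recover (user, password) from the header, or None if malformed.
    Base64 is an encoding, not encryption: anyone who can read the header (e.g. on a
    non-TLS connection) recovers the password exactly this way."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 2617: the user-id may not contain ':'; the password may, so split once.
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def authenticate(headers):
    """Server side: returns (status, response_headers); 401 plus challenge until valid."""
    creds = decode_basic(headers.get("Authorization", ""))
    if creds is None:
        return 401, challenge_headers()
    user, password = creds
    expected = USERS.get(user)
    # Constant-time comparison so response timing does not leak matching prefixes.
    if expected is not None and secrets.compare_digest(expected.encode(), password.encode()):
        return 200, {}
    return 401, challenge_headers()
```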
Secure Entry Server (Gateway) setup (diagram: the client connects to the SES, which fronts the servers and a login server)
SSL Client Certificate Authentication
Parties: user, client, web server, authentication server
- Client opens an https:// connection; the web server sends a client certificate request (challenge)
- User enters the PIN; the client retrieves the secret key and signs the challenge
- Client sends the response; the signature is checked
- The user is retrieved and checked
SECURE INTERNET BANKING AUTHENTICATION
Attacks to be considered
Fake login:
- Theft of credentials
- Phishing (passive)
- Man in the middle (phishing, active)
- Trojans
Fake transactions:
- Session hijacking
- Session riding (HTML)
- Trojans
One-Time Password: Scratch List
Sample scratch list: 7563 1329 2009 1223 1569 0909 7443 1432 2333 2673 1667 1414 7823 3489...
- Client uses the next password
- Widely used in Telebanking
- Sent to the user over an independent channel
- Created randomly
In use: Raiffeisen
Challenge Response: Grid Card (Matrix Karte)
Sample grid card (password number: password):
01 751163   11 132329   21 205609
02 122433   12 154669   22 093109
03 744293   13 149832   23 112333
04 267213   14 166657   24 122414
.........
- Client answers with the password upon a password-number request
- Used in Telebanking
- Sent to the user over an independent channel
- Created randomly
In use: Zürcher Kantonalbank, Banque Cantonale Vaudoise
Traditional Token Examples
Physical devices:
- Locks
- Tags/cards (may be contactless)
- Special computers
- Mobile phones (SMS)
SMS Authentication
Source: http://www.postbank.de (Postbank)
Announced by: ZKB, Raiffeisen
Parties: user, mobile, client, server
- User enters contract number and PIN at the client, which sends them to the server
- Server sends an mTAN to the user's mobile
- User enters the mTAN at the client, which forwards it to the server
axsionics
- Fingerprint reader
- Flickering interface
- Large display
- Optional card reader
Parties: user, token, client, server
- Server sends a challenge to the client, which passes it to the token
- User presents a finger to the token
- Token produces the response, which goes via the client to the server
EMV CAP (Card Authentication Protocol)
- The card is inserted into the PCR
- The PCR asks for a challenge; the bank host generates the challenge
- The challenge is typed into the PCR
- The PCR asks for the card PIN
- The PIN is typed into the offline PCR
- If the PIN is correct, the chip generates a one-time password
- The bank host authenticates the one-time password
Promoted by: Telekurs
One-Time Password: Dynamic Password Generator
- Number changes every 60 seconds
- Time synchronization typically allows 3 possible codes (3-minute interval)
- Security discussion in December 2001 due to a claimed emulation program
In use: Credit Suisse
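A time-synchronized generator of this kind, with the 60-second step and the 3-code acceptance window from the slide, as an added example (not the vendor's algorithm; it uses the HMAC construction of RFC 4226/6238 as a stand-in). It also shows the server-side check a verifier needs so that a code already used inside the window cannot be replayed. The secret and timestamps are constructed.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the slide: number changes every 60 seconds
WINDOW = 1          # previous, current and next step: 3 codes, a 3-minute interval
DIGITS = 6


def otp_for_counter(secret: bytes, counter: int) -> str:
    """Code for one time step (HOTP truncation, RFC 4226) - stand-in for the vendor scheme."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def current_code(secret: bytes, now: int) -> str:
    """Token side: the code shown at Unix time `now`."""
    return otp_for_counter(secret, now // STEP_SECONDS)


class TokenVerifier:
    """Server side: tolerate one step of clock drift, reject replays of consumed codes."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1  # highest time step already accepted for this token

    def verify(self, code: str, now: int) -> bool:
        base = now // STEP_SECONDS
        for delta in range(-WINDOW, WINDOW + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # already consumed, or older than a consumed code
            if hmac.compare_digest(otp_for_counter(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False
```

Without the `last_counter` check, the same code would stay valid for the whole 3-minute window, which is exactly the interval in which a stolen code could be reused.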
Challenge Response Tools
- SW: S/Key
- HW: RSA SecurID, Vasco Digipass token
In use: UBS Telebanking, Migrosbank Smart Card
A Classification of Measures
To protect login:
- Static password / PIN
- Dynamic: scratch list, matrix card
- PIN token (autonomous token)
- Challenge / response
- SMS token / Axsionics
- SSL certificate (hard and soft)
(Diagram: user, token, server; password and code)
To protect transactions:
- Secure session management
- Autonomous code (TAN)
- Transaction-based code
- Improve client security
The Evaluation (matrix of attacks against measures)
Columns, login focus: static password; dynamic (scratch list, autonomous token, C/R token, SMS token); SSL certificate (hard, soft)
Columns, transaction focus: session management, TAN, auto Xact TAN, client security
Rows, login: theft of credentials, phishing (passive), man in the middle, Trojans
Rows, transactions: session hijack, session riding (HTML), Trojans
http://iam wiki.org/home
http://www.wikipedia.org
http://www.cnlab.ch
http://www.cnlab.ch/en/documents.html
Thanks for your attention!