DOCSLIB.ORG

Security, Privacy and Usability Requirements for Federated Identity

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Security, Privacy and Usability Requirements for Federated Identity Security, Privacy and Usability Requirements for Federated Identity Michael Hackett and Kirstie Hawkey Faculty of Computer Science Dalhousie University Halifax, Nova Scotia, Canada e-mail: [email protected], [email protected] Abstract—Federated Identity systems promise to solve the about an individual and could become the targets of hackers increasingly vexing problem of password overload. However, and identity thieves. If an identity account is compromised, existing systems, such as OpenID and CardSpace have failed the potential damage could be much more widespread and to gain the expected levels of adoption, due in part to usability and security issues, while proprietary systems such as Facebook devastating for the target individual than if a password to Connect raise serious privacy concerns over their usage of the a single site were compromised. Therefore, the security data collected. In this paper, we examine two new contenders— of these systems must be scrutinized carefully and the BrowserID from Mozilla and WebID from the W3C WebID opportunities for user mishaps minimized. Community Group—and find that, while both offer significant Two newer proposals that are not yet widely deployed but improvements, we were still able to identify a number of important security, privacy, and usability issues that need to which are garnering much attention are WebID [3], [4] and be addressed before beginning to widely deploy these new BrowserID [5], [6]. Both take a decentralized approach to platforms. identity management (where there is no one single central authority, such as Facebook), and aim to provide improved I. INTRODUCTION usability, security and privacy over prior decentralized sys- Federated Identity systems attempt to solve the growing tems, such as OpenID. dilemma among computer users sometimes referred to as In this paper, we focus on analysing some of the key “password fatigue”. According to one recent study [1], the security and privacy claims of these new proposals, with the average computer user has 25 different password-protected goal of raising alarms early in the design process, when the accounts, many of them used only infrequently, creating a developers of these schemes still have the ability to solve situation where it is almost impossible to commit all of those the issues. We will begin with some further background on usernames and passwords to memory. Coping strategies the problem being addressed and some useful terminology include the use of password management software, writing in section II, and then discuss some related projects in down of passwords (often on sticky notes attached to a section III. This will be followed by two sections introducing computer!), and using the same password for all accounts. the two proposal being examined here, BrowserID in sec- In addition to reducing security, these often create a de- tion IV, WebID in section V. Our analysis of the protocols pendency on a particular device (where the passwords are on a number of key issues appears in section VI, followed stored) or item (such as a notebook) or location (such as by our future work and conclusions. one’s desk), such that the person may be unable to use their “accessible anywhere” accounts whenever he or she is away II. BACKGROUND from their particular storage medium. When using a Federated Identity, an individual need only Although the different proposals described herein gener- remember one set of credentials in order to gain access to ally share many of the same concepts, their specifications all services, without needing to share those credentials with often use different terminology for these concepts. For ease the service providers. OpenID [2] is one well-known attempt of comparison, this paper uses the following terms, based on to create such a system, but adoption has been hindered by those given by Maler and Reed [7], noting the corresponding usability and security issues. Proprietary systems, such as term wherever one of the official specifications differs. Facebook Connect and Microsoft Passport, have made some • A service provider (SP) is some web site or service that gains in usability, but they raise serious privacy concerns for the user must sign into to use. When the SP depends on many users, as the companies operating these systems are a third party for identity authentication, it is often called able to track users’ activity and make use of the information a relying party (RP), because it relies on the external they obtain, including making a user’s activity public without authentication service. his or her consent or knowledge. • An identity provider (IdP) is another web site or service Another concern is that, for all their convenience, these whose job is to verify or provide information to aid in identity accounts are the keys to a great deal of information verifying the identity of a user. • A user agent (UA) is a web browser or other software Microsoft’s CardSpace [11], [12] uses the metaphor of application that communicates with a remote system on Information Cards that are analogous to the physical identity behalf of the user. and membership cards most of us carry in our wallets. Each Although both WebID and BrowserID can be used for card holds either a collection of identity attributes (referred authenticating software agents (that is, automated systems) to as claims) or a link to an IdP that can supply such as well as human users, for simplicity we will simply use information on demand. Just as in a physical wallet, users the term user for both cases. (The X.509 specification [8] may have cards from several different IdPs, and can choose uses the term subject to mean “person or system”, but this the one the that is most appropriate for a given context, word has several other meanings as well, so we find user to such as using a government-issued ID to vote online, or be more clear in this context.) a self-issued card containing only an email address for a Also, throughout the paper, in the name of grammatical web discussion board. With claims-based identity, a user expediency, we will use the conventional user “Alice” to might be able to use any one of a number of cards to satisfy stand in for a general user of either system. a particular RP’s authentication request, provided the card Note that while federated identity systems are often re- includes the requested claims and is issued by an authority ferred to single sign-on (SSO)—probably a more end-user- that the RP trusts. friendly term—this is not strictly accurate. In a true SSO Yet, despite bundling the CardSpace client with Windows system, one would not be required to sign into each site Vista and Windows 7, thus ensuring an installed base of mil- separately; once you had signed into your identity account, lions of potential users, claims-based identity has not gained you would automatically be recognized at each cooperating traction with service providers, and Microsoft decided to site that you visited. This can be convenient, and might cancel the product in February 2011. Service providers did be a reasonable default within an organization, but many not see any compelling advantages to implementing support, users would not be comfortable with applying it to the and users “were often confused by their first encounter with entire Internet. They may want to use different identities CardSpace” [13], finding it too complicated in comparison on some sites and have the option of anonymity on others. with the username/password forms to which they had be- Furthermore, it would be inconvenient to have to remember come accustomed. In addition, Microsoft admitted that the to sign out of one identity and into another for each site. lack of tools for service providers for creating claims-ready Both BrowserID and WebID give you the option to either services was another factor in the lack of uptake [14]. select an identity to share with each service provider, or Nonetheless, other groups remain interested in the In- to not share one; they never share anything without your formation Card concept. Higgins1 and openinfocard2 are explicit consent. While slightly less convenient, from a two open-source projects that have also built Information privacy perspective, this is probably what most people would Card clients. The Higgins project, for example, has experi- prefer. (That said, it would almost certainly be possible for mented with several alternative client implementations, such someone to create a user agent that did immediately sign as a Firefox-based browser extension (without the native into every compatible site automatically, if that was what platform component that CardSpace required) and clients some users wanted.) for mobile phones. They have also created native client applications for Linux and Mac OS X, and introduced a web III. RELATED WORK service to solve the problem of sharing Information Cards Of course, neither BrowserID nor WebID is the first across devices, with the active clients becoming simple attempt to solve the digital identity problem. OpenID is shells that interfaced with the web service. perhaps the best known decentralized web identity system. However, in addition to the aforementioned lack of service It uses URLs to identify users, and users are free to choose provider interest in claims-based authentication, a lack of their identity providers, or may even set up their own IdP. visibility and an overly technical installation process have As OpenID “does not require any pre-established trust rela- further limited Higgins’s appeal to a niche of developers tionships between IdPs and [RPs]” [9], the barriers to entry and researchers. Also, some aspects of the card selection for new IdPs and RPs are low. OpenID adoption by users, interface have been identified as “overly intrusive and annoy- however, has been hindered by usability issues—particularly ing,” particularly when returning to previously visited sites with respect to inconsistencies in the sign-in interface [10]— or having to select multiple cards to satisfy a request.
Load more

Recommended publications
  • Dod Enterpriseidentity, Credential, and Access Management (ICAM)
    UNCLASSIFIED DoD Enterprise Identity, Credential, and Access Management (ICAM) Reference Design Version 1.0 June 2020 Prepared by Department of Defense, Office of the Chief Information Officer (DoD CIO) DISTRIBUTION STATEMENT C. Distribution authorized to U.S. Government agencies and their contractors (Administrative or Operational Use). Other requests for this document shall be referred to the DCIO-CS. UNCLASSIFIED UNCLASSIFIED Document Approvals Prepared By: N. Thomas Lam IE/Architecture and Engineering Department of Defense, Office of the Chief Information Officer (DoD CIO) Thomas J Clancy, COL US Army CS/Architecture and Capability Oversight, DoD ICAM Lead Department of Defense, Office of the Chief Information Officer (DoD CIO) Approved By: Peter T. Ranks Deputy Chief Information Officer for Information Enterprise (DCIO IE) Department of Defense, Office of the Chief Information Officer (DoD CIO) John (Jack) W. Wilmer III Deputy Chief Information Officer for Cyber Security (DCIO CS) Department of Defense, Office of the Chief Information Officer (DoD CIO) ii UNCLASSIFIED UNCLASSIFIED Version History Version Date Approved By Summary of Changes 1.0 TBD TBD Renames and replaces the IdAM Portfolio Description dated August 2015 and the IdAM Reference Architecture dated April 2014. (Existing IdAM SDs and TADs will remain valid until updated versions are established.) Updates name from Identity and Access Management (IdAM) to Identity, Credential, and Access Management (ICAM) to align with Federal government terminology Removes and cancels
    [Show full text]
  • Verified Implementations of the Information Card Federated Identity
    Verified Implementations of the Information Card Federated Identity-Management Protocol Karthikeyan Bhargavan∗ Cédric Fournet∗ Andrew D. Gordon∗ Nikhil Swamy† ∗Microsoft Research †University of Maryland, College Park ABSTRACT We describe reference implementations for selected configurations of the user authentication protocol defined by the Information Card Profile V1.0. Our code can interoperate with existing implemen- tations of the roles of the protocol (client, identity provider, and relying party). We derive formal proofs of security properties for our code using an automated theorem prover. Hence, we obtain the most substantial examples of verified implementations of crypto- graphic protocols to date, and the first for any federated identity- management protocols. Moreover, we present a tool that down- loads security policies from services and identity providers and Figure 1: InfoCard: Card-based User Authentication compiles them to a verifiably secure client proxy. Categories and Subject Descriptors and (2) to check consistency between the reference implementation and the informal specification in the same way as for any imple- D.2.4 [Software Engineering]: Software/Program Verification mentation, via interoperability testing with other implementations. This paper reports the techniques underpinning the most com- Security, Verification General Terms plex examples to date of such verified implementations. Keywords Information Card Profile V1.0 (InfoCard). We have built and Cryptographic protocol verification, Verified implementations, Web verified reference implementations of various configurations of the Services Security, Federated identity management, CardSpace. card-based user authentication protocol defined by the Information Card Profile V1.0 [InfoCard Guide, Nanda, 2006]. We refer to this 1. INTRODUCTION protocol as InfoCard. InfoCard is the core of a federated identity-management frame- Verified Reference Implementations of Protocols.
    [Show full text]
  • City Research Online
    Li, F. (2015). Context-Aware Attribute-Based Techniques for Data Security and Access Control in Mobile Cloud Environment. (Unpublished Doctoral thesis, City University London) City Research Online Original citation: Li, F. (2015). Context-Aware Attribute-Based Techniques for Data Security and Access Control in Mobile Cloud Environment. (Unpublished Doctoral thesis, City University London) Permanent City Research Online URL: http://openaccess.city.ac.uk/11891/ Copyright & reuse City University London has developed City Research Online so that its users may access the research outputs of City University London's staff. Copyright © and Moral Rights for this paper are retained by the individual author(s) and/ or other copyright holders. All material in City Research Online is checked for eligibility for copyright before being made available in the live archive. URLs from City Research Online may be freely distributed and linked to from other web pages. Versions of research The version in City Research Online may differ from the final published version. Users are advised to check the Permanent City Research Online URL above for the status of the paper. Enquiries If you have any enquiries about any aspect of City Research Online, or if you wish to make contact with the author(s) of this paper, please email the team at [email protected]. Context-Aware Attribute-Based Techniques for Data Security and Access Control in Mobile Cloud Environment A Thesis Submitted to City University London, School of Engineering and Mathematical Sciences In
    [Show full text]
  • Cardspace Web Integration
    A Guide to Supporting Information Cards within Web Applications and Browsers as of the Information Card Profile V1.0 December 2006 Author Michael B. Jones Microsoft Corporation Copyright Notice © 2006 Microsoft Corporation. All rights reserved. Abstract The Identity Metasystem allows users to manage their digital identities from various identity providers and employ them in different contexts where they are accepted to access online services. In the Identity Metasystem, identities are represented to users as “Information Cards” (a.k.a. “InfoCards”). One important class of applications where Information Card- based authentication can be used is applications hosted on web sites and accessed through web browsers. This paper documents the web interfaces utilized by browsers and web applications that support the Identity Metasystem. The information in this document is not specific to any one browser or platform. This document supplements the information provided in two other Information Card Profile references: the Guide to the Information Card Profile V1.0 [InfoCard-Guide], which provides a non-normative description of the overall Information Card model, and the Technical Reference for the Information Card Profile V1.0 [InfoCard-Ref], which provides the normative schema definitions and behaviors referenced by the Guide to the Information Card Profile V1.0. Status The Information Card Profile V1.0 was used to implement Windows CardSpace V1.0, which is part of Microsoft .NET Framework 3.0 [.NET3.0], and Internet Explorer 7. Other implementations following these specifications should be able to interoperate with the Microsoft implementation. Version 1.0 Page 1 of 13 Table of Contents 1. Introduction 2.
    [Show full text]
  • Security Policy Page 1 of 20
    Security Policy Page 1 of 20 Security Policy This security policy contains data to configure services and network security based on the server’s role, as well as data to configure registry and auditing settings. Server: VENGWIN207 Services Service Name Startup Mode Description Issues, manages, and removes X.509 certificates for such applications such as Active Directory Certificate S/MIME and SSL. If the service is stopped, Disabled Services certificates will not be issued. If this service is disabled, any services that explicitly depend on it will fail to start. AD DS Domain Controller service. If this service is stopped, users will be unable to log Active Directory Domain Services Disabled on to the network. If this service is disabled, any services that explicitly depend on it will fail to start. AD FS Web Agent Authentication The AD FS Web Agent Authentication Service Disabled Service validates incoming tokens and cookies. Adobe Acrobat Updater keeps your Adobe Adobe Acrobat Update Service Automatic software up to date. Sends logging messages to the logging database when logging is enabled for the Active Directory Rights Management Services role. If this service is disabled or stopped AdRmsLoggingService Disabled when logging is enabled, logging messages will be stored in local message queues and sent to the logging database when the service is started. Processes application compatibility cache Application Experience Disabled requests for applications as they are launched Provides administrative services for IIS, for example configuration history and Application Pool account mapping. If this Application Host Helper Service Disabled service is stopped, configuration history and locking down files or directories with Application Pool specific Access Control Entries will not work.
    [Show full text]
  • A One-Page Introduction to Windows Cardspace Michael B
    A One-Page Introduction to Windows CardSpace Michael B. Jones, Microsoft Corporation, January 2007 © 2007 Microsoft Corporation. All rights reserved. Many of the problems facing the Internet today stem from the lack of a widely deployed, easily understood, secure identity solution. Microsoft’s Windows CardSpace software and the “Identity Metasystem” protocols underlying it are aimed at filling this gap using technology all can adopt and solutions all can endorse, putting people in control of their identity interactions on the Internet. One problem people face is knowing whether they’re at a legitimate web site or a malicious site. This is an identity problem: a problem with reliably identifying authentic sites to their users. People also face numerous problems in identifying themselves to the sites they use. Username/password authentication is the prevailing paradigm, but its weaknesses are all too evident on today’s Internet. Password reuse, insecure passwords, forgotten passwords, and poor password management practices open a world of attacks by themselves. Combine that with the password theft attacks enabled by counterfeit web sites and man-in-the-middle attacks and today’s Internet is an attacker’s paradise. CardSpace is part of the solution to all of these problems. The Windows CardSpace software enables people to maintain a set of personal digital identities that are shown to them as visual “Information Cards”. These cards are easier to use than passwords. Furthermore, they employ strong cryptography, making them significantly more secure than passwords and other information typed into web forms. There are three participants in any digital identity interaction using CardSpace: Identity Providers issue digital identities for you.
    [Show full text]
  • Federated Identity and Trust Management
    Redpaper Axel Buecker Paul Ashley Neil Readshaw Federated Identity and Trust Management Introduction The cost of managing the life cycle of user identities is very high. Most organizations have to manage employee, business partner, and customer identities. The relationship between the business and these individuals can change frequently, and each change requires an administrative action. For the individuals also the situation is unsatisfactory, because they need to create separate accounts at all the businesses that they access. A federation is defined as a group of two or more business partners who work together. This federation can be formed to provide a better experience for their mutual customers, to reduce identity management costs, or both. For example, a financial institution might want to provide seamless access for their high-value clients to financial market information provided by a third-party research firm. Government departments might want to collaborate to provide a single citizen login for their government services. A small online store might not want to manage large numbers of customer records and instead prefer to partner with a financial institution to provide that service. In all of these cases, the businesses need to work together to create a business federation. Business federations are built on trust relationships. These trust relationships are created using out-of-band business and legal agreements between the federation participants. These agreements must be in place before a federation can begin to operate.1 After the business and legal agreements are in place, these partners can begin to operate together using technology that supports the federation arrangements.
    [Show full text]
  • The 7 Things You Should Know About Federated Identity Management
    THINGS YOU SHOULD KNOW ABOUT… FEDERated IDENTITY Management What is it? Identity management refers to the policies, processes, and technologies that establish user identities and enforce rules about Scenario access to digital resources. In a campus setting, many information Gillian’s graduate work in oceanography involves enormous systems—such as e-mail, learning management systems, library da- amounts of water-quality data from many sources along the tabases, and grid computing applications—require users to authen- Atlantic seaboard as well as the West Coast. From her insti- ticate themselves (typically with a username and password). An tution in Florida, she collects and analyzes data sets from authorization process then determines which systems an authenti- laboratories and oceanographic facilities affiliated with oth- cated user is permitted to access. With an enterprise identity man- er colleges and universities, government agencies, and even agement system, rather than having separate credentials for each some private organizations. Not only do these entities share system, a user can employ a single digital identity to access all re- data with Gillian from their underwater instrumentation, but sources to which the user is entitled. Federated identity manage- some also allow her to remotely access specialized applica- ment permits extending this approach above the enterprise level, tions they have developed. creating a trusted authority for digital identities across multiple or- ganizations. In a federated system, participating institutions share Enabling this level of collaboration to take place in a man- identity attributes based on agreed-upon standards, facilitating ageable way is a federated identity system that includes all authentication from other members of the federation and granting of the organizations in Gillian’s research as members.
    [Show full text]
  • Securing Digital Identities in the Cloud by Selecting an Apposite Federated Identity Management from SAML, Oauth and Openid Connect
    Securing Digital Identities in the Cloud by Selecting an Apposite Federated Identity Management from SAML, OAuth and OpenID Connect Nitin Naik and Paul Jenkins Defence School of Communications and Information Systems Ministry of Defence, United Kingdom Email: [email protected] and [email protected] Abstract—Access to computer systems and the information this sensitive data over insecure channels poses a significant held on them, be it commercially or personally sensitive, is security and privacy risk. This risk can be mitigated by using naturally, strictly controlled by both legal and technical security the Federated Identity Management (FIdM) standard adopted measures. One such method is digital identity, which is used to authenticate and authorize users to provide access to IT in the cloud environment. Federated identity links and employs infrastructure to perform official, financial or sensitive operations users’ digital identities across several identity management within organisations. However, transmitting and sharing this systems [1], [2]. FIdM defines a unified set of policies and sensitive information with other organisations over insecure procedures allowing identity management information to be channels always poses a significant security and privacy risk. An transportable from one security domain to another [3], [4]. example of an effective solution to this problem is the Federated Identity Management (FIdM) standard adopted in the cloud Thus, a user accessing data/resources on one secure system environment. The FIdM standard is used to authenticate and could then access data/resources from another secure system authorize users across multiple organisations to obtain access without both systems needing individual identities for the to their networks and resources without transmitting sensitive single user.
    [Show full text]
  • Tweakhound, Windows 7 Beta Default Services
    Sheet1 Name Startup Type Adaptive Brightness Manual AppID Service Manual Application Experience Manual Application Information Manual Application Layer Gateway Service Manual Application Management Manual Background Intelligent Transfer Service Automatic (Delayed Start) Base Filtering Engine Automatic BitLocker Drive Encryption Service Manual Block Level Backup Engine Service Manual Bluetooth Support Service Manual BranchCache Manual Certificate Propagation Manual CNG Key Isolation Manual COM+ Event System Automatic COM+ System Application Manual Computer Browser Automatic Credential Manager Service Manual Cryptographic Services Automatic DCOM Server Process Launcher Automatic Desktop Window Manager Session Manager Automatic DHCP Client Automatic Diagnostic Policy Service Automatic Diagnostic Service Host Manual Diagnostic System Host Manual Disk Defragmenter Manual Distributed Link Tracking Client Automatic Distributed Transaction Coordinator Manual DNS Client Automatic Encrypting File System (EFS) Manual Extensible Authentication Protocol Manual Fax Manual Function Discovery Provider Host Manual Function Discovery Resource Publication Automatic Group Policy Client Automatic Health Key and Certificate Management Manual HomeGroup Listener Manual HomeGroup Provider Manual Human Interface Device Access Manual IKE and AuthIP IPsec Keying Modules Automatic Interactive Services Detection Manual Internet Connection Sharing (ICS) Disabled IP Helper Automatic IPsec Policy Agent Manual KtmRm for Distributed Transaction Coordinator Manual Link-Layer
    [Show full text]
  • Identity Platform Allows Users to Authenticate to Your Applications and Services, Like Multi- Tenant Saas Applications, Mobile/Web Apps, Games, Apis and More
    1/25/2020 Authentication Identity Platform allows users to authenticate to your applications and services, like multi- tenant SaaS applications, mobile/web apps, games, APIs and more. Identity Platform provides secure, easy-to-use authentication if you're building a service on Google Cloud, on your own backend or on another platform. Identity Platform provides backend services and works with the easy-to-use SDKs and ready- made UI libraries to authenticate users to your app. It supports authentication using passwords, phone numbers, popular federated identity providers like Google, Facebook, Twitter, and any provider that supports SAML or OpenID Connect protocol. Identity Platform integrates tightly with Google Cloud services, and it leverages industry standards like OAuth 2.0 and OpenID Connect, so it can be easily integrated with your custom backend. You can use the SDK to integrate one or more sign-in methods into your app. Authentication using the SDK Email and password based Authenticate users with their email addresses and passwords. The SDK pro authentication methods to create and manage users that use their email addresses and pa to sign in. Identity Platform also handles sending password reset emails. iOS (https://rebase.google.com/docs/auth/ios/password-auth) Android (https://rebase.google.com/docs/auth/android/password-auth Web (https://rebase.google.com/docs/auth/web/password-auth) C++ (https://rebase.google.com/docs/auth/cpp/password-auth) Unity (https://rebase.google.com/docs/auth/unity/password-auth) Federated identity provider Authenticate users by integrating with federated identity providers. The SD integration methods that allow users to sign in with their Google, Facebook, Twitter, an accounts.
    [Show full text]
  • Detecting Abuse of Authentication Mechanisms
    National Security Agency | Cybersecurity Advisory Detecting Abuse of Authentication Mechanisms Summary Malicious cyber actors are abusing trust in federated authentication environments to access protected data. The exploitation occurs after the actors have gained initial access to a victim’s on-premises network. The actors leverage privileged access in the on-premises environment to subvert the mechanisms that the organization uses to grant access to cloud and on-premises resources and/or to compromise administrator credentials with the ability to manage cloud resources. The actors demonstrate two sets of tactics, techniques, and procedures (TTP) for gaining access to the victim network’s cloud resources, often with a particular focus on organizational email. In the first TTP, the actors compromise on-premises components of a federated SSO infrastructure and steal the credential or private key that is used to sign Security Assertion Markup Language (SAML) tokens (TA00061, T1552, T1552.004). Using the private keys, the actors then forge trusted authentication tokens to access cloud resources. A recent NSA Cybersecurity Advisory warned of actors exploiting a vulnerability in VMware Access®2 and VMware Identity Manager®3 that allowed them to perform this TTP and abuse federated SSO infrastructure [1]. While that example of this TTP may have previously been attributed to nation-state actors, a wealth of actors could be leveraging this TTP for their objectives. This SAML forgery technique has been known and used by cyber actors since at least 2017 [2]. In a variation of the first TTP, if the malicious cyber actors are unable to obtain an on-premises signing key, they would attempt to gain sufficient administrative privileges within the cloud tenant to add a malicious certificate trust relationship for forging SAML tokens.
    [Show full text]