OATH Reference Architecture, Release 2.0 Initiative for Open Authentication (OATH)

The Initiative for Open AuTHentication (OATH) welcomes input, suggestions, and other feedback on this work from as broad a range of industry participants as possible, in order to improve its quality. Feedback should be sent to [email protected]. If you are interested in getting more information about OATH or joining OATH, please contact [email protected] or visit http://www.openauthentication.org.

Copyright (c) 2004-2007, Initiative for Open AuTHentication. All Rights Reserved.

CONTENTS

1. Executive Summary 5
2. Abbreviations 6
3. OATH Vision and Goals 8
4. Usage Scenarios 10
   4.1. Remote Access 10
   4.2. Online Banking 10
   4.3. Telecommuting 10
   4.4. Client and Business Partner Extranet 11
   4.5. eGovernment 11
   4.6. 24x7 IT Infrastructure Support 11
   4.7. Wireless Roaming 11
   4.8. Desktop Logon 11
   4.9. Closed Network 12
5. Authentication Framework 13
   5.1. Client Framework 13
   5.2. Provisioning and Management Framework 13
   5.3. Validation Framework 14
   5.4. Applications 14
   5.5. Authorization 14
   5.6. User Store 14
   5.7. Policy Store 14
   5.8. Audit Store 14
   5.9. Authentication and Identity Sharing 14
   5.10. Risk Evaluation and Sharing 15
6. OATH Reference Architecture 16
   6.1. Client Framework 16
      6.1.1. High-Level Architecture 16
      6.1.2. Salient Features 17
      6.1.3. Authentication Methods 18
      6.1.4. Authentication Tokens 19
      6.1.5. Token Interface 20
      6.1.6. Authentication Protocols 21
   6.2. Validation Framework 22
      6.2.1. High-Level Architecture 22
      6.2.2. Salient Features 24
      6.2.3. Existing Standards and Technologies 25
      6.2.4. OATH Focus Areas 26
   6.3. Risk Evaluation and Sharing Framework 26
      6.3.1. High-Level Architecture 26
      6.3.2. Salient Features 27
      6.3.3. Existing Standards and Technologies 28
      6.3.4. OATH Focus Areas 28
   6.4. Provisioning and Management Framework 28
      6.4.1. High-Level Architecture 29
      6.4.2. Salient Features 30
      6.4.3. Existing Standards and Technologies 31
      6.4.4. OATH Focus Areas 32
   6.5. Common Data Model 33
      6.5.1. Existing Standards and Technologies 33
      6.5.2. OATH Focus Areas 34
   6.6. Authentication and Identity Sharing 34
      6.6.1. Authentication Sharing 35
      6.6.2. Identity Sharing 38
      6.6.3. Traditional Federated Identity 38
      6.6.4. User-centric Identity Sharing 39
      6.6.5. OATH Focus Areas 40
7. Example Deployment Scenario 41
8. Summary of OATH Focus Areas 44
9. References 46
10. Contributing Members 49

1. Executive Summary

This document specifies version 2.0 of the reference architecture for the Initiative for Open AuTHentication (OATH). The OATH Reference Architecture document describes a high-level technical framework for open authentication, as envisioned by the OATH member companies. The reference architecture is intended to explain OATH's vision for authentication, as well as to provide a high-level technical roadmap for its work.

The intended audience includes decision makers and technical architects from OATH member and nonmember companies, IT managers and architects from organizations that are considering deploying strong authentication solutions, and other standards organizations that share all, or part, of the OATH vision.

The work has been driven by the following guiding principles:

• Open and royalty-free specification - OATH intends to establish an open and royalty-free specification for strong authentication by leveraging existing open standards, where possible, and leading standardization efforts in well-established technical standards bodies where existing standards are not available.

• Device innovation and embedding - OATH intends to specify components for low-cost, multi-function authentication devices (e.g.