Enterprise Identity Management


Academic year: 2021


(1)

Enterprise Identity Management

[email protected]

[email protected]

With inputs from:

IAM Course; Institute for Internet Technologies and Applications, University of Applied Sciences, Rapperswil, Switzerland

(2)

Agenda

IAM topics and concepts

Common technical approaches

Security of Internet banking authentication

Enterprise Identity Management (EIM)

Electronic Identity Management (IdM)

Identity and Access Management (IAM)

(3)

Digital Identity

„On the Internet, nobody knows you're a dog“

Cartoon by Peter Steiner, July 5, 1993, The New Yorker (Vol. 69, No. 20)

31.5.2007 3

(4)

This is why most businesses look like this

(5)

IdM: Three Perspectives

In the real world context of engineering online systems, identity management can be given three perspectives:

• The pure identity paradigm ‐ creation, management and deletion of identities without regard to access or entitlements;

• The user access (log‐on) paradigm ‐ a smart card and its associated data that a customer uses to log on to a service or services (a traditional view);

• The service paradigm ‐ a system that delivers personalized, role‐based, online, on‐demand, multimedia (content), presence‐based services to users and their devices.

http://www.wikipedia.org/

(6)

IAM Process Framework

[Figure: the framework relates the three perspectives User access, Service and Identity to three models]

AM: Access Model
WM: Workflow Model
IM: Identity Model

(7)

Generalized Access Control System Scheme (4 A System)

[Figure: functional model of an access control system; components shown on the slide:]

• System to create policy sets
• System to create identity and authentication information
• Administration
• Identity Information Store (ID/PW)
• Policy Information Store (R/W/E)
• Authentication (authentication decision)
• Authorization (access decision)
• Auditing / Audit Log, recording:
  • administration activities
  • successful, failed logins (authentication)
  • accesses (authorization)

Source: Ant Allen, "A Functional Model Aids Understanding of Identity and Access Management Tools", Gartner Group Research Report ID Number G00130381, 15

(8)

Gartner IAM Hype Cycle (June 2006)

(9)

some Wikipedia definitions

Active Directory is an implementation of LDAP directory services by Microsoft for use primarily in Windows environments.

basic authentication scheme is a method designed to allow a web browser, or other client program, to provide credentials – in the form of a user name and password – when making a request.

Federation is a new approach, …, which uses standards‐based protocols to enable one application to assert the identity of a user to another.

Kerberos is a popular mechanism for applications to externalize authentication entirely…

Single sign‐on (SSO) is a specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple software systems…

Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between security domains.

http://www.wikipedia.org/

(10)

(11)

Windows AD

[Figure: Windows AD topology with domain controllers (DC), servers (Srv) and Clients]

(12)

Windows AD based authentication (KERBEROS setup)

[Figure: message flow between User, Client, DC (KERBEROS) and Target]

• User → Client: PW
• Client → DC: authentication request; DC → Client: Ticket Granting Ticket (TGT)
• Client → DC: TGT; DC → Client: Ticket (for the target service)
• Client → Target: Ticket

(13)

Windows Smart Card LogOn

[Figure: smart card logon flow between Client and DC (Kerberos KDC)]

• User → Client: PIN (unlocks the card, which holds the Certificate)
• Client → DC: Certificate
• DC checks the Certificate against the AD user cert and returns EPK[TGT] (the TGT, encrypted with the user's public key)
• Client uses the card to decrypt EPK[TGT] and obtains the TGT

(14)

Web based SSO

[Figure: several web servers (Srv) and Clients sharing one sign-on]

(15)

HTTP Basic Authentication

Schemes shown: • Basic • NTLM • Digest

[Figure: exchange between WWW Client and WWW Server]

• Client → Server: GET /
• Server → Client: HTTP/1.1 401 Unauthorized
  WWW‐authenticate: Basic realm=„MyServer"
• Client → Server: GET /
  Authorization: Basic QWxhZGRpbjpv (base64 of user name and password)
• Server → Client: Show Document

RFC 2617 ‐ HTTP Authentication: Basic and Digest Access Authentication, June 1999.
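Server-side handling of the Basic exchange shown above, as an added example that is not from the slides: it builds the 401 challenge with the slide's realm, parses the Authorization header (base64 of user:password, split at the first colon only), and checks the credentials against a hashed user store with a constant-time comparison so that neither the plaintext is stored nor the response time reveals which user names exist. The user name, password and salt are constructed values.

```python
import base64
import binascii
import hashlib
import hmac

REALM = "MyServer"  # realm value as on the slide


def challenge_response():
    """Reply sent when no usable credentials arrived (RFC 2617, section 2)."""
    return "HTTP/1.1 401 Unauthorized", {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def encode_basic(user, password):
    """Client side: build the Authorization header value (user:password, base64)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header_value):
    """Return (user, password) from 'Basic <base64>', or None if the header is malformed.
    Only the first ':' separates the two parts, so the password itself may contain ':'."""
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    if ":" not in text:
        return None
    user, _, password = text.partition(":")
    return user, password


def _hash_password(password, salt):
    """Salted PBKDF2 so the store never holds the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user store: {user: (salt, pbkdf2 hash)}. A real store uses a random salt per user.
_SALT = b"constructed-fixed-salt"
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}
_DUMMY = _hash_password("placeholder", _SALT)  # compared against for unknown users


def authenticate(headers):
    """Return ('ok', user) or ('challenge', status_line, response_headers)."""
    value = headers.get("Authorization")
    creds = parse_basic_authorization(value) if value else None
    if creds is None:
        return ("challenge",) + challenge_response()
    user, password = creds
    salt, stored = USERS.get(user, (_SALT, _DUMMY))
    # Hash and compare for unknown users too, so response time does not reveal valid names.
    if hmac.compare_digest(_hash_password(password, salt), stored) and user in USERS:
        return "ok", user
    return ("challenge",) + challenge_response()


if __name__ == "__main__":
    print(authenticate({}))
    print(authenticate({"Authorization": encode_basic("alice", "correct horse")}))
```

Basic sends the password in reversible encoding on every request, so this check only makes sense over TLS; the hashing here protects the stored credentials, not the wire.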

(16)

Secure Entry Server (Gateway) setup

[Figure: Client reaches the internal servers (Srv) only through the Secure Entry Server (SES), which handles the Login]

(17)

SSL Client Certificate Authentication

[Figure: sequence between User, client, web server and auth srv]

• client → web server: https://…….
• web server → client: Client certificate request (challenge)
• User → client: PIN (unlocks the secret key)
• client: Retrieve secret key; Sign challenge; send response
• web server: Check signature
• auth srv: Retrieve user; Check user

(18)

SECURE INTERNET BANKING AUTHENTICATION

(19)

Attacks to be considered

Fake Login (Theft of credentials):
• Phishing (passive)
• MitM (Phishing active)
• Trojans

Fake Transactions:
• Session hijacking
• Session riding (html)
• Trojans

(20)

One Time Password: Scratch list

• Client uses next password
• widely used in Telebanking
• Sent to user over independent channel
• Created „randomly“

Scratch list (example): 7563 1329 2009 1223 1569 0909 7443 1432 2333 2673 1667 1414 7823 3489 ....

In use: 

(21)

Challenge Response: Grid card (Matrix‐Karte)

• Client answers with password upon password number request
• used in Telebanking
• Sent to user over independent channel
• Created „randomly“

Grid card (example):
01 751163   11 132329   21 205609
02 122433   12 154669   22 093109
03 744293   13 149832   23 112333
04 267213   14 166657   24 122414
....        ....        ....

In use: 
‐ Zürcher Kantonalbank
‐ Banque Cantonale Vaudoise
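Server-side verification for the two paper-based schemes on the preceding slides (scratch list and grid card), as an added example that is not from the slides: the scratch list is consumed strictly in order with one use per code, and the grid card server issues the "password number request" by picking a not-yet-used cell and accepting that cell's value exactly once. The sample list and grid values are the ones printed on the slides; the failure counter and its lockout threshold are assumptions.

```python
import secrets

# Sample values as printed on the slides.
SAMPLE_SCRATCH_LIST = ["7563", "1329", "2009", "1223", "1569", "0909", "7443", "1432", "2333"]
SAMPLE_GRID = {
    "01": "751163", "11": "132329", "21": "205609",
    "02": "122433", "12": "154669", "22": "093109",
    "03": "744293", "13": "149832", "23": "112333",
    "04": "267213", "14": "166657", "24": "122414",
}
MAX_FAILURES = 3  # assumed lockout threshold


def generate_scratch_list(count=9, digits=4):
    """Create a fresh list with a CSPRNG; the slides say lists are created 'randomly'."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(count)]


class ScratchListVerifier:
    """One-time passwords used strictly in order: the next unused entry is the only valid one."""

    def __init__(self, codes):
        self.codes = list(codes)
        self.position = 0
        self.failures = 0

    def remaining(self):
        return len(self.codes) - self.position

    def verify(self, code):
        if self.failures >= MAX_FAILURES or self.remaining() == 0:
            return False
        if secrets.compare_digest(self.codes[self.position], code):
            self.position += 1      # consumed: this code is never accepted again
            self.failures = 0
            return True
        self.failures += 1
        return False


class GridCardVerifier:
    """Challenge/response: the server names a cell number, the client answers with that cell's value."""

    def __init__(self, cells):
        self.cells = dict(cells)
        self.used = set()
        self.pending = None

    def challenge(self):
        """The 'password number request': a random not-yet-used cell, or None when exhausted."""
        unused = sorted(set(self.cells) - self.used)
        if not unused:
            return None
        self.pending = secrets.choice(unused)
        return self.pending

    def verify(self, answer):
        cell = self.pending
        self.pending = None          # one answer per challenge; a new request is needed afterwards
        if cell is None or cell in self.used:
            return False
        if secrets.compare_digest(self.cells[cell], answer):
            self.used.add(cell)      # each cell is accepted once
            return True
        return False
```

Both verifiers keep their state per user on the server; the card is exhausted once every cell has been accepted, which is why the slides treat the list as a consumable sent over an independent channel.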

(22)

Traditional Token Examples

Physical Devices
• Locks
• Tags/Cards (may be contactless)
• Special computers
• Mobile phones (SMS)

(23)

SMS Authentication

http://www.postbank.de

Announced by: ‐ ZKB ‐ Raiffeisen

[Figure: sequence between mobile, user, client and server]

• user → client → server: Contract, PIN
• server → mobile: mTAN
• user → client → server: mTAN

(24)

axsionics

• Fingerprint reader
• Flickering interface
• Large display
• Optional card reader

[Figure: sequence between User, token, client and server]

• server → client → token: challenge
• User → token: finger (fingerprint)
• token → client → server: response

(25)

EMV CAP (Card Authentication Protocol)

• The card is inserted into the PCR
• The PCR asks for a challenge; the bank host generates the challenge
• The challenge is typed into the PCR
• The PCR asks for the card PIN
• The PIN is typed into the offline PCR
• If the PIN is correct, the chip generates a „One Time“ password
• The bank host authenticates the „One Time“ password

Promoted by: ‐ Telekurs

(26)

One‐Time‐Password: Dynamic Password Generator

• Number changes every 60 seconds
• Time sync allows typically 3 possible codes (3 min interval)
• Security discussion Dec 2001 due to claimed emulation program
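A time-synchronised generator and its server-side check, as an added example that is not from the slides: codes are derived with HMAC over a 60-second time counter (the HOTP truncation of RFC 4226 applied to a time counter), and the verifier tolerates one step of clock drift in either direction, which is the "typically 3 possible codes" in a 3-minute interval stated on the slide. The secret is a constructed value, and the replay guard (never accept a step at or before the last accepted one) is an assumption about a sensible server.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # slide: the displayed number changes every 60 seconds
DRIFT_STEPS = 1     # accept counter-1, counter, counter+1: three codes, a 3-minute interval
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def time_counter(unix_time, step=STEP_SECONDS):
    """The value token and server must agree on: whole steps since the epoch."""
    return int(unix_time) // step


def token_display(secret, unix_time=None):
    """What the token shows now (or at the given time)."""
    return hotp(secret, time_counter(time.time() if unix_time is None else unix_time))


class TimeTokenVerifier:
    """Server side: accept the current step or one step either side, each step only once."""

    def __init__(self, secret, drift_steps=DRIFT_STEPS):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_counter = -1   # replay guard (assumed): a step is good for one login only

    def verify(self, code, unix_time):
        base = time_counter(unix_time)
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-token-secret"
    now = time.time()
    code = token_display(secret, now)
    print(code, TimeTokenVerifier(secret).verify(code, now))
```

The drift window is the trade-off the slide's "3 possible codes" describes: a wider window absorbs more clock skew but multiplies the number of codes an attacker could guess per step, so the server should also rate-limit attempts.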

(27)

Challenge Response Tools

• SW:
  – S/Key
• HW:
  – RSA SecurID
  – Vasco Digipass Token
  – ..

In use: 
‐ UBS Telebanking
‐ Migrosbank Smart Card

(28)

A Classification of measures

To protect Login
• Static
  – Password / PIN
• Dynamic
  – Scratch list, matrix card PIN
  – Code – Token „autonomous“
  – Token Challenge / Response
  – SMS token / Axsionics
• SSL certificate
  – Hard
  – Soft

[Figure: User – token – server, PW]

To protect Transactions
• Secure session management
• autonomous code (TAN)
• Transaction based code

(29)

The Evaluation

[Table: the slide rates each attack against each measure; the ratings themselves are not recoverable from the extracted text. Headings:]

Columns, Login focus: static (password); dynamic (scratch list, auton. token, C/R token, SMS token); SSL cert (hard, soft)
Columns, Transaction focus: session mgmt; TAN auton.; Xact TAN; Client S (heading cut off in the extracted text)

Rows, login (theft of credentials): phishing passive; M‐i‐t‐M; Trojans
Rows, Transactions: session hijack; session riding (html); Trojans

(30)

References

http://iam‐wiki.org/Home
http://www.wikipedia.org
http://www.cnlab.ch
http://www.cnlab.ch/en/documents.html
