SESSION CODE: SIA305 | Top 3 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove | Christian Paquin, Senior Program Manager, Microsoft Corporation
Identity landscape • More and more business/government services are migrated online • Improves convenience • Reduces costs • High-value transactions require a high level of identity assurance • Usernames/passwords are ubiquitous, but provide only low assurance (NIST's levels of assurance, LoA) • Conventional "enterprise" solutions (e.g., Kerberos, PKI) don't scale or are not flexible enough for an internet-wide system • How can you show some ID online, just like in real life?
Identity federation • Most popular proposed architecture • Very flexible • Easy to deploy • Many protocols: WS-Federation/Trust, SAML, Information Cards, OpenID, OAuth, … • But many challenges • Security • Privacy • Scalability
Federated architecture (diagram) • Parties: Client, Identity Provider (IdP) running a Security Token Service (STS), Relying Party (RP); the RP trusts the IdP • 1. Request access (Client → RP) • 2. Policy, i.e. the RP's token requirements (RP → Client) • 3. Token request (Client → IdP STS) • 4. Token response (IdP STS → Client) • 5. Token (Client → RP)
Challenge #1: Security • Compromise IdP credential, access all RPs • Phishing problem • Strong authentication to IdP is possible, but authentication to RP is weaker • Issued tokens are software only (token hijacking attacks, transferability) • IdP is all powerful • IdP (insider, malicious code) can surreptitiously act on the users’ behalf • Selectively deny access
Challenge #2: Privacy • IdP can profile user’s activities • Even if IdP doesn’t learn the visited RP, profiling is possible by colluding parties (or insiders) • Timing correlation • Unique correlation handles (e.g., digital signatures, serial numbers, etc.)
Challenge #3: Scalability • All tokens are retrieved on-demand • IdP must be available 24/7 • IdP is a central point of failure • Nice target for denial of service attack • IdP is a bottleneck for every user access
U-Prove Technology • Crypto technology combining the security of PKI with the flexibility of federation, providing privacy-by-design • Can be used to build various types of electronic credentials and entitlement documents • Has unique security, privacy, and efficiency benefits over “conventional” crypto tokens (X.509 certificates, SAML assertions, Kerberos tickets)
What’s new? Minimal disclosure! • U-Prove tokens contain no inescapable correlation handles • Token issuance and presentation are unlinkable • Think “coins” vs. “bills” • Users can disclose a subset of the encoded claims • To respond to unanticipated requests of RPs • Without invalidating the token integrity
Minimal disclosure illustrated (animated slide) • Gov issues Alice a token encoding: Name: Alice Smith; Address: 1234 Pine, Seattle, WA; Over-21: true • Coho Winery: "Prove that you are over 21 and from WA" • Alice discloses only that she is over 21 and from WA; the winery verifies the token but learns nothing else: "Which adult from WA is this?"
Underlying crypto • Based on the Brands protocols • 30+ papers (from ‘93 onward) • Evolution of PKI • MIT Press book, foreword by Ron Rivest • Issuance uses a “restrictive blind signature” • Issuer knows the attributes, but never sees the resulting public key and signature on tokens • Presentation uses a proof of knowledge • Prove a secret without leaking any info about it • Generalization of the Schnorr protocol
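The presentation step sketched on the minimal-disclosure slides and the "proof of knowledge … generalization of the Schnorr protocol" bullet above, as an added, simplified example. This is not U-Prove code and not the U-Prove specification: the restrictive blind signature of issuance is omitted (the token public key is computed directly from the attributes), so it shows selective disclosure and proof of knowledge of the undisclosed attributes, not unlinkable issuance. Assumptions: a demo-size Schnorr group generated at runtime, attribute strings constructed from the slide's Alice example, and a hypothetical RP-chosen nonce.

```python
import hashlib
import secrets
from typing import List

# Added illustration only: a generalized Schnorr proof of knowledge over a
# multi-attribute public key h = g0^alpha * g1^x1 * ... * gn^xn.
# Not U-Prove code; the blind-signature issuance step is omitted.


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin primality test; adequate for generating demo parameters."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(n_attrs: int, qbits: int = 160, pbits: int = 512):
    """Schnorr group (p, q) plus n_attrs+1 order-q generators g0..gn.
    Demo sizes (assumed); deployed parameters are far larger."""
    while True:
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        k = secrets.randbits(pbits - qbits) | (1 << (pbits - qbits - 1))
        p = k * q + 1
        if is_probable_prime(p):
            break
    gens: List[int] = []
    while len(gens) < n_attrs + 1:
        g = pow(2 + secrets.randbelow(p - 3), (p - 1) // q, p)
        if g != 1 and g not in gens:
            gens.append(g)
    return p, q, gens


def encode_attr(value: str, q: int) -> int:
    """Map an attribute string into Z_q."""
    return int.from_bytes(hashlib.sha256(value.encode()).digest(), "big") % q


def challenge(q: int, *items) -> int:
    """Fiat-Shamir challenge over h, the commitment, the disclosed values and the RP nonce."""
    digest = hashlib.sha256("|".join(str(i) for i in items).encode()).digest()
    return int.from_bytes(digest, "big") % q


def issue_token(p, q, gens, attrs: List[str]) -> dict:
    """Token public key h = g0^alpha * prod g_i^x_i; alpha is the user's private key."""
    xs = [encode_attr(a, q) for a in attrs]
    alpha = 1 + secrets.randbelow(q - 1)
    h = pow(gens[0], alpha, p)
    for g, x in zip(gens[1:], xs):
        h = h * pow(g, x, p) % p
    return {"h": h, "alpha": alpha, "xs": xs}


def present(p, q, gens, token: dict, disclose: List[int], rp_nonce: str) -> dict:
    """Prover: reveal attributes with 1-based index in `disclose`, prove knowledge of the rest."""
    hidden = [i for i in range(1, len(gens)) if i not in disclose]
    w = {i: secrets.randbelow(q) for i in [0] + hidden}  # fresh randomness per presentation
    a = pow(gens[0], w[0], p)
    for i in hidden:
        a = a * pow(gens[i], w[i], p) % p
    disclosed = {i: token["xs"][i - 1] for i in disclose}
    c = challenge(q, token["h"], a, sorted(disclosed.items()), rp_nonce)
    r = {0: (w[0] + c * token["alpha"]) % q}
    for i in hidden:
        r[i] = (w[i] + c * token["xs"][i - 1]) % q
    return {"h": token["h"], "a": a, "disclosed": disclosed, "r": r}  # no alpha, no hidden x_i


def verify(p, q, gens, proof: dict, rp_nonce: str) -> bool:
    """RP: divide the disclosed attributes out of h, then check the Schnorr equation."""
    disclosed, r = proof["disclosed"], proof["r"]
    c = challenge(q, proof["h"], proof["a"], sorted(disclosed.items()), rp_nonce)
    h_hidden = proof["h"]
    for i, x in disclosed.items():
        h_hidden = h_hidden * pow(gens[i], (q - x) % q, p) % p  # g_i^-x, since g_i has order q
    lhs = 1
    for i, ri in r.items():
        lhs = lhs * pow(gens[i], ri, p) % p
    return lhs == proof["a"] * pow(h_hidden, c, p) % p


if __name__ == "__main__":
    attrs = ["Alice Smith", "1234 Pine, Seattle, WA", "WA", "true"]  # constructed, per the slide
    p, q, gens = gen_params(len(attrs))
    tok = issue_token(p, q, gens, attrs)
    proof = present(p, q, gens, tok, [3, 4], "coho-winery-nonce-1")  # hypothetical RP nonce
    print("valid:", verify(p, q, gens, proof, "coho-winery-nonce-1"))
    print("replayed under another nonce:", verify(p, q, gens, proof, "other"))
```

Two practitioner points fall out of the code. The RP nonce is hashed into the challenge, so a captured proof cannot be replayed to another RP or in another session, which is the software-only token hijacking concern from Challenge #1. And the same h appears in every presentation of one token, so presenting a token twice is linkable; that is the "coins vs. bills" point, and why an issuer hands out a batch of tokens rather than one.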
Federation + U-Prove (diagram) • Same parties and trust relationship, but token retrieval is decoupled from access • A. Token request (Client → IdP STS) • B. Token response (IdP STS → Client): U-Prove tokens issued ahead of time • 1. Request access (Client → RP) • 2. Policy (RP → Client) • 3. Token (Client → RP), disclosing only the claims the policy requires
Unimplemented U-Prove features • Device-protected tokens • Privacy-preserving revocation • Proving attribute properties • Limited-use tokens • Zero-knowledge token presentation • Censoring of token presentation • Hiding the Issuer’s identity • Token recertification and updating • Verifiable attribute encryption
Key markets • E-Government (citizen identities) • E-Health (health record management) • Cloud computing ("don't trust us" cloud providers) • Document signing (with minimal disclosure) • Advertising (privacy-respecting ad platform) • E-Cash • Social Networking
Challenges, and how U-Prove helps • One technology to meet the desired levels of security, privacy, and scalability: • Security (token protection): Software | Shared | Hardware • Privacy: Anonymity | Pseudonymity | Full identification • Scalability (token retrieval): Offline | Mixed | Online
U-Prove Community Technology Preview • Specifications (released under Open Specification Promise) • U-Prove crypto specification (addressing feature subset) • Integration into the ID metasystem specification • Open-source crypto SDKs (implementing crypto spec) • Posted on Code Gallery, under the BSD license • C# and Java versions • Integration with Microsoft products • Modified version of Windows CardSpace 2.0 • Extension to the Windows Identity Foundation • Modified version of Active Directory Federation Services 2.0 http://www.microsoft.com/u-prove
Integration with Microsoft products • Windows Identity Foundation • U-Prove issuer key management • U-Prove aware STS for IdP • U-Prove token handler for RP • Active Directory Federation Services 2.0 • IP-STS • RP-STS • Windows CardSpace 2.0 • U-Prove aware information card • Retrieve, store, and present U-Prove tokens
Fraunhofer FOKUS / Microsoft demo • Secure and privacy-protecting student information card derived from the German eID card (video)
Demo architecture (diagram) • Components: German nPA card (eID), Windows CardSpace 2.0 on the client, Active Directory Federation Services 2.0 as the U-Prove issuer, and the OKS Registration, E-Book and OKS Feedback services • 1. Register online with the nPA card, get a student information card • 2. Prove registered-student status, view the e-book online • 3. Leave anonymous feedback
Configuring WIF to use U-Prove
Register the U-Prove WIF Extension in the application web.config:

<compilation>
  <assemblies>
    …
    <add assembly="Microsoft.IdentityModel.UProve, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
  </assemblies>
</compilation>
…
<microsoft.identityModel>
  <service>
    <serviceCertificate>…</serviceCertificate>
    <securityTokenHandlers>
      <add type="Microsoft.IdentityModel.UProve.Tokens.UProve.PresentationTokenHandler, Microsoft.IdentityModel.UProve, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
        <issuerParametersStore type="SampleIssuerParametersStore, UProveUtil, Version=1.0.0.0, Culture=neutral" />
      </add>
    </securityTokenHandlers>
    <audienceUris>…</audienceUris>
  </service>
</microsoft.identityModel>

The issuerParametersStore is where the RP's token handler looks up the Issuer parameters it trusts; SampleIssuerParametersStore is the CTP sample store.
Configuring AD FS 2.0 to use U-Prove
Use PowerShell to set up the server:

# Enable the EveryoneScope
Enable-ADFSRelyingPartyTrust -TargetName EveryoneScope
# Adjust the lifetime of issued U-Prove tokens (optional)
# Set-ADFSRelyingPartyTrust -TargetName EveryoneScope -TokenLifetime 11520
# Adjust the number of U-Prove tokens issued in one batch (optional)
# Set-ADFSProperties -DisconnectedTokenCount 25
# Generate Issuer parameters and private key (valid for 5 years)
Set-ADFSIssuanceParameters -Lifetime 1825.00:00:00.00
# Export the signed Issuer parameters (distributed to Relying Parties)
$ipLocation = "c:\users\public\issuance.xml"
Export-ADFSIssuanceParameters -Path $ipLocation
# Update the information card to support U-Prove tokens
Update-ADFSInformationCard
U-Prove Resources • Videos: • Scott Charney's RSA announcement: http://www.rsaconference.com/2010/usa/recordings/keynote-catalog.htm • Intro: http://channel9.msdn.com/shows/Identity/Announcing-Microsofts-U-Prove-Community-Technical-Preview-CTP • Technology overview: http://edge.technet.com/Media/Learn-what-Microsofts-U-Prove-release-is-all-about • U-Prove Community Technology Preview: • Download location: http://www.microsoft.com/u-prove • Developer video: http://channel9.msdn.com/shows/Identity/U-Prove-CTP-a-developers-perspective/
Identity and Access Management Enable more secure, identity-based access to applications on-premises and in the cloud from virtually any location or device PROTECT everywhere ACCESS anywhere INTEGRATE and EXTEND security SIMPLIFY security, MANAGE compliance • Provide more secure, always-on access • Enable access from virtually any device • Control access across organizations • Provide standards-based interoperability • Extend powerful self-service capabilities to users • Automate and simplify management tasks
Business Ready Security Solutions Secure Messaging Secure Collaboration Secure Endpoint Information Protection Identity and Access Management
Related Content
• SIA321 | Business Ready Security: Exploring the Identity and Access Management Solution
• SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
• SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
• SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
• SIA304 | Identity and Access Management: Windows Identity Foundation Overview
• SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
• SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
• SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT
• SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
• SIA319 | Microsoft Forefront Identity Manager 2010: In Production
• SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
• SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
• SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
• SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager
• SIA06-INT | Identity and Access Management Solution Demos
• SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
• SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory
• Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution
Track Resources Learn more about our solutions: • http://www.microsoft.com/forefront Try our products: • http://www.microsoft.com/forefront/trial
Resources • Learning: Sessions On-Demand & Community (www.microsoft.com/teched) • Microsoft Certification & Training Resources (www.microsoft.com/learning) • Resources for IT Professionals (http://microsoft.com/technet) • Resources for Developers (http://microsoft.com/msdn)
Complete an evaluation on CommNet and enter to win!
Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st: http://northamerica.msteched.com/registration • You can also register at the North America 2011 kiosk located at registration • Join us in Atlanta next year
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.