
Page 1: Trusted Systems Laboratory Hewlett-Packard Laboratories Bristol, UK InfraSec 2002 InfraSec 2002 Bristol, 01-03 October 2002 Marco Casassa Mont Richard

Trusted Systems Laboratory
Hewlett-Packard Laboratories
Bristol, UK

InfraSec 2002
Bristol, 01-03 October 2002

Marco Casassa Mont
Richard Brown
[email protected]
[email protected]

Active Digital Credentials:
Dynamic Provision of Up-to-Date Identity Information

Page 2

Outline

• Problem: Provision of Up-to-Date Certified Information in Dynamic Environments

• Limitations of Current Solutions

• Proposed Model: Active Digital Credentials

• Discussion

• Conclusions

Page 3

Trends

• Increase of e-Commerce, B2B and Government Transactions and Interactions on the Internet

• E-Commerce Initiatives Aiming at Enhancing and Simplifying Customer Experiences (MS Passport, Liberty Alliance)

• Usage of PKI and Digital Certificates to underpin Government and Business Initiatives

• Increase of the Number of Interactions with a Lack of Prior Knowledge about the Involved Parties

Page 4

Role of Digital Identities and Profiles

Identities and Profiles are Key Enablers of Interactions and Transactions on the Internet for E-commerce, Enterprises, Social Purposes and with Government Institutions

Page 5

Problems

• Trustworthiness of the Involved Parties

• Authenticity of Identity and Profile Information

• Provision of Valid and Up-to-Date Identity and Profile Information

Page 6

Focus of this Work

Provision of Up-to-Date Certified Identity and Profile Information in Dynamic Environments:

- dynamic changes of financial profile, reputation, rating, etc. depending on transactions, interactions, etc.

- dependency on contextual information

- …

Page 7

Digital Credentials and Public Key Infrastructures

• Digital Credentials: Viable Way to Supply Certified Information.

• PK Infrastructures Provide Mechanisms for Verification of Validity and Trustworthiness of the Involved Parties

• Support for Lifecycle Management of Credentials

Page 8

Classic X.509 PKI

[Diagram: Certification Authority (Credential Issuer), Credential Owner, Relying Parties and Trusted Information Providers, linked by Issuance, Disclosure, Lifecycle Management, Request, Interpretation and Verification]

Page 9

X.509 PKI

• Certification Authority (CA) must Assess the Validity and Trustworthiness of the Information to be Certified

• Reliance on CAs for the Provision of Accountable Lifecycle Management of Digital Certificates (including keeping Certificate Revocation Lists - CRLs - up-to-date)

• Relying Parties must check the validity of Digital Credentials (CRLs, OCSP Responders, etc.)

Page 10

X.509 PKI

• Complexity of Dealing with Trust Assessment and Validation of Digital Certificates (CA chains)

• Scalability Problem of Certification Chains

• Problem of supplying Certified Information in case of Dynamic Contexts:

- validity of certified information

- accuracy of certified information

- trustworthiness of certified information

Page 11

Current Approach for X.509 PKI

[Diagram: an X.509 Identity Certificate and an X.509 Attribute Certificate, each carrying a Signature, with fields such as Issuer DN, Serial Number, Credit card: …, Expiration: …]

Separation of “Duties”:

• X.509 Identity Certificate: “medium-term” certified Information

• X.509 Attribute Certificate: “short-term” certified Information

Page 12

Issues

• X.509 Identity and Attribute Certificates contain a Snapshot of the certified Information, at the Issuance Time

• Short term expiration dates, frequent revocations and Proliferation of Certificates create Complexity and Confusion

• The whole certificate must be Revoked even if only a subset of the Information contained in a Certificate is not valid anymore

The off-line usage of Identity and Attribute Certificates is a myth! Relying Parties must verify (on-line) the validity of Certificates (by accessing CRLs, OCSP, etc.)

• Certification Authorities should check for the Validity of the Certified Information at the Source of this Information and Update CRLs

Page 13

Issues

• Alternative PK Approaches (SPKI, etc.) based on Certificates have the same Problem.

• Alternative Approaches based on on-the-fly Assertion of Identity and Profile Information (for example SAML) only provide a Certified Snapshot of this Information.

Page 14

Our Proposal:

Active Digital Credentials

Page 15

Active Digital Credential

It is a Certified Collection of Attributes along with Embedded Mechanisms to Retrieve and Calculate Attributes’ Values by Executing Local Computation

Objectives:

• Cope with Dynamic Identity and Profile Information (financial, trust, rating, etc.)

• Provision of Up-to-Date Certified Information and Added-value Aggregation of this Information

• Address the Complexity of Current Lifecycle Management by Reducing the need for Certificate Revocation

Page 16

Active Digital Credential Model

• Extension of Current Digital Certificate Model, by adding Dynamic Computational Aspects

• Described in the Context of the X.509 PKI (but not limited to the X.509 Model)

• Work in progress …

Page 17

Active Digital Credential

[Diagram: an Active Digital Credential holding Attributes (Attribute Name, Attribute Value, Validity/Trust), such as Credit Limit, Credit Rating and Location, whose values are obtained by Local Processing and by Local/Remote Interactions with external sources: a Bank, an Enterprise, a Government]

Page 18

Active Digital Credential

[Diagram: structure of an Active Digital Credential. Payload: Attribute 1 … Attribute n, each with a Value, Attribute Properties and a Trustworthiness measure computed by embedded Functions (Function 1 … Function k); a Global Trust Attribute and a Validity Attribute computed by further Functions (Function x, Function y); Code; Trust Info & Signature; Signature. The embedded functions interact with EXTERNAL SOURCES]

Page 19

Active Digital Credential Model

[Diagram: Credential Issuer, Credential Owner and Relying Parties, linked by Issuance, Disclosure, Lifecycle Management, Request and Interpretation; the Active Digital Credential's Embedded Code performs Local Processing and obtains Dynamic Content Provision from Trusted Information Providers]

Page 20

Active Digital Credentials: Properties

Embedded Code Provides Dynamic and Fine-Grained Evaluation of:

• Values of Credential Attributes

• Validity and Trustworthiness of these Attributes

• Validity and Trustworthiness of the Whole Digital Credential

Local Elaboration Allows:

• Aggregation of Multiple Attribute Values

• Correlation of Information Fetched from Heterogeneous Sources

Page 21

Active Digital Credentials: Properties

• The Validity and Trustworthiness of an Active Credential and of any of its Attributes does not need to be Binary (Valid, Not Valid). Fuzziness is allowed.

• Some of the Credential Attributes Might Not be Valid Anymore, but this Does Not Necessarily Compromise the Validity of the Entire Credential and the other Attributes

• Embedded Functions can be used to Implement Fine-Grained Decaying Credentials, depending on the Time Factor
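As an added illustration of the properties above (not code from the paper or the authors' prototype), a toy Active Digital Credential in Python: each attribute carries an embedded function that returns a value and a non-binary trust score, stale attributes decay with time, and a Global Trust attribute aggregates the scores so that one invalid attribute does not invalidate the whole credential. The provider records, half-lives and mean-based aggregation are constructed assumptions.

```python
# Toy model of an Active Digital Credential (added example, not the authors'
# code). Each attribute carries an embedded function that, at interpretation
# time, returns the attribute's value and a non-binary trust score in [0, 1];
# a Global Trust attribute aggregates those scores. Information Providers
# are simulated by the constructed PROVIDERS dict.
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

PROVIDERS = {  # constructed stand-in for a bank and a rating agency
    "bank":   {"credit_limit": 5000, "asserted_at": 100.0},
    "rating": {"credit_rating": "A", "asserted_at": 40.0},
}

Result = Tuple[object, float]          # (attribute value, trust score)
Function = Callable[[float], Result]   # embedded function: now -> Result

def decaying(provider: str, key: str, half_life: float) -> Function:
    """Embedded function: fetch `key` from `provider`; trust halves every
    `half_life` time units after the provider asserted the value, so a stale
    attribute fades instead of forcing revocation of the whole credential."""
    def fn(now: float) -> Result:
        record = PROVIDERS.get(provider)
        if record is None or key not in record:   # provider unavailable
            return None, 0.0
        age = max(0.0, now - record["asserted_at"])
        return record[key], 0.5 ** (age / half_life)
    return fn

def fixed_until(value: object, expires: float) -> Function:
    """Embedded function for a static attribute with a hard expiry."""
    return lambda now: (value, 1.0 if now <= expires else 0.0)

@dataclass
class ActiveCredential:
    attributes: Dict[str, Function]

    def interpret(self, now: float) -> Dict[str, Result]:
        """Run every embedded function and derive Global Trust as the mean of
        the attribute scores: one expired attribute lowers, but does not zero,
        the trust placed in the credential as a whole."""
        out = {name: fn(now) for name, fn in self.attributes.items()}
        scores = [score for _, score in out.values()]
        out["global_trust"] = (None, sum(scores) / len(scores) if scores else 0.0)
        return out

def demo_credential() -> ActiveCredential:
    """Credential with two provider-backed attributes and one static one."""
    return ActiveCredential({
        "credit_limit": decaying("bank", "credit_limit", half_life=30.0),
        "credit_rating": decaying("rating", "credit_rating", half_life=60.0),
        "location": fixed_until("Bristol, UK", expires=120.0),
    })
```

Interpreting the same credential at two points in time shows the location attribute expiring to trust 0.0 while the credential as a whole keeps a non-zero global trust.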

Page 22

Active Digital Credentials: Properties

• Attribute Values can be disclosed only at the Interpretation Phase, after “Trust Establishment” between the Relying Party and the Information Provider (Privacy Management)

• Identity Certificates of Trusted Information Providers can be Embedded, for Security Reasons

Page 23

Scenario 1: Consumer-Service Provider

[Diagram: Credential Issuer, Credential Owner, Information Providers and Relying Party, with Trust Relationships between them; steps numbered 1 to 3: Credential Issuance, Credential Content Fetching and Credential Disclosure of the Active Credential; Digital Credentials Lifecycle management by the Issuer]

Page 24

Scenario 2: Federated Identity Management

[Diagram: Credential Issuer, Credential Owner, Identity Providers, Information Providers and Relying Party, with Trust Relationships between them; steps numbered 1 to 4, starting with Credential Issuance; Active Credentials held by the Owner and by the Identity Providers; Digital Credentials Lifecycle management by the Issuer]

Page 25

Credential Owner

• Need to Trust a Credential Issuer (as for traditional PKI …)

• Might have to make the Credential Issuer aware of the Relevant Information Providers

• Can decide which Information can be Accessed by the Credentials

• Can set Access Control Policies (at the Information Provider site) on this Information

• Some of these Policies can be set by other Parties (Enterprise, Government, etc.)

Page 26

Credential Issuer (CA)

• Responsible for Assessing:

- Correctness of the embedded functions (it might write them)

- Trustworthiness of the Information Providers

- Trustworthiness of the Users that request Credentials

• It Must be Accountable (need for Auditing Mechanisms)

• Responsible for Active Credentials’ Lifecycle Management

• It Needs to Establish Trust Relationships with Information Providers

Page 27

Relying Party

• Need to Trust Credential Issuers (as for traditional PKI …)

• Uses the Added-Value Information (fine-grained trust and validity evaluation for attributes and the overall credentials, aggregated information, etc.) provided by the Interpretation of Active Credentials to Draw his/her Own Conclusions

• Relies on the Correctness of the Embedded Functions and Makes use of an Extended Infrastructure to Verify and Execute Active Digital Credentials

Page 28

Active Digital Credential Interpretation Infrastructure

[Diagram: the Credential Interpreter, exposed to Applications & Services through an API, together with Communication Mechanisms, Validation & Verification, Authorization, Logging and Local System Context]

Secure Interpretation Environment, Based on Virtual Machines

Page 29

Security Considerations

[Diagram: the Relying Party's Credential Interpreter (Communication Mechanisms, Validation & Verification, Authorization, Log, Local System Context, API, Applications & Services) interacting with the Information Service of Information Providers/Credential Issuers]

Relying Party side:

- Check the Identity of Remote Parties Against the List of Trusted Identity Certificates Embedded in the Active Digital Credential

- Check the Signatures of the Inputs Received from Information Providers

Page 30

Security Considerations

[Diagram: as on the previous slide, Relying Party Credential Interpreter and Information Providers/Credential Issuers Information Service]

Information Provider side:

- Check the Identity of the Remote Party

- Check the Requests sent by Active Credential Functions (such as ref. numbers, Credential Digest, etc.) against policies (set by the Credential Owner, etc.)

- Digitally Sign (and Encrypt) the Disclosed Information

Page 31

Security Considerations

[Diagram: as on the previous slides, Relying Party Credential Interpreter and Information Providers/Credential Issuers Information Service]

Secure, Encrypted Channel (SSL …) between the Relying Party and the Information Providers/Credential Issuers
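The checks on these three Security Considerations slides, as an added Python example that is not the authors' code: the Information Provider checks a request coming from an embedded function against the owner's policy and signs what it discloses; the Credential Interpreter accepts input only from a provider whose identity is embedded in the credential and only if the signature verifies. The keys, policy values and record contents are constructed, and HMAC-SHA256 stands in for the public-key signature a real deployment would verify against the embedded identity certificate.

```python
# Added example (not the authors' code): the Security Considerations checks,
# modelled with the standard library. The credential embeds the identities of
# its Trusted Information Providers; the Interpreter refuses input from anyone
# else and verifies each provider's signature. HMAC-SHA256 over a shared key
# is a constructed stand-in for the provider's public-key signature.
import hashlib, hmac, json

# Constructed keys; in the real model these would be provider certificates.
TRUSTED_PROVIDERS = {"bank": b"bank-key-constructed"}

OWNER_POLICY = {  # set by the Credential Owner at the Information Provider
    "allowed_refs": {"acct-42"},
    "allowed_credential_digests": {"cred-digest-constructed"},
}

def sign(key: bytes, payload: dict) -> str:
    """Deterministic signature stand-in over a canonical JSON encoding."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def provider_disclose(request: dict) -> dict:
    """Information Provider side: check the request sent by the embedded
    function (ref number, credential digest) against the owner's policy,
    then digitally sign the disclosed information."""
    if (request.get("ref") not in OWNER_POLICY["allowed_refs"]
            or request.get("credential_digest")
            not in OWNER_POLICY["allowed_credential_digests"]):
        return {"provider": "bank", "error": "policy denies disclosure"}
    body = {"provider": "bank", "ref": request["ref"], "credit_limit": 5000}
    return {**body, "sig": sign(TRUSTED_PROVIDERS["bank"], body)}

def interpreter_accept(response: dict) -> bool:
    """Relying Party / Interpreter side: accept input only from a provider
    embedded in the credential's trusted list and only if it verifies."""
    key = TRUSTED_PROVIDERS.get(response.get("provider"))
    if key is None or "sig" not in response:
        return False
    body = {k: v for k, v in response.items() if k != "sig"}
    return hmac.compare_digest(sign(key, body), response["sig"])
```

A denied request, a tampered value and an unknown provider are all rejected by the interpreter, while a policy-conformant signed disclosure is accepted.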

Page 32

Discussion

• Active Digital Credentials Depend on On-line Interactions with Third Parties. The Availability of a Communication Infrastructure might be a Potential Issue (but a similar problem exists for traditional credentials …)

• More Flexibility and Reduced Dependency on Changes of the Certified Information. Does it Really Imply a Simplified Credential Lifecycle Management?

• Active Digital Credentials can help Credentials’ Owners to Explicitly Control the Disclosures of their Information

Page 33

Discussion

• The Technology Necessary to Build Active Digital Credentials is Available, especially in terms of Security (secure channels, encryption, signatures, etc.)

• Requires Trust and Reliance on Credential Issuers and Information Providers. Auditing Mechanisms are necessary to underpin Accountability. We extend the PKI Model, but we Do Not Change the Underlying Trust Model.

Page 34

Current and Future Work

• Build a Working Prototype in a Realistic Environment (such as Federated Identity Management)

• Explore, for Real, the Feasibility of the Proposed Model

• Investigate the Implications in terms of Life-cycle Management (especially for the Embedded Code)

Page 35

Conclusions

• The Provision of Up-to-Date Certified Information is an Issue in Dynamic Environments. Traditional PKI has Limitations, due to the Static Nature of Digital Certificates

• Active Digital Credential Model: Embedding Certified Code within Digital Credentials for Retrieval, Processing, Aggregation and Evaluation of Identity and Profile Information

• Potential Advantages in terms of Flexibility and Longevity of Active Digital Credentials

• Work in Progress …
