ASFWS 2011: Harmonizing Identity and Privacy in Digital Identity and Authentication technologies

Harmonizing Identity and Privacy in Digital Identity and Authentication technologies

Simon BlanchetInformation Security & Risk Team Leader - Application Security

{Undisclosed} Private Bank

Who Am I?

� Simon Blanchet, CISSP

� 11+ years in Information System Security Security

� Security / Cryptographic Software Developer

� Information Security Professional (Application / � Information Security Professional (Application /

Software Security) in Private Banking

� Hooked: Computers, BBSes, “hacking scene”

� Computer Science

� Passionate about Cryptology (Classical, Applied) &

Software (In)Security27.10.2011 2Application Security Forum - Western Switzerland - 2011

Who Am I?

� Crypto / Security Software Developer

� Secure Email Solution (X.509, OpenSSL, MS CAPI, …)

� Meta-IDS built on OpenBSD (aggregation, correlation)

� Digital Credential initial PoC / SDK � Digital Credential initial PoC / SDK

� Information Security Professional (Swiss Banking)

� Application Security Architect (PKI, AAA, libs (authn, crypto), …)

� Smartcard Programming & Integration (PKCS11, APDUS)

� Application Security Team Lead – Private Bank

� Software Security, ARA, Threat Modeling, Security Testing

27.10.2011 3Application Security Forum - Western Switzerland - 2011

Who Am I?

� Fun facts:

� Own (too) many books on Cryptology and Brewing

� Some of which are signed by the author with dedication

� Foodies, Beer aficionado

� Urban travelers, love languages

27.10.2011 4Application Security Forum - Western Switzerland - 2011

Agenda

� What this talk IS about / What this talk is NOT about

� Authentication & Privacy

� Identity Meta System (IdP, RP, Subject / Principal, …)

� PKI, X.509, Case Study: SSL mutual authentication

� Introducing the Laws of Identity

� Some issues with current authentication schemes

� Introducing Elementary Cryptographic Primitives

� Introducing Digital Credential

27.10.2011 Application Security Forum - Western Switzerland - 2011 5

What this talk IS about

� Digital Identity

� Authentication

� Digital Privacy in the authentication world

� Identity Provider, Relying Parties, Subject� Identity Provider, Relying Parties, Subject

� Limitations of current implementations

� Elementary cryptographic primitives

� RSA, Digital Signature, Discrete Logarithms, ZKIP, Blind Signature, Selective Disclosure, …


What this talk is NOT about

� Anonymous browsing

� MIX networks / Onion Routing

� Hiding identity at the network level

� Political statement / Privacy evangelism� Political statement / Privacy evangelism


Authentication & Privacy

Definition, means, why, conflicting /

diametrically opposed concepts?

Security vs Privacy debate


Identification & Authentication

� Identification

� Act or process of identifying somebody or something or of being

identified. So, it’s an act or process of showing who somebody is.

� Act of claiming an identity, where an identity is a set of one or

more signs signifying a distinct entity.more signs signifying a distinct entity.

� Authentication

� Act or process of proving something to be valid, genuine or true

about someone’s identity.

� Act of verifying that identity, where a verification consists in

establishing, to the satisfaction of the verifier, that the sign

signifies the entity.


Identification vs Authentication

� Identification

� Ex: “Hi I’m Simon”, “Hi I’m the owner of this car”

� Authentication

� Ex: “Hi I’m Simon, here’s my passport”� Ex: “Hi I’m Simon, here’s my passport”

� Something I own � Passport

� Ex: “Hi I’m Simon, here’s my passport and let me sign

this piece of paper”

� Something I own � Passport

� Something I am � My signature


Authentication (1/2)

� Authentication factors

� Knowledge � Something you know

� Ex: Password, Pin code, Passphrase, answer to a special ?

� Ownership � Something you ownOwnership Something you own

� Ex: Security Token, Cell phone, Private Key associated to a cert

� Inherence � Something you do or are

� Ex: Fingerprint, voice, retina (think biometrics)

� Multi-factor Authentication

� Any combination of more than one of the above…


Authentication (2/2)

� SSL Mutual Authentication

� Public Key Digital Signature (more on this later…)

� Hardware / Security Token

� Shared Secret Key Authentication

� OTP based on Shared Secret + Time� OTP based on Shared Secret + Time

� OTP based on Shared Secret + Counter

� OTP based on Shared Secret + Challenge

� The minimum requirement of any token is at least an inherent

unique identity…

� OpenID / SAML / …


Privacy

� Ability of a person to control the availability of

information about and exposure of himself or

herself. It is related to being able to function in

society anonymously (including society anonymously (including

pseudonymous or blind credential

identification)


Anonymity / Pseudonymity

� Anonymity

� No information linking an identifier to its entity

� Identity that is not bound or linked to an entity

� Obscuring the identity of an entity� Obscuring the identity of an entity

� Pseudonymity

� Pseudonym is a fictitious identifier which is not

immediately associated to an entity

� Ex: Pen names, Nicknames, …

� Linking & Tracking possible, pseudo revealed: Game Over


Security vs Privacy

� Is this a real dilemma?

� Conflicting / diametrically opposed concepts?

� We hear a lot about trading your Privacy to

increase your Security in airport securityincrease your Security in airport security

� Full-Body Scanners anyone?


Security vs Privacy

� Post 9/11

� How much privacy are you willing to give up for security?

� Security or Privacy?

� Fundamental dichotomy? � NOT really…� Fundamental dichotomy? � NOT really…

� Security affects Privacy when it's based on identity

� Real question: Liberty versus Control

� Quoting Benjamin Franklin:� "Those who would give up essential liberty to purchase a little

temporary safety, deserve neither liberty nor safety."


Identity Meta System

� IdP - Identity Provider

� Issues digital identity

� Ex: CA for X.509 Digital Certificate

� RP - Relying Parties� RP - Relying Parties

� Requires identity / Trust IdP

� Ex: Mutual SSL authn protected web server

� S / P – Subject / Principal

� Entities about whom claims are made

� Ex: Individual owning a cert & its associated private key


PKI

� IdP is the Certification Authority (CA)

IdP

AuthenticateValidate CSRIssue Cert Cryptographic

binding Identity + Public Key


Subject

RP

Keep Private KeySign(Attrib + Pub Key) � CSR

Access Request

Certificate + Proof of possession private key

Case Study

SSL Mutual Authentication



� Common Trusted IdP (CA) between RP & S

� CA issues a digital certificate to Subject

� Client-side key pair generation

� PKCS10 Certificate Signing Request sent to CA� PKCS10 Certificate Signing Request sent to CA

� CA authenticate Subject & verify proof of

possession of associated Private Key

� CA issues X.509 certificate to Subject



� RP is a Web Server configured to require a

client certificate

� SSL “Server Hello” – “Client Certificate Request”$ openssl s_server -www -key myca_privkey.pem -cert $ openssl s_server -www -key myca_privkey.pem -cert myca.pem -state -msg -debug -Verify myca.pem



Copyright IBM Corporation 1999, 2011. All Rights Reserved. This topic's URL: http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/topic/com.ibm.mq.csqzas.doc/sy10660_.htmsy10660_27.10.2011 Application Security Forum - Western Switzerland - 2011 22


� So the client is only sending his certificate

back to the server or is he?

� What else would be needed and why?

� Proof of possession of associated private key� Proof of possession of associated private key

� A certificate is public by definition …

� How to prove to a RP that we own such key?

� Someone said “Digital Signature”?

� What is really signed here? Why?



� What can be signed?

� Who’s providing the material to sign?

� The server only?

� The client only?� The client only?

� Both? � Why?

� What can go wrong if not both?

� What’s the outcome of all of this?

� Server obtain a proof that the Client owns the

private key associated with the cert shown


Laws of Identityii.a


Laws of Identityii.a

1. User Control and Consent

2. Minimal Disclosure for a Constrained Use

3. Justifiable Parties

4. Directed Identity4. Directed Identity

5. Pluralism of Operators and Technologies

6. Human Integration

7. Consistent Experience Across Contexts


Some issues with current

schemesschemes


Privacy Issues with current schemes

� IdP sees the certificates it issues

� RP can always track the entity authenticating

� RP can store all the certificates presented

� Different RPs can exchange & link those � Different RPs can exchange & link those

certificates

� ALL the attributes contained in the certificate

are disclosed to the RP

� CRLs are distributed to all RP


X.509 SSL Mutal Authn (1/2)

1. User Control and Consent ✗ / ?

� By Default: NO under most common OSes

� MS CAPI Private Key Security � Level

2. Minimal Disclosure for a Constrained Use ✗2. Minimal Disclosure for a Constrained Use ✗

� ALL attributes embedded in the cert are

disclosed


Issues with X.509 authn (2/2)

� Cert contains direct unique identifiers such as:� Subject Key Identifier ( 2.5.29.14 )

� IssuerDN + Serial Number

� Common Name*

� Cert contains indirect unique identifiers:� Cert contains indirect unique identifiers:� Public Key

� CA’s Signature

� Computed Thumbprint


Cryptographic Primitives


Cryptographic Primitives

� RSA

� Discrete Logarithm Problem (DLP)

� Zero-Knowledge Proof (ZKP)

� Prover � Subject� Prover � Subject

� Verifier � RP

� Blind Signature

� Selective Disclosure


RSA

� P & Q: Large random prime numbers

� n = P * Q � Modulus common to privkey & pubkey

� Compute φ(n) = (p – 1)(q – 1)

� Choose an integer e such that 1 < e < φ(n) and � Choose an integer e such that 1 < e < φ(n) and gcd(e,φ(n)) = 1 � public key

� d = e–1 mod φ(n) � private key

� Encryption-Decryption / Signature-Validation� ENC/DEC: c = me (mod n), m = cd (mod n)

� SIG/VAL: s = hd (mod n), h = se (mod n) � h’=h?


Discrete Logarithm Problem

� g and h are elements of a finite cyclic group G then a solution x of the equation gx = h is called a discrete logarithm to the base g of h in the group G.

� Given g ≠1 and a random h := gx, it is not possible to find x from computational complexity standpoint.find x from computational complexity standpoint.


Zero Knowledge Proof

For Children… (from Jean-Jacques Quisquater’s paper*)


Repeat until confidence level is reached…

• http://en.wikipedia.org/wiki/Zero-knowledge_proof

Introducing digital credential

• Issuing protocol � Blind Signature

– Subject can (blind) “randomize” its public key

– IdP can still sign without “knowing” the public key

– The resulting IdP signature is also “blinded” from – The resulting IdP signature is also “blinded” from

the IdP perspective

• Showing protocol � Selective Disclosure

– Subject can blind, hence selectively disclose only

the attributes he wishes to do to the RP (Verifier)


Conclusion

� Pseudonymity != Anonymity

� Security XOR Privacy? � NOT Really

� Liberty VS Control � THE real question

� Most current authentication schemes were not built with � Most current authentication schemes were not built with

“privacy” in mind and currently don’t comply with the “7

Laws of Identity”

� Some cryptographic constructs exists to implement

privacy and empower the Subject

� Implementations of those constructs already exist


Questions ?horia

varla

nQuestions

Questions ?


© fl

ickr

.com

/hor

iava

rlan

Thank You! / Merci!

Simon Blanchet

[email protected]

http://ch.linkedin.com/in/sblanchethttp://ch.linkedin.com/in/sblanchet


SLIDES A TELECHARGER PROCHAINEMENT:

http://slideshare.net/ASF-WS

References (1/2)

i. Microsoft’s Vision for an Identity Metasystema. http://www.identityblog.com/stories/2005/10/06/IdentityMetasystem.pdf

ii. The Laws of Identity, Kim Cameron

a. http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.pdf

iii. Rethinking Public Key Infrastructures and Digital Certificates, Stefan Brands

a. http://mitpress.mit.edu/catalog/item/default.asp?sid=DB63048D-0822-4233-8765-

55C534600287&ttype=2&tid=380155C534600287&ttype=2&tid=3801

b. http://www.credentica.com/the_mit_pressbook.html

iv. Work of David Chaum & Stefan Brands, School of Computer Science and

Statistics at Trinity College Dublin (Michael Peirce’s homepage)

a. http://ntrg.cs.tcd.ie/mepeirce/Project/chaum.html

b. http://ntrg.cs.tcd.ie/mepeirce/Project/Mlists/brands.html

v. The Id Element

a. http://channel9.msdn.com/Shows/Identity

b. http://channel9.msdn.com/shows/Identity/Deep-Dive-into-U-Prove-Cryptographic-protocols


References (2/2)

v. 7 Laws of Identity, Ann Cavoukiana. http://www.ipc.on.ca/images/Resources/up-7laws_whitepaper.pdf

vi. The problem(s) with OpenID, The Identity Cornera. http://www.untrusted.ca/cache/openid.html

vii. An Overview of an SSL Handshake & How SSL provides authentication, confidentiality, and integrity

a. http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/advanced/print.jsp?topic=/com.ibm.mq.csqzas.doc/sy10670_.htm&isSelectedTopicPrint=truecsqzas.doc/sy10670_.htm&isSelectedTopicPrint=true

b. http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/index.jsp?topic=%2Fcom.ibm.mq.csqzas.doc%2Fsy10660_.htm

viii. Links Blog (Identity), Ben Lauriea. http://www.links.org/?cat=8

ix. U-Prove Crypto SDK V1.1 (Java Edition) - Apache 2.0 open-source license

a. http://archive.msdn.microsoft.com/uprovesdkjava

x. Random Thoughts on Digital Identity, Digital Identity Glossarya. http://blog.onghome.com/glossary.htm


Technology

ASFWS 2011: Harmonizing Identity and Privacy in Digital Identity and Authentication technologies