Trust Elevation through Contextual Authentication

International Telecommunication Union
Regional Arab Forum on Cybersecurity
Giza (Smart Village)-Egypt, 18-20 December 2011
Abbie Barbir, PhD
ITU-T SG 17 Identity Management Rapporteur
Abbie.Barbir@ties.itu.int
Co-chair OASIS Trust Elevation TC
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=trust-el
Elected Member of OASIS Board of Directors
http://www.oasis-open.org/board
ITU-T
Study groups (2009-2012)
• SG 2: Service provisioning and Telecom management
• SG 3: Tariff, accounting, telecom economic & policy issues
• SG 5: Environment and climate change
• SG 9: Television, sound and integrated broadband cable networks
• SG 11: Signalling requirements, protocols and test specifications
• SG 13: Future networks including mobile and NGN
• SG 16: Multimedia coding, systems and applications
• SG 17: Security, identity management (IdM) and languages
ITU-T Objectives
• Established 17 May 1865
• Decisions by consensus
• Participation through national Government
• Telecom does not mean that focus is only on Telecom
• Develop and publish standards for global ICT interoperability
• Identify areas for future standardization
• Provide an effective forum for the development of international standards
• Truly global public/private partnership
• 95% of work is done by private sector
• Continuously adapting to market needs
SG 17 Q10/17 Identity management
o Interoperability of identity management
• X.giim, Generic IdM interoperability mechanisms
• X.1250, Baseline capabilities for enhanced global identity management trust and interoperability
• X.1251, A framework for user control of digital identity
• X.1252, Baseline identity management terms and definitions
• X.1253 (X.idmsg), Security guidelines for identity management systems
o Trust of identity management
• X.EVcert, Extended validation certificate
• X.eaa, Information technology – Security techniques – Entity authentication assurance
• X.atag, Attribute aggregation framework
• X.idmcc, Requirement of IdM in cloud computing
• X.mob-id, Baseline capabilities and mechanisms of identity management for mobile applications and environment
• X.oitf, Open identity trust framework
o Discovery of identity management information
• X.discovery, Discovery of identity management information
o Protection of personally identifiable information
• X.1275, Guidelines on protection of personally identifiable information in the application of RFID technology
• X.priva, Criteria for assessing the level of protection for personally identifiable information in identity management
o Working with OASIS SAML 2.0 and XACML and their equivalent ITU-T recommendations
Q10/17 Coordination and collaboration
ITU-T Joint coordination activity in IdM JCA-IdM
OASIS Trust Elevation TC
o OASIS Electronic Identity Credential Trust Elevation Methods (Trust Elevation) TC
• http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=trust-el
o Works to define a set of standardized protocols that service providers may use to elevate the trust in an electronic identity credential presented to them for authentication
o Responds to suggestions from the public sector, including the U.S. National Strategy for Trusted Identities in Cyberspace (NSTIC).
o Promotes interoperability among multiple identity providers--and among multiple identity federations and frameworks--by facilitating clear communication about common and comparable operations to present, evaluate and apply identity [data/assertions] to sets of declared authorization levels
National Strategy for Trusted Identities in Cyberspace (NSTIC)
o Called for in President’s Cyberspace Policy Review (May 2009)
o Promotes the development of an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities
Guiding Principles
• Privacy Enhancing and Voluntary
• Secure and Resilient
• Interoperable
• Cost Effective
• Easy To Use
Usernames and passwords are broken
• People have many different passwords
• Passwords are reused
• Strong passwords are vulnerable
Identity Theft on the rise
• Large increase in financial institution Suspicious Activities
• $17.3 billion estimated cost to economy over 2 years (BJS, 2008)
Cybercrime is on the rise
• Phishing is increasing with more sophisticated attacks
Main issue
• How to verify the Carbon entity on the other end of an online transaction
• Identities are difficult to verify over the internet
• Problem is more complicated in North America due to the lack of a government based national identity system
Entity Authentication Assurance
Entity Authentication Assurance Framework*
• Joint work of ISO JTC1/SC 27/WG5 and ITU-T SG 17/Q.10
• Expected to reach Committee Draft status this year
o Standardizes Levels of Assurance (LoAs) to promote trust, improve interoperability, and facilitate identity federation across organizations

Level  Description
1      Little confidence in the asserted identity
2      Some confidence in the asserted identity
3      High confidence in asserted identity
4      Very High confidence in asserted identity

ISO/IEC 29115 | ITU-T X.1254 provides a framework for managing entity authentication assurance in a given context. In particular, it:
• specifies four levels of entity authentication assurance;
• specifies criteria and guidelines for each of the four levels of entity authentication assurance;
• provides guidance concerning controls that should be used to mitigate authentication threats;
• provides guidance for mapping the four levels of assurance to other authentication assurance schemes;
• provides guidance for exchanging the results of authentication that are based on the four levels of assurance.
Entity Authentication Assurance
Why do the work?
o Provides a consistent basis for trust
o Promotes identity federation
o Helps organizations make informed decisions
o Enables credential re-use in different contexts
o Promotes efficiency and reduces costs
o Enables cross-organization and cross-border services
o Provides framework for further standardization
Entity Authentication Assurance
Structure and Contents
o Four Levels of Assurance
o Entity Authentication Assurance Framework
o Management and Organizational Considerations
o Threats Based on Framework Components
o Required Controls for Each LoA
o Privacy and Protection of PII
o Operational Service Assurance Criteria
EAA Framework
[Figure: EAA framework diagram. Labels: Application / Initiation, Proofing, Verification, Enrollment, Registration, Record-Keeping, Risk Assessment, LoA Selection, Credential Management, Binding, Issuance, Revocation, Authentication, Usage, Authorization (Rights, Access Controls, etc.). The diagram marks the scope boundary of this standard.]
Authentication
Towards Digital Trust
o FFIEC Supplement to Authentication in an Internet Banking Environment
• Layered Security to eliminate Customer Authentication for High-Risk Transactions
o Retail/Consumer and Business/Commercial Banking
o Detect and Respond to Suspicious Activity
o Device Identification
o Challenge Questions (KBA)
o False Sense of Security
o Need to move away from it
More on Authentication
How to define Authentication Strength?
o Simply counting authentication factors
• Something you know
• Something you have
• Something you are (or inherit)
does not inform us about the strength of a given authentication method
o Authentication methods can be based on a single authentication attribute or on any two or more attributes of different kinds
o Many vendors and enterprises do not implement true two-factor authentication and do not have a consistent definition of the term.
o Consider measuring a method's resistance to attacks, for example:
• Masquerade attacks and man-in-the-browser attacks
o Evaluate the strength of an authentication method to confirm that it meets the needs of the assurance or authorization request.
Based on Gartner paper G00219391
Device Identifications
From Smart Device perspectives
• Cookies are increasingly becoming obsolete for device and user identification
• IP address is not reliable
Different Approaches are used
• Identification in Browser based technologies (SAML, OpenID) is different from Native Application (OAuth 2.0 and OpenID Connect)
Standards are needed
• Need to move towards interoperable cookie-less device independent identification methods in order to prevent fraud in financial transactions
• Support for cloud based interactions
• Support for interoperable token based services
• “one-time” cookies
o Eventually every device needs an immutable, provision-able, isolated NVM to store its identity
• Programmable RD/WR/OTP/ERASE capable
• Scalable cross devices (power, form factor, standard)
• Ultimately needs to have appropriate crypto support
Current Basic “Trust Triangle”
o User has direct trust relationship with IDSP and RP
o How can the IDSP and RP trust each other?
* Source OIX
Should we have Trust in Trust Frameworks
• Key question: how much do we trust the identity enrolment stage?
• Do we Trust Breeder Documents and verification process?
The Elephant in the room; The rise of Synthetic ID
So what are Synthetic IDs?
• Synthetic identity happens when a criminal steals bits and pieces of info from different people and creates a new identity with No Carbon Copy.
• A social security number is used with a different name and date of birth.
• Difficult to detect because of all the mismatched pieces of information.
• Criminals are getting bold
• Trend to claim ID Theft as opposed to account busting
• Need better means of validating breeder documents
Not all breeder documents are Trustable
Directions
Some Pain Points
o Internet transactions are anonymous (low trust)
o Value transactions are identity based
o Anonymous to identity enabled
o Need strong authentication and contextual identification of identities
o Enable Identity based systems
• while protecting privacy (PII)
• Isolation of Issuer and target Identity
• Enable the right to forget
• Identity dashboard for user to keep control of identity and related data (Data Ownership)
• Consumer Protection and Identity Service Provider Liabilities
o Audit, compliance and policy enforcement
o And yes…..Simple to use system
Current Trends
OIDF WG on Street Identity (see www.streetidentity.com)
1. OAuth2 and OpenID Connect
• Focus on Eliminating password reuse (one password)
2. Identity verification
• Use of Relationship Manager or Attribute provider to share legal identity (name/address) with a requesting party
3. Toward Strong authentication
• Secure the "one password" with additional protection
• Potentially the use of Secure Vault technology in devices: an immutable, provision-able, isolated NVM to store its identity
o Programmable RD/WR/OTP/ERASE capable
o Scalable cross devices (power, form factor, standard)
o Ultimately needs to have appropriate crypto support
Q&A