This presentation was given at the Card Tech Secure Tech (CTST) Conference on May 5, 2009 in New Orleans, LA. Brian Kelly was on a panel with Gilles Lisimaque, Siddharth Bajaj and Michael Poitner to discuss emerging technologies in Smart Cards, Tokens & Digital Identity.
1. OpenID & Strong Authentication
CTST 2009: Emerging Technology
D14: Smart Cards, Tokens & Digital Identity
May 5, 2009
Brian Kelly
Vice President
TrustBearer Labs
3. OpenID vs. SAML

OpenID:
• Consumer focused
• On-the-fly provisioning
• Many identity providers available online for consumers to choose
• Mostly open-source, and COTS services

SAML:
• Enterprise focused
• Bulk-provisioning (on-the-fly supported)
• Identity Provider is internal to organization (typically)
• Commercial and OS products available
4. How does SAML work?

Diagram: The user signs in at the Login Web Page. The SAML ID Provider authenticates users (LDAP auth.) and creates signed assertions; App 1, App 2, App 3 and other SAML Service Providers (consumers) verify the signed assertions, and the user is logged in to the web app.
5. How does OpenID work?

Diagram: The user authenticates to the IdP and enables the account to be used with the consumer site. At the Consumer Web App's Login Page the user presents the previously enrolled OpenID; the Consumer Web App (OpenID Relying Party) verifies it, and the user is logged in to the web app.
6. End-point authentication is agnostic of SSO standard
All methods can be supported by SAML or OpenID
• username / password
• one time password (OTP) tokens
• smart cards (e.g. PIV, CAC, FRAC)
• TPM
• client digital certificates
• information cards
• biometrics
• image verification
7. Identity Provider offers end-point authentication options
• Google, Yahoo, AOL: password
• myOpenID: password, phone verify, client certificate, info card
• VeriSign PIP: OTP, client certificate, info card, EV SSL
• TrustBearer: smart cards (CAC, PIV, etc.), biometrics
• Vidoop: Image recognition (CAPTCHA)
The IdP can specify the authentication methods used to the RP, and the RP can even request preferences.
10. Token Types Allowed At Each Assurance Level

Token Type                 Level 1   Level 2   Level 3   Level 4
Hard crypto token             ✓         ✓         ✓         ✓
One-time password device      ✓         ✓         ✓
Soft crypto token             ✓         ✓         ✓
Passwords & PINs              ✓         ✓

From NIST SP 800-63 p. 39
11. OpenID Provider Authentication Policy Extension (PAPE)
• Provides a way for Relying Parties to request / view authentication policies of the Identity Provider
• Policies: Phishing-resistant, Multi-Factor, and Physical Multi-Factor
• Preferred authentication levels, e.g. NIST: 1, 2, 3, 4
SAML also allows authentication attributes to be added to a message
12. TrustBearer OpenID

What we do:
• Challenge/response with PIN or Bio verification
• Allow multiple tokens per account
• Implement PAPE
• No username / password option
• Some SAML support

What we could do:
• Path validation & revocation checking
• Use SReg to transmit data on card
• Allow RPs to request certain smart cards or tokens be used
• More SAML support
13. How Government OpenID with smart card auth could work

Diagram: The citizen goes to the Gov't Web App's Login Page and is directed to the U.S. Gov't OpenID Provider, which uses the CAC / PIV smart card to authenticate the user and performs path validation & certificate revocation checking. OpenID + SReg + PAPE data is sent to the Gov't Web App (the OpenID Relying Party), which includes the U.S. Gov't OpenID Provider on its trusted list; the info is verified and the citizen is logged in to the web app.
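The Relying Party side of slides 10, 11 and 13 in code, as an added example that is not part of the original slides or TrustBearer's product: the RP asks the OP for phishing-resistant, physical multi-factor authentication at NIST SP 800-63 level 3 and then enforces what the OP actually asserts. Field names and policy/level URIs are those defined in the PAPE 1.0 specification; the OP endpoint allow-list, the two sample responses and the 1-hour freshness window are constructed for the example.

```python
"""Added example: OpenID RP building a PAPE 1.0 request and enforcing the
signed PAPE claims in the OP's response (not code from the CTST slides)."""
import calendar
import time

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY_BASE = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = POLICY_BASE + "phishing-resistant"
MULTI_FACTOR = POLICY_BASE + "multi-factor"
MULTI_FACTOR_PHYSICAL = POLICY_BASE + "multi-factor-physical"
POLICY_NONE = POLICY_BASE + "none"   # OP states that it met no policy at all
# Level-type URI that PAPE 1.0 registers for NIST SP 800-63 assurance levels 1-4
NIST_LEVEL_NS = "http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf"

# Hypothetical allow-list (slide 13: the Gov't OP is on the RP's trusted list)
TRUSTED_OP_ENDPOINTS = {"https://openid.example.gov/op"}


def build_pape_request(preferred_policies, max_auth_age=None, alias="nist"):
    """Parameters the RP adds to its checkid_setup request. These are only
    preferences: the RP must still check what the OP asserts in the response."""
    params = {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": " ".join(preferred_policies),
        "openid.pape.preferred_auth_level_types": alias,
        f"openid.pape.auth_level.ns.{alias}": NIST_LEVEL_NS,
    }
    if max_auth_age is not None:
        params["openid.pape.max_auth_age"] = str(max_auth_age)
    return params


def parse_auth_time(value):
    """PAPE auth_time is UTC, YYYY-MM-DDThh:mm:ssZ; return epoch seconds."""
    return calendar.timegm(time.strptime(value, "%Y-%m-%dT%H:%M:%SZ"))


def verify_pape_response(resp, required_policies, min_nist_level, max_auth_age, now=None):
    """Return (ok, reason). Assumes the OpenID signature over openid.signed was
    already verified (association MAC or check_authentication); this decides
    only whether the signed PAPE claims satisfy the RP's policy."""
    now = time.time() if now is None else now
    signed = set(resp.get("openid.signed", "").split(","))

    # 1. Only accept assertions from an OP on the allow-list
    if "op_endpoint" not in signed or resp.get("openid.op_endpoint") not in TRUSTED_OP_ENDPOINTS:
        return False, "OP endpoint not trusted"

    # 2. PAPE claims must be covered by the signature; otherwise anyone on the
    #    redirect path could add "multi-factor-physical" to a password login
    for field in ("ns.pape", "pape.auth_policies", "pape.auth_time"):
        if field not in signed:
            return False, f"{field} not in openid.signed"
    if resp.get("openid.ns.pape") != PAPE_NS:
        return False, "PAPE namespace missing"

    # 3. Every required policy must have been asserted (space-separated list)
    asserted = set(resp["openid.pape.auth_policies"].split())
    if POLICY_NONE in asserted:
        asserted = set()
    missing = set(required_policies) - asserted
    if missing:
        return False, "policies not met: " + " ".join(sorted(missing))

    # 4. Assurance level: locate the alias whose namespace is the NIST URI
    level = None
    prefix = "openid.pape.auth_level.ns."
    for key, value in resp.items():
        if key.startswith(prefix) and value == NIST_LEVEL_NS:
            alias = key[len(prefix):]
            if f"pape.auth_level.ns.{alias}" in signed and f"pape.auth_level.{alias}" in signed:
                level = int(resp.get(f"openid.pape.auth_level.{alias}", "0"))
    if level is None or level < min_nist_level:
        return False, f"NIST level {level} below required level {min_nist_level}"

    # 5. Freshness: the authentication event itself must be recent enough
    age = now - parse_auth_time(resp["openid.pape.auth_time"])
    if age < 0 or age > max_auth_age:
        return False, "authentication event too old"
    return True, "ok"


# Constructed sample: CAC/PIV smart-card login asserted by the (hypothetical) Gov't OP
SMART_CARD_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://openid.example.gov/op",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": " ".join((PHISHING_RESISTANT, MULTI_FACTOR, MULTI_FACTOR_PHYSICAL)),
    "openid.pape.auth_time": "2009-05-05T14:00:00Z",
    "openid.pape.auth_level.ns.nist": NIST_LEVEL_NS,
    "openid.pape.auth_level.nist": "3",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,"
                     "ns.pape,pape.auth_policies,pape.auth_time,pape.auth_level.ns.nist,pape.auth_level.nist",
    "openid.sig": "...",  # signature omitted; verified before this function is called
}
# Constructed sample: same OP, but the user only typed a password (slide 10: level 1)
PASSWORD_RESPONSE = dict(SMART_CARD_RESPONSE,
                         **{"openid.pape.auth_policies": POLICY_NONE, "openid.pape.auth_level.nist": "1"})
GOV_POLICY = (PHISHING_RESISTANT, MULTI_FACTOR_PHYSICAL)

if __name__ == "__main__":
    print(build_pape_request(GOV_POLICY, max_auth_age=3600))
    now = parse_auth_time("2009-05-05T14:05:00Z")   # 5 minutes after the sample auth_time
    print(verify_pape_response(SMART_CARD_RESPONSE, GOV_POLICY, 3, 3600, now))
    print(verify_pape_response(PASSWORD_RESPONSE, GOV_POLICY, 3, 3600, now))
```

The two checks a practitioner most often forgets are steps 1 and 2: `preferred_auth_policies` in the request is advisory, so the decision has to be made on the response, and the response's PAPE fields are only worth anything when they appear in `openid.signed`, since the browser relays the whole assertion and an unsigned field can be edited in transit.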
14. "In-the-cloud" strong-auth benefits over traditional Client Auth with SSL
• Less infrastructure / less coding
• Path validation & revocation checking work is offloaded to the Identity Provider
• Authentication methods can scale up and down depending on application needs
• Non-cert data on smart card becomes useful (e.g. healthcare)