Towards privacy-preserving identity and access management systems for web developers
Abdelmalek Benzekri, Romain Laborde, David Chadwick, Ahmad-Samer Wazan
Abstract: This tutorial deals with the latest web-based identity and access management technologies supporting the SAML 2.0, OpenID Connect, OAuth 2.0, XACML 3.0 and FIDO standards. We will briefly present the underlying technologies and the identity provisioning requirements, and will focus on authentication and authorization issues. We will demonstrate how to create a mobile app or web application that must guarantee the right access to the right individual at the right time for the right reason. We will then discuss the limitations of these technologies in terms of privacy. The second part of the tutorial will be devoted to an innovative privacy-preserving system for web application developers. The system we built is based on FIDO and W3C Verifiable Credentials. We will describe our pilot implementations and show two different use cases: UK NHS patients and bank clients. The tutorial will also be the occasion to present the WebAuthn specification recently defined by the W3C.
Tutorial Description
On the web, trust and identity are essential elements of any transaction. Identity is about how users are identified on the web; trust is about the relations that link users to service providers (SPs), or that link SPs to each other. In a traditional identity management system, each SP issues its users credentials with which they authenticate themselves before accessing the provider's services. This approach does not scale from the user's point of view: users must remember the credentials issued by every web site in order to present them at authentication time. Ideally the credentials would be unique to each web site, but in practice users reuse the same credential across sites, so a credential stolen from one site can be replayed at the others. Consequently, the traditional approach creates a security problem for web users. To resolve this kind of problem, another identity management approach was defined, based on trust established between SPs; the term federation refers to this approach. The trust established between SPs allows a web user to authenticate to a single SP in order to access the resources provided by all the SPs in the federation.
An extension of the federated approach is usually made by separating identity management from access management (authorization). In this case the role of identity provider (IdP) is defined and separated from the SP role, and a trust relationship must be established between an IdP and the SPs; the IdP may or may not itself be part of the SP federation. For example, on the web, Google and Facebook allow users to log into third-party websites with their Google or Facebook accounts; the third-party websites must trust Google or Facebook in order to grant those users access to their resources. Different technologies are used today to achieve different cross-domain identity federation schemes at Internet scale, such as SAML 2.0, OpenID Connect and OAuth 2.0, and more recently FIDO, which strictly speaking standardises strong authentication of a user to a relying party rather than federation between SPs.
However, the federation approach suffers from a number of weaknesses, in particular in its trust model and in the privacy it offers its users. First, the trust model requires the IdP to trust the SP to preserve the privacy of the user's identity attributes (or credentials) that it asserts, and requires the SP to trust that the IdP is the authoritative source of (all of) the user's identity attributes. Both of these trust requirements are unreasonable: no single IdP is the authoritative source of all of a user's identity attributes, and users may want to present their identity attributes to SPs that IdPs do not fully trust. Consequently, IdPs are unwilling or unable to release the user attributes that SPs require in order to provide the fine-grained authorization they desire.
“Insufficient attribute release by IdPs is considered by user communities as the major problem today in the eduGAIN space” [1]. This necessitates pulling user identity attributes from other Attribute Authorities (AAs). To solve this attribute aggregation problem, many propose assigning each user a persistent globally unique identifier [2], [3]. But this has privacy implications for the user, as the identifier is a correlating handle that can be used to track her everywhere. Worse still, IdPs provide their users with no service at all at most SPs, since those SPs are not part of the IdP's federation and are therefore considered untrusted. Finally, the IdPs are at the centre of the identity eco-system and issue short-lived identity assertions [4] or tokens [5] on demand to trusted SPs. Consequently, they know which SPs the user is visiting and when, which allows them to track her.
The W3C Verifiable Credentials (VC) Working Group has devised a model for federated identity management (FIM) [7] that overcomes the above weaknesses in the following ways. The architecture places the user, rather than the IdP, at the centre of the FIM eco-system, and the trust model only requires the SP to trust the IdP. Indeed, the IdP is not aware of which SP the user is presenting her identity credentials to. Privacy is better protected: the IdP cannot track the user, and the user is responsible for creating her own identifiers – she can have as many as she chooses – which limits the ability of SPs or IdPs to correlate her through a single globally unique identifier. Currently the W3C is only standardizing the data model for VCs; no protocol is being proposed. We therefore consider a new VC eco-system based on enhanced FIDO protocols.
The FIDO Alliance specifies two authentication frameworks: the Universal Authentication Framework (UAF) for password-less authentication from smart devices [8], and the Universal Second Factor protocol (U2F) for two-factor authentication using a small hardware token alongside a non-FIDO smart device running a FIDO-compliant web browser. Both rest on the same underlying principle of public-key cryptography: the authenticator signs a fresh challenge from the relying party with a private key that never leaves the device, and the relying party verifies the signature with the public key registered for that user, so no shared secret ever crosses the wire. This FIDO work has been taken up by the W3C, which is standardising it as the Web Authentication (WebAuthn) specification [6]. Whilst FIDO provides strong authentication, it does not provide authorization, so we have extended the FIDO UAF architecture and protocols to provide this, using the W3C VC model.
Our FIM system closely resembles the use of plastic cards, passports and the like in the physical world today. In this trust model only the SP has to trust that the IdP is the authoritative source of the identity attributes in the credential. A credential holder can show her credentials to any SP she chooses, without the permission of the IdP, and the IdP need not even be aware that an SP has seen a credential and used it for authorization. The user can combine or aggregate credentials from multiple issuers as an SP requires. The user thus has far more control over her credentials than over the electronic identity assertions issued by today's federation IdPs.
To demonstrate the usability of our solution, we conducted a user trial with the patients of a hospital in the UK. Patients used their fingerprints instead of usernames and passwords to authenticate to their smartphone, and asymmetric keys were used to authenticate the smartphone to the NHS web sites. The trial revealed a few sub-optimal design features that we have since corrected. However, the patients unanimously liked the app, found it easy to use, and were more than satisfied with its security and privacy-preserving properties.
Tutorial Organization
This tutorial deals with the latest web-based identity and access management technologies supporting the SAML 2.0, OpenID Connect, OAuth 2.0, XACML 3.0 and FIDO standards. We will briefly present the underlying technologies and the identity provisioning requirements, and will focus on authentication and authorization issues. We will demonstrate how to create a mobile app or web application that must guarantee the right access to the right individual at the right time for the right reason. The second part of the tutorial will be devoted to an innovative privacy-preserving system for web application developers. The system we built is based on FIDO and W3C Verifiable Credentials. We implemented a protocol that extends FIDO's Universal Authentication Framework (UAF) in order to provide both strong authentication and strong authorization while respecting the privacy of web users. We will describe our pilot implementations and show two different use cases: UK NHS patients and bank clients. The tutorial will also be the occasion to present the WebAuthn specification recently defined by the W3C. This specification provides a reliable alternative to password-based authentication by using public-key cryptography, and many high-profile websites and web browsers have already integrated it.
The organization of the tutorial is as follows:
- We will explore the exact meaning of the essential elements of any identity management system, trust and identity, and show why it is important to differentiate the concept of identity from those of authentication and authorization. We will also define related concepts such as identity provider, service provider, single sign-on (SSO) and federated identity management. (30 mins)
- We will recall the underlying web technologies before considering the latest identity management technologies: OAuth 2.0 [11], OpenID Connect [10], SAML 2.0 [9] and XACML 3.0 [12]. We will demonstrate how to create a mobile app or web application supported by these standards, and will end with an evaluation of their security features, and especially of the privacy characteristics they offer web users. (30 mins)
- We advocate a new identity management system, based on the FIDO and W3C Verifiable Credentials standards, that preserves the privacy of web users. The foundations of FIDO and W3C VC will be covered, and we will show how we implemented a protocol that extends FIDO's Universal Authentication Framework (UAF) to provide both strong authentication and strong authorization while respecting the privacy of web users. (35 mins)
- We will demonstrate two case studies, in the healthcare and financial domains. (15 mins)
- We will conclude the tutorial by presenting the WebAuthn specification and showing how our identity management solution is going to integrate it. (10 mins)
Presenters
- Abdelmalek Benzekri
- Romain Laborde
- David Chadwick
- Ahmad Samer Wazan
Abdelmalek Benzekri has been a full professor at the University of Toulouse – IUT ‘A’, Toulouse, France, since 1999, where he is Director of the Master's degree in CyberSecurity. He leads the Service IntEgration and netwoRk Administration (SIERA) research group. His research activities, conducted at IRIT, focus on systems and network management and specifically on information security management.
Romain Laborde has been an associate professor at the University of Toulouse (Paul Sabatier – IUT ‘A’), France, since 2006, and is a member of the Institut de Recherche en Informatique de Toulouse (IRIT). He received his PhD in Computer Science from University Paul Sabatier in 2005 and was then a Research Associate in the Information Systems Security Group of the Computer Science Department, University of Kent at Canterbury, UK. His research focuses on security management applied to network security configuration, identity and access management, and privacy.
David Chadwick, BSc, PhD, is Professor of Information Systems Security at the University of Kent. He has published widely, with over 180 publications in international journals, conferences and workshops. He is the BSI lead representative to ISO/ITU-T X.500 standards meetings, and was intimately involved in the design and standardisation of X.509 Public Key Infrastructures and Privilege Management Infrastructures (PMIs). He is currently an invited expert to the W3C Verifiable Credentials Working Group. As part of the EC PERMIS project he led the first group in the world to implement a policy-driven X.509 PMI. The resulting PERMIS software is available as open source from www.openpermis.info.
Ahmad Samer Wazan, PhD, is an assistant professor at the University of Toulouse. His research topics include trust management, PKIs, access control and, more recently, security requirements engineering. His research group has proposed extending the X.509 trust model with a new entity called the Trust Broker; the proposal is included in the 2016 edition of the X.509 standard.
References
[1] EU AARC Project, Deliverable DNA2.4, “Training Material Targeted at Identity Providers”, 27 July 2016. Available from https://aarc-project.eu/wp-content/uploads/2016/07/AARC-DNA2.4.pdf
[2] EC AARC Project, “AARC Blueprint Architecture”, 18 April 2017. Available from https://aarc-project.eu/wp-content/uploads/2017/04/AARC-BPA-2017.pdf
[3] Scott Cantor, “NativeSPAttributeResolver”, 7 Apr 2014 [Online]. Available: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeResolver
[4] OASIS, “Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V2.0”, OASIS Standard, 15 March 2005.
[5] N. Sakimura et al., “Final: OpenID Connect Core 1.0 incorporating errata set 1”, 8 Nov 2014 [Online]. Available: http://openid.net/specs/openid-connect-core-1_0.html
[6] W3C, “Web Authentication: An API for accessing Public Key Credentials Level 1”. Available at https://www.w3.org/TR/webauthn/
[7] W3C, “Verifiable Claims Data Model and Representations” [Online]. Available: https://www.w3.org/TR/verifiable-claims-data-model/
[8] FIDO Alliance, “FIDO UAF Architectural Overview”, FIDO Alliance Proposed Standard, 8 December 2014 [Online]. Available: https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-overview-v1.0-ps-20141208.html
[9] OASIS SAML specifications, http://saml.xml.org/saml-specifications
[10] OpenID Connect, http://openid.net/connect/
[11] OAuth 2.0, https://oauth.net/2/
[12] OASIS, “eXtensible Access Control Markup Language (XACML) Version 3.0”, OASIS Standard, http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html
[13] FIDO Alliance, https://fidoalliance.org