Identity State of the Art
Pascal Delprat & Olivier Dupont
JMB
©2007 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
Agenda
Identity
– What is it? Definitions
– What is next?
Different Needs
– Networks
– Enterprise
– Consumer
– Federated
Demo
Identity
Identity
In the real world, identity is about a person.
The general way of identifying oneself is by using one's name.
The proof is a birth certificate, a passport, a national ID card, a school photo ID.
An identity is best defined as what makes you, physically.
Classic identity problem
The above cartoon by Peter Steiner has been reproduced from page 61 of the July 5, 1993 issue of The New Yorker (Vol. 69 (LXIX) no. 20) only for academic discussion, evaluation, research and complies with the copyright law of the United States as defined and stipulated under Title 17 U.S. Code.
Every entity has an identity
Computer and Networking era has multiplied the number of identities someone has
Types of entities
– Person
– Legal and social entities (corporations, associations, groups)
– Devices (computers, PDAs, cell phones, routers, switches, etc.)
– Applications and Processes
On networks, where all communication is mediated by computers, the distinction between entities is theoretical. Therefore, we are concerned with Digital Identity.
Why Identity is Center
“Digital Identity is the organizing construct for computing that allows distributed, service oriented applications to dynamically adjust to the need of each user while simultaneously following the policies of the various authorities who control and/or manage the data and applications which are being used, and enabling visibility into what occurs”.
Phil Becker, Digital ID World 2006
What is digital identity?
[Diagram: Common Profile Info (Unique Identifier, Credentials, Address, etc.), Employer Profiles, App, Site, or Partner Profiles, Consumer Profiles]
• Subjects/entities (users, devices, apps)
• Name, number, other identifier
  – Unique in some scope
  – Persistent, long-lived
  – May be “pseudonym” or “true name”
• May have multiple credentials
  – Different strengths, different apps
  – Can change w/more frequency
• Attributes, entitlements, policies
  – More transient, fluid information
  – Often specific to apps or sites
Promises for identity in a networked world
Network Access
Allows Single Sign On (SSO)
Apply per user access control to resources
Is essential for regulatory compliance
– Health Care
– Banking
– Etc.
Provides basis for personalized services
– Presence
– Location
– Reputation
Simple Example First - ATM
A card holder inserts an ATM card, which has an identifier on it which uniquely identifies an account in the context of the card holder's bank.
The proof or credential is provided by the 4-digit PIN. With successful authentication, this authorizes the card holder to access the resources of that account. Authorized policy might be to view the account balance or to withdraw cash.
The parts of digital identity
Identifier: unique id for the entity in a specific context
Credential: used in authentication process to bind the identifier to the entity
Security Token is the combination of identifier and credential
Attributes: define the entity in a specific context
Authorization: permission to perform, determined by policy
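The ATM example and the five parts listed above map onto a small program. The following is an added illustration, not code from the original deck or from Cisco: the bank, card numbers, PINs, balances and the daily-limit policy are all constructed for the example. The identifier is the card number (unique in the bank's context), the credential is the PIN, the security token is the pair, the account record holds the attributes, and the authorization step is a policy decision made only after authentication succeeds.

```python
"""Toy model of identifier / credential / security token / attributes /
authorization, applied to the ATM example from the slides.
Constructed example: card numbers, PINs and amounts are invented."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Account:
    """Attributes that define the entity in the bank's context (amounts in cents)."""
    balance: int
    daily_limit: int        # policy input for the withdraw decision
    withdrawn_today: int = 0


class Bank:
    def __init__(self):
        self._accounts = {}   # identifier (card number) -> Account
        self._pins = {}       # identifier -> (salt, PBKDF2 hash of the PIN)

    @staticmethod
    def _hash(pin, salt):
        # Never store the credential itself; store a salted, slow hash of it.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, card_number, pin, balance, daily_limit):
        salt = os.urandom(16)
        self._pins[card_number] = (salt, self._hash(pin, salt))
        self._accounts[card_number] = Account(balance, daily_limit)

    def authenticate(self, token):
        """Bind the identifier to the entity by verifying the credential.
        token is the security token: (identifier, credential)."""
        card_number, pin = token
        if card_number not in self._pins:
            return False
        salt, expected = self._pins[card_number]
        # constant-time comparison so a wrong PIN is not distinguishable by timing
        return hmac.compare_digest(self._hash(pin, salt), expected)

    def authorize(self, card_number, action, amount=0):
        """Permission to perform, determined by policy (attributes of the account)."""
        acct = self._accounts[card_number]
        if action == "view_balance":
            return True
        if action == "withdraw":
            return (amount <= acct.balance
                    and acct.withdrawn_today + amount <= acct.daily_limit)
        return False

    def perform(self, token, action, amount=0):
        """Full flow: authenticate the token, then authorize the action, then act."""
        if not self.authenticate(token):
            return "denied: authentication failed"
        card_number, _ = token
        if not self.authorize(card_number, action, amount):
            return "denied: not authorized by policy"
        acct = self._accounts[card_number]
        if action == "view_balance":
            return f"balance={acct.balance}"
        acct.balance -= amount
        acct.withdrawn_today += amount
        return f"dispensed={amount}"


if __name__ == "__main__":
    bank = Bank()
    bank.enroll("4111-0001", "1234", balance=50000, daily_limit=30000)
    print(bank.perform(("4111-0001", "1234"), "view_balance"))
    print(bank.perform(("4111-0001", "0000"), "view_balance"))
    print(bank.perform(("4111-0001", "1234"), "withdraw", 20000))
    print(bank.perform(("4111-0001", "1234"), "withdraw", 20000))
```

Note the separation the slide insists on: a valid PIN only proves the binding between card and holder; whether cash is dispensed is a separate policy decision that consults the account's attributes.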
Identifiers
We Deal With Many Kinds of Identifiers
– Name (true names or pseudonyms)
– Email address
– The Network Access Identifier (NAI) is User-Name@Realm
– URL or URI
– XRI or i-names
– Serial number
– MAC address
– IP address
Credentials
We Deal With Many Kinds of Credentials
– Password
– Shared secrets
– List traits not known to others
– Cryptographic key - PKI or chain of trust
– Certificate - X.509
– Ticket - Kerberos
– Exception list based on IP or MAC address
Put it Into Contexts
Network access
– At the edge of a network - remote, wired or wireless
Enterprise - internal resource access
– Data center, workgroup servers
Consumer - web services
Federated identity
Network Access
Network Access
Within the context of network access, digital identity is the set of attributes defining an authenticated entity during the life of a session to allow policy based network control.
[Diagram: Network Access Devices and AAA Server (ACS); steps 1 Identifier/Credential, 2 Identifier/Credential, 3 Comply?, 4 Access Rights, 5 Traffic flows, 6 Enforcement]
Identity-Based Network Service (IBNS)
Focused in access layer
Leverages 802.1X (L2) expanding to MAC bypass and Web Authentication
Access based on user & device ID
Mainly enforces with VLANs
IBNS (802.1X) forms the foundation for new services such as NAC
Intelligent Edge (iEdge) for Service Providers
Where is the enforcement? At the Edge!
The network needs to be secure to the edge. Down to the Ethernet plug at the wall.
Enables the ability to make connections and policy decisions in the edge. E.g. DHCP scope and subscriber interaction.
Binds a subject to a session and to network services
Concepts for SP subscriber management are also based on identification, authentication and authorization
Limitations of identity in network access
• For authentication the most commonly used security token is a username and password
• Once authentication is complete, the most often used identifier is an IP address, because ACLs and VLANs are the basic network control and segmentation mechanisms used today
• If nothing else is done, there is loss of identity information about the entity within the network
• Even when the binding between the authenticated identifier from the security token and the IP address remains, one loses the original authentication approval with the IP address.
Advantages of “identity within the network”
Associate user's identity with the source IP address of hosts with a single user at a time.
Source addresses (in every packet) for any protocol, not just web services.
Network layer is lowest level that is end-to-end.
Requires address (anti-spoof) integrity (provided by RPF or inbound ACLs)
802.1X ► DHCP
[Diagram: 802.1X authentication, switch, AAA server and DHCP server]
• Switch caches the RADIUS attributes from the Access-Accept of the 802.1X EAP
• Switch includes RADIUS User-Name and Class in the DHCP-discover
• Enforcement point gets identity from ATUL of source address
• Enforcement point gets authorization for user from AAA
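The three network-access slides above (the loss of identity once only an IP address remains, the anti-spoof requirement, and the 802.1X/DHCP flow in which the switch carries User-Name and Class from the Access-Accept into the DHCP exchange) can be simulated in a few dozen lines. This is an added example, not Cisco code and not a description of any product's implementation: the port names, MAC and IP addresses, user names and the Class-to-policy table are invented, and the anti-spoof check stands in for what RPF or IP source guard would do on real hardware.

```python
"""Constructed simulation of identity-to-IP binding at the access layer:
802.1X Access-Accept -> binding on port/MAC -> extended to the DHCP lease,
then an enforcement point recovers identity by source-address lookup and
applies the authorization AAA attached to that identity.
All names, addresses and the policy table are invented for the example."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Binding:
    port: str
    mac: str
    user_name: str            # RADIUS User-Name from the Access-Accept
    radius_class: str         # RADIUS Class attribute returned by AAA
    ip: Optional[str] = None  # filled in once DHCP completes


class AccessSwitch:
    def __init__(self):
        self.by_port = {}     # port -> Binding (session state)
        self.by_ip = {}       # ip -> Binding (what the enforcement point looks up)

    def dot1x_access_accept(self, port, mac, user_name, radius_class):
        """Cache the RADIUS attributes from the Access-Accept against the port."""
        self.by_port[port] = Binding(port, mac, user_name, radius_class)

    def dhcp_ack(self, port, mac, ip):
        """Extend the cached binding to the leased IP address.
        A lease on a port with no authenticated session gets no binding,
        which is exactly the 'loss of identity' case from the slides."""
        b = self.by_port.get(port)
        if b is None or b.mac != mac:
            return False
        b.ip = ip
        self.by_ip[ip] = b
        return True

    def dot1x_logoff(self, port):
        """End of session: the identity-to-IP binding must go with it."""
        b = self.by_port.pop(port, None)
        if b is not None and b.ip is not None:
            self.by_ip.pop(b.ip, None)


# Authorization AAA would return per Class value (constructed policy table).
POLICY = {
    "employee": {"intranet", "internet"},
    "guest": {"internet"},
}


def enforce(switch, ingress_port, src_mac, src_ip, destination):
    """Enforcement point: identity from a source-address lookup,
    authorization from the AAA policy for that identity's Class."""
    b = switch.by_ip.get(src_ip)
    if b is None:
        return "drop: no identity for source address"
    # Address (anti-spoof) integrity: the packet must arrive on the port and
    # from the MAC the binding was learned on; otherwise the identity lookup
    # would attribute someone else's traffic to the authenticated user.
    if b.port != ingress_port or b.mac != src_mac:
        return "drop: source address does not match binding (spoof)"
    if destination in POLICY.get(b.radius_class, set()):
        return f"permit: {b.user_name} ({b.radius_class}) -> {destination}"
    return f"deny: {b.user_name} ({b.radius_class}) -> {destination}"


if __name__ == "__main__":
    sw = AccessSwitch()
    sw.dot1x_access_accept("Gi1/0/1", "00:11:22:33:44:55", "alice@example.com", "employee")
    sw.dhcp_ack("Gi1/0/1", "00:11:22:33:44:55", "10.0.0.10")
    print(enforce(sw, "Gi1/0/1", "00:11:22:33:44:55", "10.0.0.10", "intranet"))
    print(enforce(sw, "Gi1/0/2", "aa:bb:cc:dd:ee:ff", "10.0.0.10", "intranet"))
```

The point of the simulation is the lookup order at the enforcement point: identity comes only from the source address, so without the anti-spoof check any host that could use that address would inherit the user's authorization, and without the binding at all the packet is anonymous.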
Enterprise Needs
Levels of identity management
Password reset
- users allowed to reset their own passwords
Password synchronization
- single password across systems, does require logging in at each system
Single sign on
- user logs in once, and can access multiple systems; the SSO agent presents authentication credentials in the background
Access management software
- centrally control user access that grants authorization rights to each application or to specific data.
Enterprise Identity
Identity usage seems similar to network access, because it has the same emphasis and terms.
– Administration
– Authentication
– Authorization
– Audit
With access management software, identity is more tightly integrated and access to resources is enforced inside the perimeter.
Most identity management systems are back-ended by directory services.
Identity Management (IdM)
Is about managing actual identity data and promulgating it properly
Infrastructure to synchronize, delegate, and automate management of identity data and requestor/approver flows
All about making sure identity data is reliable, current, properly synchronized, available, and easier to administer
Directory Services
There is generally a directory service providing an abstraction layer between the users and the shared resources
A directory service defines the namespace for the network.
The directory service is a shared location infrastructure for locating and managing common items, which includes volumes, folders, files, printers, users, groups and devices
Common directory services
Windows NT Directory Service
Active Directory for Windows 2000, Server 2003
Novell Directory Services
OpenLDAP
Enterprise Rights Management (ERM)
• ERM allows for tracking of documents rather than other forms of media
• ERM not only controls who has access to the documents, but what privileges (read and/or write), at what time (business hours only) and for how long (30 days)
• Complete accounting of the activity for regulatory compliance
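The four policy dimensions on the ERM slide (who, which privileges, at what time, for how long) plus the accounting requirement fit naturally into a single policy check that writes an audit record for every decision. The block below is an added example written for this page, not Cisco code and not any ERM product's API; the document id, user names, grant dates and the 09:00 to 18:00 weekday definition of business hours are constructed for illustration.

```python
"""Constructed ERM-style policy check: who / read-write privileges /
business hours only / N-day validity, with every decision appended to an
audit log for accounting. Users, dates and the document id are invented."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


def _as_datetime(value):
    """Accept a datetime or an ISO 8601 string such as '2007-05-15T11:00'."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


@dataclass
class Grant:
    user: str
    privileges: frozenset          # subset of {"read", "write"}
    granted_at: datetime
    valid_for: timedelta           # e.g. 30 days
    business_hours_only: bool


@dataclass
class ProtectedDocument:
    doc_id: str
    grants: dict = field(default_factory=dict)      # user -> Grant
    audit_log: list = field(default_factory=list)   # one tuple per decision

    def grant(self, user, privileges, granted_at, days=30, business_hours_only=True):
        """'Who', 'what privileges', 'for how long' and 'at what time' in one record."""
        self.grants[user] = Grant(user, frozenset(privileges), _as_datetime(granted_at),
                                  timedelta(days=days), business_hours_only)

    def check(self, user, privilege, now):
        """Evaluate the policy and record the outcome whether allowed or not."""
        now = _as_datetime(now)
        allowed, reason = self._evaluate(user, privilege, now)
        self.audit_log.append((now.isoformat(), self.doc_id, user, privilege, allowed, reason))
        return allowed

    def _evaluate(self, user, privilege, now):
        g = self.grants.get(user)
        if g is None:
            return False, "no grant"
        if now < g.granted_at or now > g.granted_at + g.valid_for:
            return False, "grant expired"
        # Business hours here mean Monday to Friday, 09:00 to 18:00 (an assumption).
        if g.business_hours_only and not (now.weekday() < 5 and 9 <= now.hour < 18):
            return False, "outside business hours"
        if privilege not in g.privileges:
            return False, "privilege not granted"
        return True, "ok"

    def denials(self):
        """Audit view: the denied attempts and why, for compliance reporting."""
        return [(entry[2], entry[3], entry[5]) for entry in self.audit_log if not entry[4]]


if __name__ == "__main__":
    doc = ProtectedDocument("contract-draft-7")
    doc.grant("alice", {"read"}, "2007-05-14T10:00", days=30)
    print(doc.check("alice", "read", "2007-05-15T11:00"))    # weekday, in hours, valid
    print(doc.check("alice", "write", "2007-05-15T11:00"))   # read-only grant
    print(doc.check("alice", "read", "2007-05-19T11:00"))    # Saturday
    print(doc.check("alice", "read", "2007-06-20T11:00"))    # past 30 days
    print(doc.denials())
```

The audit log records denials as well as grants, because the compliance question is usually "who tried to open this and when", not only "who succeeded".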
Consumer Needs
Web services
Consumer
Problems users wish to solve:
Having too many usernames and passwords
– Hard to remember all of them, or users re-use the same username and password at multiple web sites
Filling in forms at the different web sites
Users want more control over their information
Protection from impersonation and identity theft
Emphasis on user control of their information is referred to as “user-centric” identity
Additional benefits of identity
Identification of user at each web site helps:
Remember account details
Facilitate purchasing & billing
Add convenience: wish lists and shopping cart
The Problem
[Diagram: User linked separately to each web site]
User has a separate relationship with each company (web site)
Each company acts as their own Identity Provider
User provides each company with duplicate information
Windows Live ID solution
[Diagram: User, Microsoft “PASSPORT” Id services]
Microsoft's Windows Live ID (formerly Passport) is a centralized identity system with the goals of
1. To be an Identity provider to MSN and other Microsoft web sites
2. To be an Identity provider to the Internet
• Users would have one Identity Provider
Although it has 250 million users, it did not make sense to be between a company and its customers - it failed point 2
Demo
Find Cisco news every month in CiscoMag, the Cisco France newsletter. Subscription: www.cisco.fr/go/ciscomag
Solutions seminar: The Campus network, Thursday 24 May 2007, morning, at the Institut Océanographique - Paris