Comprehensive Guide to Using FIDO for Enhanced Identity Management


Explore how to leverage FIDO as an alternative to traditional protocols like SAML and OpenID Connect for privacy-enhanced identification and user-centric identity. Learn about the general approach, X.509 credentials, issuance procedures, and more from the revised presentation by Francisco Corella.


Uploaded on Aug 03, 2024



Presentation Transcript


  1. How to use FIDO for everything: As an alternative to SAML; As an alternative to OpenID Connect; To implement US Gov Derived Credentials; For privacy enhanced identification; For user-centric identity. Revised after presentation on November 29, 2022. Francisco Corella, fcorella@pomcor.com

  2. Outline: General approach; X.509 credentials (private key + X.509 certificate); US Derived Credentials; Privacy-enhanced credentials; Alternative federated authentication (SAML, OpenID Connect); User-centric identity

  3. General approach. We first proposed using a Service Worker in a presentation at ICMC 2017. In that presentation we were concerned with ANY kind of cryptographic credential: not only key pairs, X.509 certificates, or public key certificates, but also credentials based on zero-knowledge technology, such as Idemix anonymous credentials or U-Prove tokens. Slides 4-?? below are a special case of slides 10-18 in the ICMC presentation.

  4. Issuance of an X.509 credential (diagram). Parties: the credential issuer and the user's browser, connected over the Internet. Inside the browser: the issuer's web page, the credential-issuance JavaScript, localStorage, and the FIDO authenticator.

  5. Issuance of an X.509 credential (diagram). The JavaScript drives key pair generation in the FIDO authenticator and certificate storage: the private key stays in the FIDO authenticator, the X.509 certificate goes into localStorage.

  6. Presentation of an X.509 credential (diagram). The issuer's JS front-end registers a service worker (SW) with the browser. The X.509 certificate remains in localStorage and the private key in the FIDO authenticator.

  7. Presentation of an X.509 credential (diagram). The relying party sends an identification request addressed to the credential issuer.

  8. Presentation of an X.509 credential (diagram). The request is redirected by JS (JS redirection); the redirected request is intercepted by the browser and handed to the service worker, so the intercepted request is not seen by the issuer.

  9. Presentation of an X.509 credential (diagram). The service worker generates the consent request page.

  10. Presentation of an X.509 credential (diagram). The presentation sent to the relying party carries the X.509 certificate from localStorage together with a proof of possession of the private key, computed by the FIDO authenticator.
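As an added example, not code from the slides or from Pomcor, the interception step of slides 6-10 written as a service worker. The issuer's interceptable URL `https://esp.example/identify`, the query parameters `return_url`, `challenge` and `attrs`, and the list of attributes held in the credential are all assumptions; the deck does not fix a wire format. The routing decision is kept in a pure function so it can be exercised outside a browser, and only the last lines touch the worker API.

```javascript
// Added example (not from the slides): slides 6-10 as a service worker.
// Assumed wire format: the RP redirects the user to
//   https://esp.example/identify?return_url=...&challenge=<64 hex>&attrs=a,b
// The worker is registered by the issuer's JS front-end (slide 6) for a scope
// covering /identify, so the browser hands it the request before any packet
// reaches the issuer (slide 8).
'use strict';

const INTERCEPT_ORIGIN = 'https://esp.example'; // assumed issuer (ESP) origin
const INTERCEPT_PATH = '/identify';             // assumed interceptable path
// Constructed: attribute names in the credential kept in localStorage.
const HELD_ATTRIBUTES = ['email', 'birthdate', 'country'];

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Decide what to do with one request URL.
//   null                 -> not ours, let it go to the network
//   { error }            -> malformed identification request, answer locally
//   { consentHtml, ... } -> serve the locally generated consent page (slide 9)
function routeIdentificationRequest(urlString, heldAttributes = HELD_ATTRIBUTES) {
  const url = new URL(urlString);
  if (url.origin !== INTERCEPT_ORIGIN || url.pathname !== INTERCEPT_PATH) return null;

  const returnUrl = url.searchParams.get('return_url');
  const challenge = url.searchParams.get('challenge') || '';
  const requested = (url.searchParams.get('attrs') || '').split(',').filter(Boolean);

  // Malformed requests are refused locally, never forwarded: forwarding would
  // let the issuer observe the transaction (slide 13, unobservability).
  let rp;
  try { rp = new URL(returnUrl); } catch (e) { return { error: 'missing or invalid return_url' }; }
  if (rp.protocol !== 'https:') return { error: 'return_url must be https' };
  if (!/^[0-9a-f]{64}$/i.test(challenge)) return { error: 'challenge must be 32 random bytes in hex' };
  const unknown = requested.filter((a) => !heldAttributes.includes(a));
  if (unknown.length) return { error: `credential lacks requested attribute(s): ${unknown.join(', ')}` };

  // Only the requested attributes are listed; the rest will be omitted from
  // the presentation (slide 12). The page's own script would call WebAuthn
  // to sign the challenge and POST the presentation to return_url on Allow.
  const items = requested.map((a) => `<li>${escapeHtml(a)}</li>`).join('');
  const consentHtml = `<!doctype html><title>Identify to ${escapeHtml(rp.host)}</title>
<p>${escapeHtml(rp.host)} asks for:</p><ul>${items}</ul>
<form method="post" action="${escapeHtml(rp.href)}">
<input type="hidden" name="challenge" value="${escapeHtml(challenge)}">
<button name="consent" value="allow">Allow</button> <button name="consent" value="deny">Deny</button>
</form>`;
  return { consentHtml, requested, returnUrl: rp.href, challenge };
}

// Worker entry point. `self` does not exist in Node, so this only runs in a browser.
if (typeof self !== 'undefined' && typeof self.addEventListener === 'function') {
  self.addEventListener('fetch', (event) => {
    const decision = routeIdentificationRequest(event.request.url);
    if (decision === null) return; // default network handling
    const body = decision.error ? `<p>${escapeHtml(decision.error)}</p>` : decision.consentHtml;
    event.respondWith(new Response(body, {
      status: decision.error ? 400 : 200,
      headers: { 'content-type': 'text/html; charset=utf-8' },
    }));
  });
}
```

The browser only routes the redirected request through the worker when a worker from the issuer's origin is registered with a scope that covers the interceptable path; if the registration is absent or has been evicted, the same request travels to the issuer over the network, so the unobservability and availability properties of slide 13 hold only while the worker is installed.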

  11. Privacy-enhanced credentials. An X.509 certificate binds the public key to the whole collection of user attributes. A privacy-enhanced credential instead uses a selective disclosure certificate that binds the public key to an omission-tolerant checksum (OTC) of the attributes. The OTC could be, e.g., the root of a typed hash tree. This makes it possible to omit attributes when the credential is presented.

  12. An alternative to Federated Authentication (e.g. SAML, OpenID Connect). In federated authentication, the Identity Provider (IdP) provides only the attributes requested by the Relying Party (RP), with user consent. Alternative: IdP => issuer of privacy-enhanced credentials. The credential request by the RP is intercepted by the service worker. The service worker generates a consent page that lists the requested attributes and then presents the credential to the RP, omitting the attributes the RP did not request. The explicit request for consent is optional; if omitted, the service worker generates a JS-only page not seen by the user.

  13. User-centric identity. Identifier is an email address provided by an Email Service Provider (ESP). Multiple personas => multiple email addresses. User freely chooses the ESP. ESP issues a privacy-enhanced credential. Private key kept in the platform authenticator of the user's laptop or in a security key. Selective disclosure certificate binds the public key to self-asserted attributes. ESP provides a UI that allows the user to supply attributes and change them at any time. Credential is reissued automatically when attributes change. RP sends the identification request to the ESP, but the request is intercepted by the service worker in the user's browser. Unobservability: ESP learns nothing about the identification transaction. Availability: ESP does not have to be online. RP finds the ESP's public key for credential verification and the interceptable URL in the DNS zone of the ESP. Authoritative attribute providers issue attribute certificates (no private key) that bind the email address to additional attributes and are obtained separately by the RP.
