Comprehensive Guide to Using FIDO for Enhanced Identity Management

Revised after presentation on November 29, 2022

Francisco Corella
fcorella@pomcor.com

How to use FIDO for everything

As an alternative to SAML
As an alternative to OpenID Connect
To implement US Gov Derived Credentials
For privacy enhanced identification
For user-centric identity

Outline
 
General approach
X.509 credentials (private key + X.509 certificate)
US Derived Credentials
Privacy-enhanced credentials
Alternative federated authentication
SAML
OpenID Connect
User-centric identity
 
General approach
 
We first proposed using a Service Worker in a presentation at ICMC 2017
In that presentation we were concerned with ANY kind of cryptographic credential
Not only key pairs, X.509 certificates, or public key certificates
Including credentials based on Zero Knowledge technology, such as Idemix anonymous credentials or U-Prove tokens
Slides 4-?? below are a special case of slides 10-18 in the ICMC presentation
 
Issuance of an X.509 credential

[Diagram. Components: Credential issuer; Internet; Browser; Web page; JavaScript (Credential Issuance page); localStorage; FIDO Authenticator]

Issuance of an X.509 credential

[Diagram. Components: Credential issuer; Internet; Browser; Web page; JavaScript; localStorage; FIDO Authenticator. Labels: Key pair generation; Private key (in FIDO Authenticator); Certificate storage; X.509 certificate (in localStorage)]

Presentation of an X.509 credential

[Diagram. Components: Credential issuer; Internet; Browser; Web page; JavaScript; Service worker; localStorage (X.509 certificate); FIDO Authenticator (Private key). Label: JS front-end registers SW with browser]

Presentation of an X.509 credential

[Diagram. Components as above, plus Relying party. Labels: JS front-end registers SW with browser; Identification request (from Relying party)]

Presentation of an X.509 credential

[Diagram. Components as above, with Relying party. Labels: JS redirection; Redirected request intercepted by browser; Intercepted request not seen by issuer]

Presentation of an X.509 credential

[Diagram. Components as above, with Relying party. Label: Consent request page generated by SW]

Presentation of an X.509 credential

[Diagram. Components as above, with Relying party. Label: Proof of possession]
 
Privacy-enhanced credentials
 
An X.509 certificate binds the public key to the collection of user attributes
For a privacy-enhanced credential the issuer issues instead a selective disclosure certificate that binds the public key to an omission-tolerant checksum (OTC) of the attributes
The OTC could be, e.g., the root-level of a typed hash tree
This makes it possible to omit attributes when the credential is presented
 
An alternative to Federated Authentication (e.g. SAML, OpenID Connect)

In Federated Authentication, the Identity Provider (IdP) provides only the attributes requested by the Relying Party (RP), with user consent
Alternative: IdP => Issuer of privacy enhanced credentials
Credential request by RP is intercepted by service worker
Service worker generates a consent page that shows the attributes and presents the credential to the RP, omitting attributes not requested by the IdP
Explicit request for consent is optional; if omitted, the service worker generates a JS-only page not seen by the user
 
User-centric identity
 
Identifier is email address provided by an Email Service Provider (ESP)
Multiple personas => multiple email addresses
User freely chooses ESP
ESP issues privacy-enhanced credential
Private key kept in platform authenticator of user’s laptop or in security key
Selective disclosure certificate binds public key to self-asserted attributes
ESP provides UI that allows user to supply attributes and change them at any time
Credential is reissued automatically when attributes change
RP sends identification request to ESP, but request is intercepted by service worker in user’s browser
Unobservability: ESP learns nothing about the identification transaction
Availability: ESP does not have to be online
RP finds ESP’s public key for credential verification and interceptable URL in DNS zone of ESP
Authoritative attribute providers issue attribute certificates (no private key) that bind the email address to additional attributes and are obtained separately by the RP
Uploaded on Aug 03, 2024