QT and the perimeter

Jeff Bohren, The Identity Management Expert at TalkBMC, makes a great point about what laptops mean and hits gold with Quantum Tunneling.

Kim Cameron has another interesting entry on Deperimeterization here. All of this got me to thinking about another aspect of perimeter security, and that is network location. People tend to think of computers as being logically located inside or outside of the security perimeter. Or more specifically people without laptops tend to think that. If you have a laptop, you quickly realize that you flip-flop between the state of being in and out of the perimeter on a daily basis, or more frequently is you use VPN.

I like the analogy of Quantum Tunneling (QT). One moment your laptop is outside the perimeter, the next it’s magically in. Then out again. QT in, QT out. Of course any malware your laptop picks up outside the perimeter will be carried in on the next trip in. This should really be the nail in the coffin of perimeter security thinking, but unfortunately it isn’t.

The QT analogy came to me because I have been reading Ilium by Dan Simmons (author of the Hyperion series). This SF novel combines The Illiad, QT, Greek Gods, a mostly depopulated Earth, a terraformed Mars, Little Green Men, and Jovian Cyborg buddies (one who likes Shakespeare and one who like Proust). I’m not done yet, so it will be interesting to see if Simmons can pull it all together at the end.

Here is the identity tie in. In Simmon’s future Earth, the few remaining inhabitants can teleport from place to place. It turns out that peoples bodies aren’t actually teleported. The body and brain waves are scanned at origin and that information is stored in a central computer. The body, thoughts, and clothing are reconstituted at the destination based on that information.

Teleportation of identity! Fascinating.

Jeff has definitely got it.

Identity – the toy model

I look forward to seeing Dave Kearns explore the notion of Legonics in an upcoming newsletter. As Dave explains – with his usual clarity:

This morning while delivering the opening keynote address for this year's Directory Experts Conference, Kim Cameron introduced me to a new term – “Legonics“.

This is a reference to the well-known building blocks, Legos, familiar to anyone under 40, and the parents of those under 40! The great thing about Legos is that any one piece can connect to any other piece. And while you can buy a small set that can build a particular object (such as a fire truck), the pieces in that set can be put together in different ways to build other objects or combined with other sets – or other loose pieces – to build completely different things. So by creating a Legonic Identity System (LIS?) we have one which can put together identity data in various ways to fit the conditions of the moment. Relying Parties, Identity Providers and User Agents can work together to construct sets of Identity Claims from all of the available pieces of identity data.

It's a good analogy, and a good paradigm, I think. I'll probably explore his more in the newsletter.

The fire truck link is fantastic, by the way.  Meanwhile, how about:

le·gon·ics: noun

  1. (used with a singular verb) the science dealing with the development and application of devices and systems that can be assembled through claims.
  2. (used with a plural verb) Legonic systems and devices:  The legonics aboard the new aircraft are very sophisticated.

Subject oriented programming

Here's a seminal posting by =kermit at a blog called Subjectivity – mapping the world of digital identity.  I buy into the “Subject Oriented Programming” idea – it's wonderful.

More than a decade ago I happened upon this programming language called C+-, pronounced “C, more or less”:

Unlike C++, C+- is a subject-oriented language. Each C+- class instance, known as a subject, holds hidden members, known as prejudices or undeclared preferences, which are impervious to outside messages, as well as public members known as boasts or claims.

Of course it was a joke and I laughed, but the joke stung a bit. It had occurred to me that a claims-based system like this could actually be useful. I had even come up with the name “subject-oriented” for it. So it hurt a bit to find the idea “out there” only as the butt of a joke.

Well, things have certainly changed since then. Today Kim Cameron posted an item titled “Identity systems all about making claims”, and linked to another article by NetworkWorld’s John Fontana which elaborates:

Cameron said the flexible claims architecture, which is based on standard protocols such as WS-Federation, WS-Trust and the Security Assertion Markup Language (SAML) will replace today’s more rigid systems that are based on a single point of truth […]

The claims model, he said, is more flexible and based on components that can be snapped together like Lego blocks. Cameron called them Legonic Systems, which, he said, are agile and self-organizing much like service-oriented architectures. The Legonic identity system is rethinking what users know today, he said, and is defined by a set of claims one subject makes about another.

Formulations like this make it clear how fundamental the coming “identity revolution” in computing could be. The German philosopher Hans Blumenberg argued in his book The Legitimacy of the Modern Age that modern science emerged from the sterility of medieval Scholasticism precisely because of its “renunciation of exactitude.” In other words, modern science emerged by replacing the idea of “eternal truth” with that of subjective claims and methodical doubt as epitomized in Descartes.

This incorporation of uncertainty and error continued into the twentieth century with the discovery of statistical mechanics and quantum indeterminacy. Could computer science, with the discovery of digital identity, finally be leaving its own rigid Scholastic period behind as well?

Answer:  Yup.

Future of Active Directory

Here's a snippet from  another article by John Fontana that will be of interest to people wondering how much wood Microsoft is ready to put behind the claims based model.  Stuart Kwan has played a central role in the evolution of Active Directory and the emerging identity products: 

Las Vegas – Microsoft Tuesday laid out a vision for Active Directory in which it will take on a major role in pushing out user identity data to applications and securing collaboration between users.

“We are moving from being a directory provider to an identity provider,” said Stuart Kwan, director of program management for identity and access at Microsoft, during the second day keynote at the annual NetPro Directory Experts Conference.

He said the benefit for corporate users would be a standard user access mechanism that would benefit application development, access management and allow companies to more easily spread their identity systems.

Kwan concluded that Active Directory was so close to fulfilling its original goals as a trusted directory service for corporate users that it was time to look ahead and envision the next set of challenges.

The new challenges, Kwan said, will put the directory in a key role in Microsoft’s Identity Metasystem, a model for distributed identity architecture. Coupled with an emerging technology called Security Token Service (STS), which handles the exchange of identity data, Microsoft envisions an architecture that pushes identity data out to applications that know how to interpret and act upon that data.

Today, applications typically pull user access data from the directory to determine a user’s access rights. The push model not only affords network efficiencies but more easily ties identity and application development, puts less stress on the directory, provides more flexibility in defining a user and their rights and gives the ability to federate identity with those outside the corporate network.

Kwan said the push mechanism would be similar to the way group membership data for a user is automatically included in today’s Kerberos authentication process.

In the future, identity data coming from the directory would be transformed by the STS gateway into a properly formatted “claim” or a set of claims about the user and his access rights.   (Continued here)

My one clarification is that neither Stuart nor I are talking about “Microsoft's” identity metasystem”.  We are trying to build an identity metasystem that stretches across vendors and platforms and products and countries.  We're trying to do our part within this metasystem. 

Identity systems all about making claims

Network World's excellent John Fontana has written about an opening keynote I gave recently at the Directory Experts’ Conference (DEC).   I was talking about claims, trying to start a conversation that I will pursue on my blog over the next while.

Las Vegas — The traditional concepts of authentication and authorization will eventually give way to an inclusive identity system where users will present claims that answer who they are or what they can do in order to access systems and content or complete transactions, according to Microsoft’s identity architect.

“This is happening now and all it needs to do is gain momentum,” said Kim Cameron, Microsoft’s identity architect, who gave the keynote address Monday to open NetPro’s Directory Experts Conference. He said the transformation to a claims-based identity model is 18-24 months away.

Cameron said the flexible claims architecture, which is based on standard protocols such as WS-Federation, WS-Trust and the Security Assertion Markup Language (SAML) will replace today’s more rigid systems that are based on a single point of truth, typically a directory of user information.

“You need extroverted systems, not introverted,” said Cameron, who over the past few years has aligned Microsoft, its competitors and open source advocates around user-centric identity models.

He said identity systems that are rigid and cannot connect to other systems will become irrelevant and a competitive disadvantage.

“You may come with a claim that you are authorized to do something and it may not have any authentication [information] at all,” he said. “This tremendously important factor means we can have a consistent technology that goes between authentication and authorization. We don’t need all these different technologies and have all this new stuff to learn. It can all be done using the claims-based model.”

Cameron said this thinking is very different from a few years ago when authentication and authorization were thought of as entirely separate technologies that should never be confused.

He said the beauty of the claims model is that it can grow out of the infrastructure users have today, including PKI, directory services and provisioning systems.

The claims model, he said, is more flexible and based on components that can be snapped together like Lego blocks. Cameron called them Legonic Systems, which, he said, are agile and self-organizing much like service-oriented architectures.   (Continued here…)

RunAsRadio does CardSpace

Dana Epp runs SilverStr blog and is a security pro with passion and a real handle on CardSpace and Information Cards.  Richard Campbell and Greg Hughs have the new radio blog called RunAsRadio.  The trio come through as likeable and relevant in the podcast Dana describes here:

Recently I was interviewed by Richard Campbell and Greg Hughs on RunAsRadio. You might have heard of Richard… he's also the host of .Net Rocks!. Where .NET Rocks! is for developers, RunAsRadio is for IT Pros.

Anyways, if you would like to listen to the interview we did on CardSpace, you can download it here. Its about a half hour long, and is a simple introduction to the world of Cardspace, atleast for the client side perspective.

For those already versed in the subject, you will notice a few term definition problems in the interview. It went by so fast, and I didn't make it clear what I was getting at. For those that don't know, here is a primer that may help understand how I talk about digital identity:

  • InfoCard : An information card. The previous code name for Cardspace [but now the name of the underlying technology – Kim]
  • Identity Card: Generic term to mean a piece of digital information that represents your identity [definition not recommended – Kim]
  • Identity Provider: As the name implies, a provider of one's digital identity.
  • Relying Party: A system/application that relies on a digital identity for authentication, and possibly authorization. It is up to this party to decide which Identity Provider(s) it is willing to trust. ie: Web site, LOB app etc
  • Claim: An assertion of a piece of information belonging to an identity. ie: username, password, age, phone number etc.
  • Wallet: A piece of software that holds Identity Cards. Vista ships with a wallet that holds Information Cards. You can also download it for XP.

In a couple of places I used the term “credential” where I was really talking about “claims”. And in passing it may sound like I was saying its the Identity Providers (IdP) role to decide who to trust. That didn't come out right. It is up to the relying party to decide which IdP it wishes to trust. In some cases, it will trust you, because you act as the provider. How? Because when you create a a self-issued card and submit it, you are asserting you are who you say you are. It won't be as trusted as much as say… a government IdP. But you get the point. I hope Kim doesn't think about throwing a brick at my head if he hears the interview 🙂 [I love the interview – no brick – Kim]

Anyways, fun interview. Richard and Greg have asked me to come back and do another one where we can explore the server side of things… and discuss how Relying Parties and Identity Providers really work. We may even get into some discussion about Longhorn server and some of the interesting bits there that can be leveraged for the new digital identity ecosystem. Until then… enjoy!

Actually, Dana is remarkably precise while still being interesting.  He has made even the hardest leap – separating credentials from claims cleanly enough that he catches himself when at one point he starts to slip.

In the interview Dana says “InfoCards”, and uses the word properly – to refer to the the technology we are working on across the industry.  “Windows CardSpace”, on the other hand, is the name of the Microsoft implementation of this technology. 

I take full responsibility for confusing everyone in this regard – and apologize to Dana and all my readers – because early in the product cycle I conflated our proposed technology ideas and our Microsoft implementation.  Over time we've become very crisp about our usage.  CardSpace is the way we store Information Cards on Windows; people abbreviate Information Cards into “InfoCards”. 

I do not use and do not like the phrase “Identity Cards” when talking about digital identity. 

“Identity Cards” conjure up government-issued citizen identities.  While  government cards are a legitimate notion when interacting with government sites, we don't want to imply that government-issued identities should be used everywhere or for everything!  People need to be able to assert different identities and decide which ones they want to pull out of their “wallets” – just as they do in the physical world.

But I nit-pick.  If you want to learn about CardSpace and Information Cards, check out this interview.

The dissolving perimeter

The perimeter of the enterprise is dissolving in an environment requiring greater collaboration, oursourcing and integration with both suppliers and customers.  But Consentry's recent report shows that most IT leaders perceive that “external” threats come from inside the enterprise itself… 

Increasing network user diversity is raising concerns that there is a need for a more dynamic approach to LAN security. The following report tackles this issue, advocating an identity-based approach to managing users on the network.

The key drivers for focusing on network security from a user perspective come from the level of transitory, or non-permanent, workers who access network environments on a daily basis. The research found a significant majority of respondents seeing the following groups as a threat to the network:

  • Temporary workers (62%)
  • Guest users (54%)
  • Contractors (51%)

With 82 percent of businesses in the survey saying they have moderate to high levels of nonpermanent workers accessing the network, it appears that the changing shape of the workforce is a contentious issue for security professionals.

Further highlights from the research are as follows:

  • 87% of respondents state that they have multiple levels of user access
  • 82% of respondents recognise the need to increase network security
  • 95% believe there is an increased need for the use of identity-based control
  • 41% of businesses do not have up-to-date network access
  • 65% acknowledge that network access is becoming more diverse and difficult to manage

Download the report here.

CardSpace and OpenSSO

The Sun Developer Network has published an article by Martin Gee entitled Securing Site Access with CardSpace and OpenSSO:

With today's ever-increasing demands for robust security software and systems, alternative authentication and trust mechanisms are gaining popularity. In particular, the user name-password authentication model is typically the root cause of many security frauds. Why? First, many of us record passwords somewhere, rendering them vulnerable for snooping. Second, our tendency to create passwords that are easy to remember makes them easy to be guessed or detected. Consequently, enterprises that have established processes along that model are looking for ways to better safeguard and optimize their systems without major overhauls.

Enter Windows CardSpace (henceforth, CardSpace), a Microsoft-led specification that has been gaining recognition over the past months. CardSpace defines a simplified paradigm that employs a security token called InfoCard for managing digital credentials and is available in Windows XP and Vista.

OpenSSO is Sun's open Web access management project based on Sun Java System Access Manager source code. As part of the open-source Project CardSpace on java.net, ICSynergy has extended OpenSSO to include CardSpace as a simple authentication module. In addition, ICSynergy offers a commercial CardSpace implementation for OpenSSO and Sun Java System Access Manager along with training programs.

This article describes the benefits, basic architecture, and process flow of the CardSpace-OpenSSO authentication module.

It is good to see things coming together across the “crevasses” that used to separate different industry forces.  If you do Java you should look at the Project CardSpace site.

Secret weapon against high tech

Thanks to Lars Iwer, a story from The Independent on breaching the invincible to get at the Crown Jewels.  By the way, how much does 120,000 carats weigh?  Answer here.  That's one big ring.

A thief has evaded one of the world's most expensive hi-tech security systems, and made off with €21m (£14.5m) worth of diamonds – thanks to a secret weapon rarely used on bank staff: personal charm.

In what may be the biggest robbery committed by one person, the conman burgled safety deposit boxes at an ABN Amro bank in Antwerp's diamond quarter, stealing gems weighing 120,000 carats. Posing as a successful businessman, the thief visited the bank frequently, befriending staff and gradually winning their confidence. He even brought them chocolates, according to one diamond industry official.

Now, embarrassed bank staff in Belgium's second city are wondering how they had been hoodwinked into giving a man with a false Argentine passport access to their vaults.

The prime suspect had been a regular customer at the bank for the past year, giving his name as Carlos Hector Flomenbaum from Argentina. The authorities, who have offered a €2m reward for information leading to an arrest, now know that a passport in that name was stolen in Israel a few years ago. Although not familiar to the local diamond dealers, the conman became one of several trusted traders given an electronic card to access the bank vault. The heist, believed to have been more than a year in the planning, has astounded diamond dealers.


Being psychic, I sense a movie coming.

Token Decryption Service for CardSpace

Via Richard Turner's blog, the announcement of an architecturally superior  token decryption component devised by Dominick Baier at leastprivilege.com

Dominick  and Richard have blogged previously about mitigating the dangers involved in allowing web middleware and front-end software to process encrypted payloads.  Decrypting a payload involves access to a private key.  The broader the range of applications that can get to the key, the greater the attack surface.  This led to discussions about:

  1. Re-factoring the token decryption code into an assembly that runs under full trust whilst the site runs under partial trust
  2. Building a Token Decryption Service to which you can pass your encrypted blob and you get back a list of claims, PPID and issuer key.

And that is exactly the problem Dominick has tackled:

Web Applications that want to decrypt CardSpace tokens need read access to the SSL private key. But you would increase your attack surface tremendously if you directly grant this access to the worker process account of your application. I wrote about this in more detail here and Richard Turner followed up here.

Together with my colleagues at Thinktecture (thanks Christian and Buddhike for code reviewing and QA) I wrote an out-of-proc token decryption service that allows decrypting tokens without having to have direct access to the private key in the application, the idea is as follows:

Your web application runs under its normal least privilege account with no read access to the private key. The token decryption service runs as an NT service on the same machine under an account that has read access. Whenever the application has to decrypt a token, it hands the encrypted token to the token decryption service which (in this version) simply uses the TokenProcessor to return a list of claims, a unique ID and the issuer key.

The token decryption service is implemented as a WCF service that uses named pipes to communicate with the applications. To make sure that only authorized applications can call into the service, the application(s) have to be member of a special Windows group called “TokenDecryptionUsers” (can be changed in configuration to support multiple decryption services on the same machine). I also wrote a shim for the WCF client proxy that allows using this service from partially trusted web applications.

The download contains binaries, installation instructions and the full source code. I hope this helps CardSpace adopters to improve the security of their applications and servers. If you have any comments or questions – feel free to contact me.

The approach is a good example of the “alligators and snakes” approach I discussed here recently.