Subject oriented programming

Here's a seminal posting by =kermit at a blog called Subjectivity – mapping the world of digital identity.  I buy into the “Subject Oriented Programming” idea – it's wonderful.

More than a decade ago I happened upon this programming language called C+-, pronounced “C, more or less”:

Unlike C++, C+- is a subject-oriented language. Each C+- class instance, known as a subject, holds hidden members, known as prejudices or undeclared preferences, which are impervious to outside messages, as well as public members known as boasts or claims.

Of course it was a joke and I laughed, but the joke stung a bit. It had occurred to me that a claims-based system like this could actually be useful. I had even come up with the name “subject-oriented” for it. So it hurt a bit to find the idea “out there” only as the butt of a joke.

Well, things have certainly changed since then. Today Kim Cameron posted an item titled “Identity systems all about making claims”, and linked to another article by NetworkWorld’s John Fontana which elaborates:

Cameron said the flexible claims architecture, which is based on standard protocols such as WS-Federation, WS-Trust and the Security Assertion Markup Language (SAML) will replace today’s more rigid systems that are based on a single point of truth […]

The claims model, he said, is more flexible and based on components that can be snapped together like Lego blocks. Cameron called them Legonic Systems, which, he said, are agile and self-organizing much like service-oriented architectures. The Legonic identity system is rethinking what users know today, he said, and is defined by a set of claims one subject makes about another.

Formulations like this make it clear how fundamental the coming “identity revolution” in computing could be. The German philosopher Hans Blumenberg argued in his book The Legitimacy of the Modern Age that modern science emerged from the sterility of medieval Scholasticism precisely because of its “renunciation of exactitude.” In other words, modern science emerged by replacing the idea of “eternal truth” with that of subjective claims and methodical doubt as epitomized in Descartes.

This incorporation of uncertainty and error continued into the twentieth century with the discovery of statistical mechanics and quantum indeterminacy. Could computer science, with the discovery of digital identity, finally be leaving its own rigid Scholastic period behind as well?

Answer:  Yup.

Future of Active Directory

Here's a snippet from another article by John Fontana that will be of interest to people wondering how much wood Microsoft is ready to put behind the claims-based model. Stuart Kwan has played a central role in the evolution of Active Directory and the emerging identity products:

Las Vegas – Microsoft Tuesday laid out a vision for Active Directory in which it will take on a major role in pushing out user identity data to applications and securing collaboration between users.

“We are moving from being a directory provider to an identity provider,” said Stuart Kwan, director of program management for identity and access at Microsoft, during the second day keynote at the annual NetPro Directory Experts Conference.

He said the benefit for corporate users would be a standard user access mechanism that would benefit application development, access management and allow companies to more easily spread their identity systems.

Kwan concluded that Active Directory was so close to fulfilling its original goals as a trusted directory service for corporate users that it was time to look ahead and envision the next set of challenges.

The new challenges, Kwan said, will put the directory in a key role in Microsoft’s Identity Metasystem, a model for distributed identity architecture. Coupled with an emerging technology called Security Token Service (STS), which handles the exchange of identity data, Microsoft envisions an architecture that pushes identity data out to applications that know how to interpret and act upon that data.

Today, applications typically pull user access data from the directory to determine a user’s access rights. The push model not only affords network efficiencies but more easily ties identity and application development, puts less stress on the directory, provides more flexibility in defining a user and their rights and gives the ability to federate identity with those outside the corporate network.

Kwan said the push mechanism would be similar to the way group membership data for a user is automatically included in today’s Kerberos authentication process.

In the future, identity data coming from the directory would be transformed by the STS gateway into a properly formatted “claim” or a set of claims about the user and his access rights.   (Continued here)

My one clarification is that neither Stuart nor I am talking about a “Microsoft identity metasystem”. We are trying to build an identity metasystem that stretches across vendors, platforms, products and countries. We're trying to do our part within this metasystem.

Identity systems all about making claims

Network World's excellent John Fontana has written about an opening keynote I gave recently at the Directory Experts’ Conference (DEC).   I was talking about claims, trying to start a conversation that I will pursue on my blog over the next while.

Las Vegas — The traditional concepts of authentication and authorization will eventually give way to an inclusive identity system where users will present claims that answer who they are or what they can do in order to access systems and content or complete transactions, according to Microsoft’s identity architect.

“This is happening now and all it needs to do is gain momentum,” said Kim Cameron, Microsoft’s identity architect, who gave the keynote address Monday to open NetPro’s Directory Experts Conference. He said the transformation to a claims-based identity model is 18-24 months away.

Cameron said the flexible claims architecture, which is based on standard protocols such as WS-Federation, WS-Trust and the Security Assertion Markup Language (SAML) will replace today’s more rigid systems that are based on a single point of truth, typically a directory of user information.

“You need extroverted systems, not introverted,” said Cameron, who over the past few years has aligned Microsoft, its competitors and open source advocates around user-centric identity models.

He said identity systems that are rigid and cannot connect to other systems will become irrelevant and a competitive disadvantage.

“You may come with a claim that you are authorized to do something and it may not have any authentication [information] at all,” he said. “This tremendously important factor means we can have a consistent technology that goes between authentication and authorization. We don’t need all these different technologies and have all this new stuff to learn. It can all be done using the claims-based model.”

Cameron said this thinking is very different from a few years ago when authentication and authorization were thought of as entirely separate technologies that should never be confused.

He said the beauty of the claims model is that it can grow out of the infrastructure users have today, including PKI, directory services and provisioning systems.

The claims model, he said, is more flexible and based on components that can be snapped together like Lego blocks. Cameron called them Legonic Systems, which, he said, are agile and self-organizing much like service-oriented architectures.   (Continued here…)

RunAsRadio does CardSpace

Dana Epp runs the SilverStr blog and is a security pro with passion and a real handle on CardSpace and Information Cards. Richard Campbell and Greg Hughs have a new radio blog called RunAsRadio. The trio come across as likeable and relevant in the podcast Dana describes here:

Recently I was interviewed by Richard Campbell and Greg Hughs on RunAsRadio. You might have heard of Richard… he's also the host of .Net Rocks!. Where .NET Rocks! is for developers, RunAsRadio is for IT Pros.

Anyways, if you would like to listen to the interview we did on CardSpace, you can download it here. It's about half an hour long, and is a simple introduction to the world of CardSpace, at least from the client-side perspective.

For those already versed in the subject, you will notice a few term definition problems in the interview. It went by so fast, and I didn't make it clear what I was getting at. For those that don't know, here is a primer that may help you understand how I talk about digital identity:

  • InfoCard: An information card. The previous code name for CardSpace [but now the name of the underlying technology – Kim]
  • Identity Card: Generic term to mean a piece of digital information that represents your identity [definition not recommended – Kim]
  • Identity Provider: As the name implies, a provider of one's digital identity.
  • Relying Party: A system/application that relies on a digital identity for authentication, and possibly authorization. It is up to this party to decide which Identity Provider(s) it is willing to trust. i.e. web site, LOB app, etc.
  • Claim: An assertion of a piece of information belonging to an identity. i.e. username, password, age, phone number, etc.
  • Wallet: A piece of software that holds Identity Cards. Vista ships with a wallet that holds Information Cards. You can also download it for XP.

In a couple of places I used the term “credential” where I was really talking about “claims”. And in passing it may sound like I was saying it's the Identity Provider's (IdP) role to decide who to trust. That didn't come out right. It is up to the relying party to decide which IdP it wishes to trust. In some cases, it will trust you, because you act as the provider. How? Because when you create a self-issued card and submit it, you are asserting you are who you say you are. It won't be trusted as much as, say… a government IdP. But you get the point. I hope Kim doesn't think about throwing a brick at my head if he hears the interview 🙂 [I love the interview – no brick – Kim]

Anyways, fun interview. Richard and Greg have asked me to come back and do another one where we can explore the server side of things… and discuss how Relying Parties and Identity Providers really work. We may even get into some discussion about Longhorn server and some of the interesting bits there that can be leveraged for the new digital identity ecosystem. Until then… enjoy!
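The relying-party side of what Dana describes (the RP, not the IdP, decides whom to trust; a self-issued card counts for less than a third-party issuer; and, as the keynote article above puts it, a claim need carry no authentication information at all) as an added Go example. This is my illustration, not Dana's code and not any CardSpace or OpenSSO component; the token layout, the issuer names, the claim types and the Ed25519 signing are constructed stand-ins for a SAML assertion and its issuer certificate:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Claims is a set of assertions about a subject, keyed by claim type.
type Claims map[string]string

// Token is a constructed, minimal signed claims token standing in for the
// SAML assertion an issuer would produce: who says it, what is said, and a
// signature the relying party can check against the issuer's key.
type Token struct {
	Issuer string `json:"issuer"`
	Claims Claims `json:"claims"`
	Sig    []byte `json:"sig"`
}

// signedPayload is the byte string the issuer signs. encoding/json sorts
// map keys, so the same claims always serialize the same way.
func signedPayload(issuer string, c Claims) []byte {
	b, _ := json.Marshal(struct {
		Issuer string `json:"issuer"`
		Claims Claims `json:"claims"`
	}{issuer, c})
	return b
}

// Issue is the identity provider side: sign the claims with the issuer key.
func Issue(issuer string, priv ed25519.PrivateKey, c Claims) Token {
	return Token{Issuer: issuer, Claims: c, Sig: ed25519.Sign(priv, signedPayload(issuer, c))}
}

// RelyingParty holds its own trust policy: which issuers it believes and
// which claim types it will take from each. That choice is the RP's.
type RelyingParty struct {
	Keys    map[string]ed25519.PublicKey // issuer name -> verification key
	Believe map[string][]string          // issuer name -> claim types accepted
}

// Accept verifies the token and returns only the claims the RP is willing
// to believe from that issuer; anything else the token asserts is dropped.
func (rp RelyingParty) Accept(t Token) (Claims, error) {
	pub, ok := rp.Keys[t.Issuer]
	if !ok {
		return nil, errors.New("issuer not trusted: " + t.Issuer)
	}
	if !ed25519.Verify(pub, signedPayload(t.Issuer, t.Claims), t.Sig) {
		return nil, errors.New("signature does not verify")
	}
	out := Claims{}
	for _, typ := range rp.Believe[t.Issuer] {
		if v, present := t.Claims[typ]; present {
			out[typ] = v
		}
	}
	return out, nil
}

// Demo runs two constructed issuers (Alice's self-issued card and an
// age-verification service) against one relying party, then tries a token
// whose claims were edited after signing.
func Demo() (fromSelf, fromVerifier Claims, tamperErr error) {
	selfPub, selfPriv, _ := ed25519.GenerateKey(rand.Reader)
	verPub, verPriv, _ := ed25519.GenerateKey(rand.Reader)
	rp := RelyingParty{
		Keys:    map[string]ed25519.PublicKey{"self-issued:alice": selfPub, "age-verifier.example": verPub},
		Believe: map[string][]string{"self-issued:alice": {"nickname"}, "age-verifier.example": {"over18"}},
	}
	// Alice vouches for herself; the RP takes her nickname but not her age claim.
	fromSelf, _ = rp.Accept(Issue("self-issued:alice", selfPriv, Claims{"nickname": "alice", "over18": "true"}))
	// The verifier asserts over18 with no username, email or password at all.
	verTok := Issue("age-verifier.example", verPriv, Claims{"over18": "true"})
	fromVerifier, _ = rp.Accept(verTok)
	// Same signature, edited claims: the RP must reject it.
	verTok.Claims = Claims{"over18": "true", "admin": "true"}
	_, tamperErr = rp.Accept(verTok)
	return fromSelf, fromVerifier, tamperErr
}

func main() {
	s, v, err := Demo()
	fmt.Println("from self-issued card:", s)
	fmt.Println("from age verifier:", v)
	fmt.Println("tampered token:", err)
}
```

The Believe table is the part worth copying: a relying party that filters claims by issuer, rather than believing whatever a valid signature carries, is what keeps a self-issued card from asserting its way into claims only a stronger issuer should supply.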

Actually, Dana is remarkably precise while still being interesting.  He has made even the hardest leap – separating credentials from claims cleanly enough that he catches himself when at one point he starts to slip.

In the interview Dana says “InfoCards”, and uses the word properly – to refer to the technology we are working on across the industry. “Windows CardSpace”, on the other hand, is the name of the Microsoft implementation of this technology.

I take full responsibility for confusing everyone in this regard – and apologize to Dana and all my readers – because early in the product cycle I conflated our proposed technology ideas and our Microsoft implementation.  Over time we've become very crisp about our usage.  CardSpace is the way we store Information Cards on Windows; people abbreviate Information Cards into “InfoCards”. 

I do not use and do not like the phrase “Identity Cards” when talking about digital identity. 

“Identity Cards” conjure up government-issued citizen identities. While government cards are a legitimate notion when interacting with government sites, we don't want to imply that government-issued identities should be used everywhere or for everything! People need to be able to assert different identities and decide which ones they want to pull out of their “wallets” – just as they do in the physical world.

But I nit-pick.  If you want to learn about CardSpace and Information Cards, check out this interview.

The dissolving perimeter

The perimeter of the enterprise is dissolving in an environment requiring greater collaboration, outsourcing and integration with both suppliers and customers. But Consentry's recent report shows that most IT leaders perceive that “external” threats come from inside the enterprise itself…

Increasing network user diversity is raising concerns that there is a need for a more dynamic approach to LAN security. The following report tackles this issue, advocating an identity-based approach to managing users on the network.

The key drivers for focusing on network security from a user perspective come from the level of transitory, or non-permanent, workers who access network environments on a daily basis. The research found a significant majority of respondents seeing the following groups as a threat to the network:

  • Temporary workers (62%)
  • Guest users (54%)
  • Contractors (51%)

With 82 percent of businesses in the survey saying they have moderate to high levels of nonpermanent workers accessing the network, it appears that the changing shape of the workforce is a contentious issue for security professionals.

Further highlights from the research are as follows:

  • 87% of respondents state that they have multiple levels of user access
  • 82% of respondents recognise the need to increase network security
  • 95% believe there is an increased need for the use of identity-based control
  • 41% of businesses do not have up-to-date network access
  • 65% acknowledge that network access is becoming more diverse and difficult to manage

Download the report here.

CardSpace and OpenSSO

The Sun Developer Network has published an article by Martin Gee entitled Securing Site Access with CardSpace and OpenSSO:

With today's ever-increasing demands for robust security software and systems, alternative authentication and trust mechanisms are gaining popularity. In particular, the user name-password authentication model is typically the root cause of many security frauds. Why? First, many of us record passwords somewhere, rendering them vulnerable for snooping. Second, our tendency to create passwords that are easy to remember makes them easy to be guessed or detected. Consequently, enterprises that have established processes along that model are looking for ways to better safeguard and optimize their systems without major overhauls.

Enter Windows CardSpace (henceforth, CardSpace), a Microsoft-led specification that has been gaining recognition over the past months. CardSpace defines a simplified paradigm that employs a security token called InfoCard for managing digital credentials and is available in Windows XP and Vista.

OpenSSO is Sun's open Web access management project based on Sun Java System Access Manager source code. As part of the open-source Project CardSpace on java.net, ICSynergy has extended OpenSSO to include CardSpace as a simple authentication module. In addition, ICSynergy offers a commercial CardSpace implementation for OpenSSO and Sun Java System Access Manager along with training programs.

This article describes the benefits, basic architecture, and process flow of the CardSpace-OpenSSO authentication module.

It is good to see things coming together across the “crevasses” that used to separate different industry forces.  If you do Java you should look at the Project CardSpace site.

Secret weapon against high tech

Thanks to Lars Iwer, a story from The Independent on breaching the invincible to get at the Crown Jewels.  By the way, how much does 120,000 carats weigh?  Answer here.  That's one big ring.

A thief has evaded one of the world's most expensive hi-tech security systems, and made off with €21m (£14.5m) worth of diamonds – thanks to a secret weapon rarely used on bank staff: personal charm.

In what may be the biggest robbery committed by one person, the conman burgled safety deposit boxes at an ABN Amro bank in Antwerp's diamond quarter, stealing gems weighing 120,000 carats. Posing as a successful businessman, the thief visited the bank frequently, befriending staff and gradually winning their confidence. He even brought them chocolates, according to one diamond industry official.

Now, embarrassed bank staff in Belgium's second city are wondering how they had been hoodwinked into giving a man with a false Argentine passport access to their vaults.

The prime suspect had been a regular customer at the bank for the past year, giving his name as Carlos Hector Flomenbaum from Argentina. The authorities, who have offered a €2m reward for information leading to an arrest, now know that a passport in that name was stolen in Israel a few years ago. Although not familiar to the local diamond dealers, the conman became one of several trusted traders given an electronic card to access the bank vault. The heist, believed to have been more than a year in the planning, has astounded diamond dealers.

(Continues…)

Being psychic, I sense a movie coming.

Token Decryption Service for CardSpace

Via Richard Turner's blog, the announcement of an architecturally superior token decryption component devised by Dominick Baier at leastprivilege.com.

Dominick and Richard have blogged previously about mitigating the dangers involved in allowing web middleware and front-end software to process encrypted payloads. Decrypting a payload involves access to a private key. The broader the range of applications that can get to the key, the greater the attack surface. This led to discussions about:

  1. Re-factoring the token decryption code into an assembly that runs under full trust whilst the site runs under partial trust
  2. Building a Token Decryption Service to which you can pass your encrypted blob and you get back a list of claims, PPID and issuer key.

And that is exactly the problem Dominick has tackled:

Web Applications that want to decrypt CardSpace tokens need read access to the SSL private key. But you would increase your attack surface tremendously if you directly grant this access to the worker process account of your application. I wrote about this in more detail here and Richard Turner followed up here.

Together with my colleagues at Thinktecture (thanks Christian and Buddhike for code reviewing and QA) I wrote an out-of-proc token decryption service that allows decrypting tokens without having to have direct access to the private key in the application. The idea is as follows:

Your web application runs under its normal least privilege account with no read access to the private key. The token decryption service runs as an NT service on the same machine under an account that has read access. Whenever the application has to decrypt a token, it hands the encrypted token to the token decryption service which (in this version) simply uses the TokenProcessor to return a list of claims, a unique ID and the issuer key.

The token decryption service is implemented as a WCF service that uses named pipes to communicate with the applications. To make sure that only authorized applications can call into the service, the application(s) have to be members of a special Windows group called “TokenDecryptionUsers” (can be changed in configuration to support multiple decryption services on the same machine). I also wrote a shim for the WCF client proxy that allows using this service from partially trusted web applications.

The download contains binaries, installation instructions and the full source code. I hope this helps CardSpace adopters to improve the security of their applications and servers. If you have any comments or questions – feel free to contact me.

The approach is a good example of the “alligators and snakes” approach I discussed here recently.
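The second option in the list above, an out-of-process decryption service, as an added example in Go. It is not Dominick's WCF service or any Thinktecture code: net.Pipe stands in for the named pipe, the caller name in the request stands in for the Windows identity the named-pipe transport would establish, the allowed-caller set stands in for the TokenDecryptionUsers group, and the JSON token is a constructed stand-in for an encrypted SAML token. What it shows is the point the post makes: the private key exists only on the service side, the application gets back claims, a PPID and an issuer, and a caller outside the group gets nothing.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net"
)

// Token is what the service hands back: claims, a unique ID (PPID) and the
// issuer. The JSON layout is constructed for this example.
type Token struct {
	Issuer string            `json:"issuer"`
	PPID   string            `json:"ppid"`
	Claims map[string]string `json:"claims"`
}

// request and response are the messages on the pipe. Caller stands in for
// the identity the transport would establish; here the client supplies it,
// which a real service must never rely on.
type request struct {
	Caller string `json:"caller"`
	Blob   []byte `json:"blob"`
}
type response struct {
	Token *Token `json:"token,omitempty"`
	Error string `json:"error,omitempty"`
}

// decryptionService is the only side that ever holds the private key.
type decryptionService struct {
	key     *rsa.PrivateKey
	allowed map[string]bool // stands in for the TokenDecryptionUsers group
}

// serve answers one request: check the caller, decrypt, return the claims.
func (s *decryptionService) serve(conn net.Conn) {
	defer conn.Close()
	var req request
	var resp response
	if err := json.NewDecoder(conn).Decode(&req); err != nil {
		resp.Error = "bad request"
	} else if !s.allowed[req.Caller] {
		resp.Error = "caller is not in TokenDecryptionUsers"
	} else if pt, err := rsa.DecryptOAEP(sha256.New(), nil, s.key, req.Blob, nil); err != nil {
		resp.Error = "decryption failed"
	} else {
		var t Token
		if json.Unmarshal(pt, &t) != nil {
			resp.Error = "malformed token"
		} else {
			resp.Token = &t
		}
	}
	_ = json.NewEncoder(conn).Encode(resp)
}

// DecryptViaService is the application side: it has no key, only the result.
func DecryptViaService(conn net.Conn, caller string, blob []byte) (*Token, error) {
	defer conn.Close()
	if err := json.NewEncoder(conn).Encode(request{Caller: caller, Blob: blob}); err != nil {
		return nil, err
	}
	var resp response
	if err := json.NewDecoder(conn).Decode(&resp); err != nil {
		return nil, err
	}
	if resp.Error != "" {
		return nil, errors.New(resp.Error)
	}
	return resp.Token, nil
}

// RunScenario pushes one constructed token through the service over net.Pipe
// (standing in for the named pipe) and returns what the application got.
func RunScenario(caller string) (*Token, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // the site's SSL key, generated here
	if err != nil {
		return nil, err
	}
	svc := &decryptionService{key: key, allowed: map[string]bool{"cardspace-site": true}}
	plain, _ := json.Marshal(Token{Issuer: "self-issued", PPID: "constructed-ppid-1",
		Claims: map[string]string{"email": "alice@example.com"}})
	blob, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &key.PublicKey, plain, nil)
	if err != nil {
		return nil, err
	}
	client, server := net.Pipe()
	go svc.serve(server)
	return DecryptViaService(client, caller, blob)
}

func main() {
	tok, err := RunScenario("cardspace-site")
	fmt.Printf("site in group: %+v %v\n", tok, err)
	_, err = RunScenario("other-site")
	fmt.Println("site outside group:", err)
}
```

The one thing this toy cannot do is authenticate the caller: on Windows the named-pipe transport tells the service which account is on the other end, and that is what the group check must be made against, never a name the application writes into its own request.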

Weaknesses of Strong Authentication?

Here is a piece by Robert Richardson from the CSI Blog. He discusses what one of his colleagues calls “some of the weaknesses or downright drawbacks of strong authentication methods”:

There's this author named Kathy Sierra who's currently at the center of one of those firestorms that break out on the Web now and again. Some threatening material regarding her was posted on the Web, she blames some fairly prominent bloggers for being involved in one way or another, and the rest seems to be finger pointing and confusion.

One detail of the saga worth considering is that one of the implicated bloggers claims that actions were taken by someone using his identity and access to his passworded accounts (this is quoted from Kim Cameron's Blog):

I am writing this from a new computer, using an email address that will be deleted at the end of this. I am no longer me. My main machine, despite my best efforts, has been hacked, my accounts compromised including my email, and has been disconnected from the internet.

How did this happen? When did this happen?

This is, to be sure, something of a doomsday scenario for an individual user – the complete breach of one's identity across all the systems one uses and cares about (I'm assuming that the person in question, Allen Harrell, is telling the truth about being hacked).

Kim Cameron writes this on his blog:

Maybe next time Allan and colleagues will be using Information Cards, not passwords, not shared secrets. This won’t extinguish either flaming or trolling, but it can sure make breaking in to someone’s site unbelievably harder – assuming we get to the point where our blogging software is safe too.

But I'm not convinced of this for a couple of reasons. First, Information Cards may or may not make breaking into someone's site unbelievably harder. Hackers sidestep the authentication process (strong or otherwise) all the time. Second, the perception of super-duper strong identity management may make it harder to prove that one's identity was in fact hacked.

InfoCard credentials are only more reliable if the system where they are being used is highly secure. If I'm using a given highly trusted credential from my system, but my system has been compromised, then the situation just looks worse for me when people start accusing me of misdeeds that were carried out in my name.

Many discussions about better credentialing begin from an underlying presumption that there will be a more secure operating system providing protection to the credentials and the subsystem that manages them. But at present, no one can point to that operating system. It certainly isn't Vista, however much improved its security may be.

Designing for Breach

I agree with Robert that credentials are only part of the story.  That's why I said, “assuming we get to the point where our blogging software is safe too.” 

Maybe that sounds simplistic.  What did I mean by “safe”? 

I'll start by saying I don't believe the idea of an unbreachable system is a useful operational concept.  If we were to produce such a system, we wouldn't know it.  The mere fact that a system hasn't been breached, or that we don't know how it could be, doesn't mean that a breach is not possible.  The only systems we can build are those that “might” be breached.

The way to design securely is to assume your system WILL be breached and create a design that mitigates potential damage.  There is nothing new in this – it is just risk management applied to security.

As a consequence, each component of the system must be isolated – to the extent possible –  in an attempt to prevent contagion from compromised pieces.

Security Binarism versus Probabilities

I know Robert will agree with me that one of the things we have to avoid at all costs is “security binarism”. In this view, either something is secure or it isn't secure. If its adherents can find any potential vulnerability in something, they conclude the whole thing is vulnerable, so we might as well give up trying to protect it. Of course this isn't the way reality works – or the way anything real can be secured.

Let's use the analogy of physical security.  I'll conjure up our old friend, the problem of protecting a castle. 

You want a good outer wall – the higher and thicker the better. Then you want a deep moat – full of alligators and poisonous snakes. Why? If someone gets over the wall, you want them to have to cross the moat. If they don't drown in the moat, you want them to be eaten or bitten (those were the days!). And after the moat, you would have another wall, with places to launch boiling oil, shoot arrows, and all the rest. I could go on, but will spare you the obviousness of the exercise.

The point is, someone can breach the moat, but will then hit the next barrier.  It doesn't take a deep grasp of statistics to see that if there is a probability of breach associated with each of these components, the probability of breaking through to the castle keep is the product of all the probabilities.  So if you have five barriers, then even if each has a very high probability of breach (say 10%), the overall probability of breaking through all the barriers is just .001%.  This is what lies behind the extreme power of combining numerous defences – especially if breaking through each defence requires completely unrelated skills and resources.
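Here is the castle arithmetic written out as an added worked equation (mine, not part of the original post). $p_i$ is the probability that barrier $i$ on its own is breached and $n$ the number of barriers; the product form requires the barriers to fail independently, which is what the clause about unrelated skills and resources is assuming:

$$P(\text{reach the keep}) = \prod_{i=1}^{n} p_i \qquad \text{(independent barriers)}$$

$$n = 5,\ p_i = 0.1 \;\Rightarrow\; P = 0.1^5 = 10^{-5} = 0.001\%$$

If the barriers share a failure mode (the disguised priest, or one reused credential that passes every checkpoint), the events are no longer independent and the product no longer applies. With a single event $S$ that defeats all $n$ barriers at once,

$$P(\text{reach the keep}) \ge P(S),$$

so the overall figure is bounded below by that one probability instead of shrinking with $n$. Counting barriers is only worth something when each one has to be beaten separately.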

But despite the best castle design, we all know that the conquering hero can still dress up as a priest and walk in through the drawbridge without being detected (I saw the movie).  In other words, there is a social engineering attack.

So, CardSpace may be nothing more than a really excellent moat.  There may be other ways into the castle.  But having a really great moat is in itself a significant advance in terms of “defence in depth”. 

Beyond that, Information Cards begin to frame many questions better than they have been framed in the past – questions like, “Why am I retaining data that creates potential liability?”

In terms of Robert's fear that strong authentication will lead to hallucinations of non-repudiation, I agree that this is a huge potential problem.   We need to start thinking about it and planning for it now.  CSI can play an important role in educating professionals, government and citizens about these issues. 

I recently expanded on these ideas here.

Personal data on 2.9 million people goes missing

Joris Evers at CNet has done a nice wrap-up on the latest identity catastrophe. (Plumes of smoke were seen coming from the reactor, but so far, there has been no proof of radioactive particles leaking into the environment):

A CD containing personal information on Georgia residents has gone missing, according to the Georgia Department of Community Health. The CD was lost by Affiliated Computer Services, a Dallas company handling claims for the health care programs, the statement said. The disc holds information on 2.9 million Georgia residents, said Lisa Marie Shekell, a Department of Community Health representative.

It is unclear if the data on the disc, which was lost in transit some time after March 22, was protected. However, it doesn't appear the data has been used fraudulently. “At this time, we do not have any indication that the information on the disk has been misused,” Shekell said.

In response to the loss, the Georgia Department of Community Health has asked ACS to notify all affected members in writing and supply them with information on credit watch monitoring as well as tips on how to obtain a free credit report, it said.  [Funny – I get junk mail with this offer every few days – Kim] 

There has been a string of data breaches in recent years, many of which were reported publicly because of new disclosure laws. About 40,000 Chicago Public Schools employees are at risk of identity fraud after two laptops containing their personal information were stolen Friday.

Last week, the University of California at San Francisco said a possible computer security breach may have exposed records of 46,000 campus and medical center faculty, staff and students.

Since early 2005, more than 150 million personal records have been exposed in dozens of incidents, according to information compiled by the Privacy Rights Clearinghouse.

Identity fraud continues to top the complaints reported to the Federal Trade Commission. Such complaints, which include credit card fraud, bank fraud, as well as phone and utilities fraud, accounted for 36 percent of the total 674,354 complaints submitted to the FTC and its external data contributors in 2006.