Trusted Computing and Identity Management Pave the Way for Web Services
By Lark Allen

The Internet has produced a sea change for almost every individual, enterprise and government by opening access to information. The Internet Protocol has provided universal connectivity, and web technologies have enabled users to easily search, navigate and access enormous volumes of data around the world. So far, however, the most dramatic effects of this Internet revolution have rested on access to information that is either free or stolen. Anonymous access to open websites has driven the growth of applications such as news, shopping, email, product support, user groups and file sharing, as well as other core information access on the Internet.

The most important and valuable information still resides within protected locations such as corporate systems, service providers, government sites and proprietary applications. Access to these sites requires a known identity and valid authentication. The challenges of unlocking the value contained within these protected areas and creating new web services are being addressed by new solutions for identity management and trusted computing, along with important new standards for web services. In fact, providing solutions for unlocking these assets has become the primary corporate focus for companies such as IBM, with its Utility Computing theme, and Hewlett-Packard, with its Adaptive Enterprise initiative.

Identity management is concerned with efficiently provisioning and using identities to authorize access to multiple sites. Trusted computing addresses the authentication of identities and the trustworthiness of the platform, so that services and applications are protected. For new web services to succeed they must not only be easily accessible; the identities of the participants must be provable, and the service itself must be protected. As the value of a service increases, the corresponding level of security and authentication must become stronger.

Trusted Relationships and Valuable Web Services
Trusted relationships between entities will be required to unlock the next generation of premium web services on the Internet. They will be created using identity management and trusted computing as the building blocks of the infrastructure needed to access these services. The Internet has proven to be a hazardous environment for information that has value, requires proven integrity, is sensitive, must be protected, or needs access controls. Proven identities combined with strong authentication are the building blocks for enabling the following categories of web services.

1. Electronic transactions: The identities of all parties must be authenticated, and the transaction must stand up to non-repudiation claims.
2. eSIGN documents: Legally binding signatures, based on known identities with strong authentication, are required for web-enabled digital signature solutions.
3. Trusted workgroups and VPNs: Access control to protected resources and participation in core business processes, from both inside and outside the organization, require identities with permissions and solid authentication.
4. Secure email without spam: The initiatives for caller ID for email to combat spam and make communications valuable again will need identity-based solutions with stronger authentication than user names and passwords.

Dr. Robert Thibadeau of Seagate Research, and board member of the Trusted Computing Group, has described the problem faced by Internet commerce solutions. “Security is required for complex trust relationships. Internet transactions, by their nature, are done at a distance, not face to face; therefore, the security requirements to protect the interests of every party in a digital transaction are even more important than in the physical world.”

The Identity and Password Puzzle
Today’s Internet makes it extremely easy to surf from site to site as long as the information involved is unprotected. Yet virtually every resource that provides important web services requires its own specific user identification and password: identity and security have been tightly bound to the individual application.

“Incredibly secure and trustworthy computer systems exist today, but they are largely independent, single-purpose systems that are meticulously engineered and then isolated,” explained Craig Mundie, the SVP and CTO at Microsoft.

The result is that today’s users have accumulated tens or even hundreds of separate sites where they must hold an account (that is, an identity) and maintain a separate password. As the business model of the Internet has evolved, even many sites that provide their content free still require the user to have an account and log in.

These vertical “silos” of controlled applications and services have created significant barriers to usability and to the integration across multiple systems that new types of web services require. The problem of boundaries shows up in many forms, including the following:

1. Multiple internal divisions within an enterprise
2. Supply chain partners
3. Unified customer access to multiple applications
4. Integrating acquisitions
5. Industry associations
6. Cross industry applications and services
7. International organizations
8. Collaboration partners, such as universities and researchers

Standardization of Identity
Single sign-on has been an industry challenge for many years. It started out as primarily an enterprise problem for accessing multiple systems within a corporate network. However, the Internet’s universal connectivity has expanded the problem of single sign-on in many dimensions and made the challenge even more complex.

There are three primary initiatives under way to provide new industry standards and specifications for identity management and federating identities. The first is the Liberty Alliance, a broad-based organization of major service and product companies along with technology vendors, which formed in October 2001. Liberty Alliance has focused on federated identity specifications for simplified sign-on, which can now be extended to new identity-based services.

The second is SAML (Security Assertion Markup Language), an open specification created by the OASIS standards organization for expressing authentication and attribute assertions. Finally, IBM, Microsoft and others are creating a family of web services specifications (WS-Security, WS-Trust and WS-Federation among them) that covers identity, security and federation.

Early implementations based on these new specifications are under way. Comments from the initial implementers indicate that the technology issues are a minor element of the overall projects; risk management, privacy, security and legal concerns are turning out to be the major challenges. At the same time, the early results are encouraging: the anticipated benefits and return on investment are being realized, and on the strength of these early successes identity management has become one of the most active areas of business investment.

Are You Who You Say You Are?
The finance industry has decades of experience designing solutions for credit cards, ATMs and banking that require customers to both provide and prove their identity. From the beginning it learned that hardware security is a requirement for protecting “secrets” such as keys, passwords and PINs. Authenticating an individual’s identity almost always involved two of the three factors of authentication: 1) something you have, such as a credit card or smart card; 2) something you know, such as a password or PIN; and 3) something you are, such as the photograph on a driver’s license or a biometric.

As the Internet has evolved, the challenge of proving identity has become much more difficult. The security of applications such as corporate virtual private networks with remote access, and consumer transactions over the Internet, depends on having a secure and provable identity.

Today, most authentications over the Internet are based on a single factor, a password, that is much more easily compromised. Consequently the fraud rate for Internet transactions has skyrocketed and now represents more than 50 percent of all credit card fraud, even though these transactions are only 10 to 20 percent of the total. Many malware attacks on personal computers install a keystroke logger that specifically watches for and copies account numbers and PINs as they are typed; this information is then sent across the Internet to a site chosen by the attacker.

For some kinds of services it may not be necessary to know who the individual is, and it may even be legally required to protect the identity of the individual while authenticating the right to access information or a resource. The ability to provide anonymous, yet trusted, attestation is an important capability for some types of services.

In some cases the necessary authentication is of a credential proving membership in a group, employment by an enterprise, or a paid subscription to a service. For example, a researcher at a university may have rights to a paid subscription to professional documents because the university has paid for membership in a consortium; access to the service would be granted not to the individual but on presentation of an authenticated credential. In a number of healthcare applications it may be necessary to give patients access to information or resources without exposing their personal identity, while still assuring that they are authorized to have the specified access. The balance between privacy and access control has created the need for new ways to manage identity and authentication, particularly in networked applications.

Hardware Based Authentication
It is very difficult, if not impossible, to protect information in a software-only environment; frequent computer attacks and viruses are evidence of this. Security experts have long known that hardware is the best way to protect secrets and the best basis for raising the overall level of security in a system.

The Trusted Computing Group (TCG) was formed in April 2003 with the mission of creating open standards for security hardware in a wide range of platforms, from personal computers to cell phones. The primary component defined by TCG (www.trustedcomputinggroup.org) is the Trusted Platform Module (TPM), which provides a low-cost hardware solution for adding security functions, including protected storage, to devices. While the TPM can be used as a basic security building block for a wide range of functions, such as protecting privacy, assuring platform integrity and securing data, one of its primary applications is to provide strong authentication, not only of the user but also of the platform itself.

The user’s identity and credentials can be protected by the TPM hardware and its protected storage rather than being held in software. In addition, the TPM can create Attestation Identity Keys (AIKs) that serve as the “something you have” element of authentication. Because an AIK is a non-migratable key whose private half is generated in, and never leaves, the TPM, and because an AIK credential is issued only after a certification authority has checked the TPM’s endorsement credential, the key cannot be copied to or used from a device that lacks a genuine TPM. Combined with the user’s password or PIN, or with biometrics or a smart card, this provides multi-factor authentication that strengthens the overall security of user authentication.

Authentication + Identity = Value Level
Authentication proves that you are who you claim to be. Identity, together with the permissions attached to it, defines what actions you are authorized to perform and what you may access. The identity management solutions being defined today are generally independent of, and agnostic to, the method of authentication: the identity solution assumes that some method of authentication will be used to gain access to the identity permissions and directories, but it does not define the level of security of the authentication performed as the user enters the network.

The new specifications for sharing identity provide a mechanism for communicating the original method of authentication to any web site: the authentication context element that the Liberty Alliance specifications and SAML define for this purpose. This enables the service provider to determine whether the level of security of the authentication performed at the identity provider is satisfactory for its needs, or whether additional credentials or authentication must be presented.

As an example, a user could log on to an Internet service provider account with his normal ID and password, then click through to his bank’s site to access an account. The ISP and the bank could share the identity information so the user does not have to log on to the bank separately. However, if the bank’s security policy requires a stronger level of authentication than the ISP performed, the user would be asked to present the additional token (a smart card) or PIN/password before accessing bank accounts. As the overall value of the service increases, the level of security and the strength of authentication will correspondingly increase.
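The two decisions described above, as an added example in Python that is not code from the article or from any Liberty Alliance or OASIS implementation: a service provider reads a SAML-style assertion, grants access to a consortium subscription on the strength of an entitlement attribute alone (the subject is identified only by an opaque persistent handle, as in the university example earlier), and asks for step-up authentication when the authentication context the identity provider reports is weaker than the resource’s policy demands. The authentication context class URIs and the eduPersonEntitlement attribute name are real identifiers; the assertion text, the resource paths, the entitlement values and the numeric strength ranking are constructed for the example, and XML signature verification, which a real service provider must perform before trusting any of these fields, is deliberately out of scope.

```python
"""Service-provider policy over a federated login assertion.

Added example: the assertion is built locally (not captured from a real
identity provider), the resource paths, entitlement values and strength
ranking are assumptions, and the XML signature a real SP must verify
before trusting any field is not checked here.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"          # real SAML 2.0 prefix
ENTITLEMENT_ATTR = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"    # eduPersonEntitlement
NS = {"saml": SAML_NS}

# Relative strength of authentication context classes, ordered roughly as the
# article's Figure 1 orders them: software-only factors low, hardware-backed
# factors high.  The URIs are real; the numbers are this SP's own policy.
STRENGTH = {
    AC + "PreviousSession": 0,
    AC + "Password": 1,
    AC + "PasswordProtectedTransport": 2,
    AC + "SoftwarePKI": 3,
    AC + "TimeSyncToken": 4,
    AC + "Smartcard": 4,
    AC + "SmartcardPKI": 5,
}

# Per-resource policy (hypothetical resources): the entitlement the subject
# must carry and the minimum authentication strength the SP will accept.
POLICY = {
    "/journal/archive": {"entitlement": "urn:example:consortium:journal-access",
                         "min_strength": STRENGTH[AC + "Password"]},
    "/accounts/transfer": {"entitlement": "urn:example:bank:customer",
                           "min_strength": STRENGTH[AC + "SmartcardPKI"]},
}


def build_assertion(authn_class, entitlements):
    """Construct a minimal, unsigned SAML 2.0 assertion for the example.

    The NameID is a persistent, opaque handle: the SP learns that the same
    subject is back, not who that subject is."""
    values = "".join(
        f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in entitlements)
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0" '
        f'IssueInstant="2004-06-01T12:00:00Z">'
        "<saml:Issuer>https://idp.example.edu/</saml:Issuer>"
        "<saml:Subject><saml:NameID "
        'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">'
        "b6f8e2a0-opaque-handle</saml:NameID></saml:Subject>"
        '<saml:AuthnStatement AuthnInstant="2004-06-01T11:59:00Z">'
        f"<saml:AuthnContext><saml:AuthnContextClassRef>{authn_class}"
        "</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>"
        f'<saml:AttributeStatement><saml:Attribute Name="{ENTITLEMENT_ATTR}">'
        f"{values}</saml:Attribute></saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def parse_assertion(xml_text):
    """Pull out the three things the SP's decision depends on."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    ctx = root.find(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "name_id": name_id.text if name_id is not None else None,
        "authn_class": ctx.text if ctx is not None else None,
        "attributes": attrs,
    }


def decide(assertion, resource):
    """Return 'allow', 'step-up' or 'deny' for the requested resource."""
    policy = POLICY[resource]
    # Authorization first: a credential proving membership, not a name.
    if policy["entitlement"] not in assertion["attributes"].get(ENTITLEMENT_ATTR, []):
        return "deny"
    # Then check how the IdP authenticated the subject; an unknown or
    # missing class is treated as the weakest, never as "good enough".
    if STRENGTH.get(assertion["authn_class"], -1) < policy["min_strength"]:
        return "step-up"
    return "allow"


if __name__ == "__main__":
    isp_login = parse_assertion(build_assertion(
        AC + "PasswordProtectedTransport",
        ["urn:example:consortium:journal-access", "urn:example:bank:customer"]))
    print("journal:", decide(isp_login, "/journal/archive"))     # allow
    print("transfer:", decide(isp_login, "/accounts/transfer"))   # step-up
```

Two design choices matter here. The entitlement check runs before the strength check, so a subject who is not authorized is simply refused rather than being walked through a step-up challenge for a resource they could never reach. And an authentication context the SP does not recognize is ranked below everything it does know, so a new or misspelled class from the identity provider can only ever make the SP ask for more, not less.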

A range of authentication classes has been defined to represent the types of authentication likely to be used to access identity information and services; several of them correspond to classes in the Liberty Alliance authentication context specification. Some classes are not defined by their security strength (some are specific to devices such as cell phones), but it is possible to view the options in general terms according to the level of security they provide. Figure 1 depicts these relationships among the authentication classes.

Figure 1. Authentication Classes (graphic not reproduced). The figure arranges the authentication approaches along an axis from software-only to security hardware: Password; Password with SSL; Previous Session (cookies); Smart Card; Smart Card + Password; Time-Sync Token + Password; Software PKI; Biometrics + Password; and, at the hardware end, TPM + Password / Smart Card / Biometrics.

The TPM can itself be used as an authentication token, as shown at the hardware end of Figure 1, where it provides the credentials for authentication either with or without a user password. The TPM can provide additional functions, such as protected storage for other credentials like passwords and digital certificates, as well as the ability to measure and attest to the overall trustworthiness of the platform.

These more advanced capabilities within a platform offer a powerful way to increase the overall security of the authentication process, even with existing authentication approaches. In addition, a web service provider that needs non-repudiation of a user’s identity, or wants to know whether the platform to which it is providing the service can be trusted to protect that service, could inquire about the platform’s configuration and state of trustworthiness. Platform trustworthiness could be particularly useful for applications that involve extremely sensitive data, access to highly protected resources, or high-value transactions.

Strong Authentication Solution
While the TPM can perform the security function of an authentication token in a highly secure manner, the real power of a TPM is realized by strengthening the overall platform security and adding a hardware-based security token to every type of authentication, whether of the user or of the platform. This role of the TPM is shown in Figure 2.

Figure 2: Authentication Approaches to Hardware Security (graphic not reproduced). The same authentication approaches as in Figure 1 (Password; Password with SSL; Previous Session (cookies); Smart Card; Smart Card + Password; Time-Sync Token + Password; Software PKI; Biometrics + Password; TPM + Password / Smart Card / Biometrics) are shown resting on a common hardware security layer, the Trusted Platform Module, beneath all of them.

Summary
As the next generation of web services is developed around unlocking access to valuable data, processes and services, it is clear that the new identity management solutions will be essential in breaking down the boundaries and barriers to these resources. Strong authentication will be needed to create the trusted relationships and protect the interests of every party in these new web services. Anonymity and privacy to protect the rights of individuals are essential elements of the overall solutions being developed.

Providing these capabilities while still controlling access to sensitive information and protecting resources is also a key element of these technologies. The Trusted Computing Group’s overall design objectives for the trusted hardware specifications it is developing provide the security building blocks for achieving all these objectives simultaneously.

About the Author
Lark Allen is Executive Vice President of Wave Systems Corp.

© IMPIRE Communications, LLC. All Rights Reserved.