Security review of 2005 by Ovum
Tuesday, December 20, 2005 5:30:01 PM (Central Standard Time, UTC-06:00)

http://www.ovum.com/news/euronews.asp?id=3636

Key Points:

  • Identity management has been the fastest growing security sector, and we are pleased to report good progress in getting acceptance of the Liberty Alliance and SAML 2 standards. 
  • Identity management will become even more prominent, but in the enterprise space it will mostly be intra-enterprise, with inter-enterprise initiatives, which are still a couple of years away.
  • Much faster development of identity and identification infrastructure in the government sector, both for law enforcement and for accessing public services.
Followup on A simple managed payment card example from Kim Cameron
Monday, December 12, 2005 11:30:32 AM (Central Standard Time, UTC-06:00)

A very interesting example from Kim Cameron on using InfoCards to send the credit-card number. To make it more interesting, and to validate the InfoCard philosophy of being user-centric rather than PC-centric, as well as its extensibility, I can add one more scenario for payment cards. As I wrote in earlier entries here and here, InfoCard treats a security device such as a Smartcard as a personal security token service (PSTS) that can issue security tokens in the form of SAML assertions. In the picture, the identity provider (the bank) can therefore be replaced by the Smartcard (the bank in fact issued you the Smartcard as its offline representative). Instead of downloading a one-time credit-card identity token from the user's bank, the InfoCard system requests a SAML assertion (security token) from the Smartcard (PSTS); the assertion would contain the credit-card number (one-time or static) and user attributes such as name and billing address. Of course the assertion would be digitally signed (XML Signature) and encrypted (XML Encryption or SSL), and the bank would validate it once the shopping site submits the transaction.

You can appreciate the fact that sensitive data such as the credit-card number and expiration date is not on your PC but on the Smartcard, and that you avoid a round trip to the identity provider. A Smartcard acting as PSTS not only enables transactions on a PC but, thanks to its mobility, can also be used at kiosks, ATMs and so on. Automation (no need to type the details into web forms), a good user experience and security are all achieved in this model.
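The flow above as an added example, not code from the post or from the InfoCard stack: the card acts as a personal STS and issues a signed token carrying a one-time card number plus attributes, and the bank validates it when the merchant submits the transaction. The SAML assertion is modelled as a plain dict and the XML Signature as an HMAC under a per-card key the bank shares with the card it issued; both are stand-ins, and all names, identifiers and values are constructed.

```python
import hashlib
import hmac
import json
import os

class CardPSTS:
    """Bank-issued Smartcard acting as a personal security token service.
    The real card number and the signing key never leave the card."""
    def __init__(self, card_id, pan, holder, billing, key):
        self._pan, self._key = pan, key
        self.card_id, self.holder, self.billing = card_id, holder, billing
        self._seq = 0

    def issue_token(self, merchant: str, amount: str) -> dict:
        self._seq += 1
        # One-time card number derived inside the card (stand-in construction)
        one_time = hmac.new(self._key, f"{self._pan}:{self._seq}".encode(),
                            hashlib.sha256).hexdigest()[:16]
        claims = {"issuer": self.card_id, "seq": self._seq, "merchant": merchant,
                  "amount": amount, "one_time_pan": one_time,
                  "name": self.holder, "billing": self.billing}
        body = json.dumps(claims, sort_keys=True).encode()
        return {"claims": claims,
                "sig": hmac.new(self._key, body, hashlib.sha256).hexdigest()}

class Bank:
    """Identity provider: issues cards and validates the tokens merchants send in."""
    def __init__(self):
        self._keys, self._seen = {}, set()

    def issue_card(self, card_id, pan, holder, billing) -> CardPSTS:
        key = os.urandom(32)
        self._keys[card_id] = key
        return CardPSTS(card_id, pan, holder, billing, key)

    def validate(self, token: dict, merchant: str) -> bool:
        claims = token["claims"]
        key = self._keys.get(claims.get("issuer"))
        if key is None:
            return False                                   # unknown card
        body = json.dumps(claims, sort_keys=True).encode()
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(token["sig"], expected):
            return False                                   # forged or tampered
        if claims["merchant"] != merchant:
            return False                                   # token bound to another site
        if (claims["issuer"], claims["seq"]) in self._seen:
            return False                                   # replayed one-time token
        self._seen.add((claims["issuer"], claims["seq"]))
        return True
```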


Smartcards and Federated Identity
Monday, December 12, 2005 4:39:25 AM (Central Standard Time, UTC-06:00)

James McGovern recently asked "How should we think about SmartCards within our own infrastructure and how it plays with federated identity?". I have been talking about the demos we have done with Smartcards in the identity management space but never really discussed the essence of using Smartcards in this domain. I take this opportunity to explain how Smartcards play a vital role in federated identity.

Identity federation, although new to the Internet (www) and the world of web services, is not a new concept for Smartcards. Smartcards are actually the real enabler of the biggest network of identity federations the world has known to date, i.e. GSM. It is this small computer that enables roaming in the GSM network and lets us use our mobile phones in places where our own operators have no presence. GSM was devised with the core objective of business harmonization ("you can use my network even though you are a subscriber of another network in another country"), which in turn required technical harmonization. The problem is that network 1 does not have an account for you and cannot bill you, but it can get your identity and your operator's (network 2) identity from the phone and ask your operator whether it will pay the charges. Of course the operator wants strong proof that you are you, and not somebody who has stolen your account number. What is needed is strong authentication, for example using shared-key cryptography where exactly two copies of the secret key exist: one residing in the mobile phone and the other at the operator's end. The figure below illustrates how basic GSM authentication is done (it is actually more complicated, but for simplicity I am giving this example):

 

Basically the user's home network sends a random number, together with the result of encrypting it with the shared key, to the visited network and says: if the user's phone gives the same result for that random number, I will pay the bill. As you can see, the requirement is not only strong authentication but also secure storage of the shared key (not accessible even to the user), and what better technology to use than a Smartcard, with its secure, tamper-resistant hardware and secure computing capabilities. The computing capability is equally important: it is of no use storing the key in the Smartcard and then handing it to the phone to perform the cryptographic operation.
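The exchange just described, as an added simulation that is not part of the original post: the home network sends the visited network a random challenge and the expected response, the SIM computes its response inside the card without ever releasing Ki, and the visited network only compares. Real SIMs run the operator's A3 algorithm; here an HMAC stands in for it, and the IMSI and all class names are constructed for the example.

```python
import hashlib
import hmac
import os

def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the SIM's A3 algorithm: SRES = f(Ki, RAND), 32 bits."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]

class Sim:
    """The Smartcard in the phone: holds Ki and only ever returns SRES."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki                      # never handed to the phone or the user

    def respond(self, rand: bytes) -> bytes:
        return a3(self._ki, rand)          # computed inside the card

class HomeNetwork:
    """Network 2, the subscriber's own operator: holds the second copy of Ki."""
    def __init__(self):
        self._ki_by_imsi = {}

    def issue_sim(self, imsi: str) -> Sim:
        ki = os.urandom(16)
        self._ki_by_imsi[imsi] = ki
        return Sim(imsi, ki)

    def auth_triplet(self, imsi: str):
        """RAND plus expected SRES for the visited network; Ki itself stays home."""
        rand = os.urandom(16)
        return rand, a3(self._ki_by_imsi[imsi], rand)

class VisitedNetwork:
    """Network 1: has no account for the roamer, it only compares responses."""
    def __init__(self, home: HomeNetwork):
        self.home = home

    def authenticate(self, sim: Sim) -> bool:
        rand, expected = self.home.auth_triplet(sim.imsi)
        return hmac.compare_digest(sim.respond(rand), expected)

def demo():
    """Genuine SIM is accepted; a clone that copied only the IMSI, not Ki, is not."""
    home = HomeNetwork()
    genuine = home.issue_sim("262010000000001")       # constructed IMSI
    clone = Sim(genuine.imsi, os.urandom(16))          # right account number, wrong Ki
    visited = VisitedNetwork(home)
    return visited.authenticate(genuine), visited.authenticate(clone)
```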

Federated identity for the Internet and intranets is conceptually no different from the case I presented. Only the protocols (SAML, WS-Trust etc.) used by service providers and identity providers on the www differ, for obvious reasons. On today's Internet the identity of the user is of prime interest both to the user and to the service provider, hence the need for strong authentication.

Fortunately the various identity federation standards (SAML, Liberty, InfoCard/WS-Trust, WS-Federation etc.) respect and understand the usefulness of security devices like Smartcards. All these standards propose solutions to the same set of problems in _almost_ the same way and differ mostly in the wire protocols used. SAML and Liberty have the profiles ECP (Enhanced Client or Proxy) and LECP (Liberty-enabled Client or Proxy) respectively, which enable Smartcard-based authentication, whereas InfoCard (a profile of WS-Trust) treats the Smartcard as another security token service that can generate self-issued security tokens.

Beyond strong authentication, secure storage of attributes/credentials and computing capability, the mobile nature of Smartcards is an added advantage for the user.