RealMe vs CardSpace, OpenID & X.

509

Overview

The Identity and Access Management world is buzzing with new ideas including a
promising technology called OpenID. The hope of OpenID is that a user can have
one place they log into on the internet for their entire web browsing needs thus
simplifying the current sea of username/passwords that users and websites keep
track of.

This white paper explores the practical side of OpenID and related technologies
from a Software as a Service vendor’s point of view. CardSpace from Microsoft and
SAML relationships in general are discussed with advantages and challenges of each
technology offered.
Finally, the RealMe authentication system from GlobalCrypto is presented.

OpenID

Open ID is a shared identity service, which allows Internet users to log on to

many different web sites using a single digital identity, single sign-on,
eliminating the need for a different user name and password for each site. OpenID
is a decentralized, free and open standard that lets users control the amount of
personal information they provide.

An OpenID is in the form of a URL. This URL can be the domain name of your own
website, or the URL of an OpenID identity provider. When you log in with an
OpenID, you have to log in to the identity provider for validation.

Using OpenID-enabled sites, web users do not need to remember traditional items of
identity such as username and password. Instead, they only need to be registered
with any OpenID "identity provider" (IdP). Since OpenID is decentralized, any
website can use OpenID as a way for users to sign in; OpenID does not require a
centralized authority to confirm a user's digital identity.

Windows CardSpace

CardSpace (codenamed InfoCard), is Microsoft's client software for the Identity

Metasystem. CardSpace is an instance of a class of identity client software called
an Identity Selector. CardSpace stores references to users' digital identities for
them, presenting them to users as visual Information Cards. CardSpace provides a
consistent UI that enables people to easily use these identities in applications
and web sites where they are accepted.

Observations on CardSpace & OpenID

At first glance OpenID solves a very prominent problem on the internet: Users have
too many passwords to remember. The promise of OpenID is to allow a single
credential to be used as your authentication for many (all?) of your internet
interactions. Card Space seeks to extend simple authentication by attaching
attributes to your identity such as physical location and age and makes the OpenID
solution a little more flexible yet fuzzy at the same time.

Note that when you use CardSpace you are still required to authenticate to the
Identity Provider!

A Practical Engineer’s impression of the OpenID system is that there are a lot of
moving parts. A Service Provider has to redirect initial requests for service to
a second party which performs authentication of the end user. This second party
may be an Identity Provider or in the case of CardSpace, another layer of
indirection to a third party which must be chosen by the user at runtime based on
a selection of possible third party ID providers of information. These types of
user-centric identity systems do not offer server-side revocability of credentials
and in the case of Card Space are not uniformly cross platform, do not feature
exportability/mobility of credentials, use the same cryptographic keys for all
services, cannot provide bi-directional trust even while requiring HTTPS, and
largely force implementation on .NET platforms.

The real drawback to OpenID and CardSpace is a practical one which a Businessman
will immediately recognize as an issue of contractual trust. As long as any party
on the internet can issue OpenID credentials businesses which need to
fundamentally know their customers those businesses will not be able to accept
strictly open credentials. Many large internet service providers are already
limiting the set of Identity Providers that they will accept as legitimate ID—even
in the absence of physical attribute data such as physical location, age or
gender. This makes business sense for providers of valuable web services since
most businesses have few trusted partners that they are willing to delegate
customer tracking to. Customer information is too valuable and the risk of legal
action in the event of breech of account access is often likely.

Imagine if a city allowed college students to create their own IDs to be able to
present at any time for any identification purpose. Bars subject to strict laws
forbidding them to serve alcohol to anyone younger than the legal drinking age
would quickly reject the new IDs since self issued credentials are worthless for
the purpose of proving age. Bars would quickly seek to implement another method
for proving identity. In this contrived scenario, the open IDs would be good for
applications where the actual identity of a presenting individual wasn’t
ultimately important. Think of business mixers where everyone wears “Hello, my
name is…” tags where everyone writes in their name and company. You can lie
about your name or company, but what’s the point?

The online equivalent of these “Hello tag” events are simple social networks,
blogs and other semi-anonymous forums. OpenID will be a boon to these types of
applications where there isn’t much commerce and the actual identity of
individuals isn’t all that important.

For business applications on the internet that require an intimate interaction

with each user, open ID makes less sense. However there is a middle ground where
two companies can have a trusted relationship using concepts from Open ID. Many
SaaS vendors already segregate accounts by corporation which makes a lot of sense.
An example of this type of segregation is SalesForce.com. Each company that uses
SalesForce has a number of users that have access to that particular company’s
data. As employees come and go an administrative rep from the company adds and
deletes credentials for each employee to access SalesForce.

When several other SaaS vendors are engaged by the above mentioned company the
same administrator needs to add credentialed access to each employee for the new
service. By spinning up an OpenID style ID provider service for his company and
establishing a trusted relationship between each SaaS vendor and his new Id
Provider, the corporate administrator can add one credential per employee and
effectively have a Web Single Sign On in place through the use of techniques in
OpenID.

X.509 Certificates

The internet relies on X.509 certificates to enable HTTPS sessions between a user
and a website. HTTPS sessions are important because they encrypt a browsing
session thereby thwarting packet sniffers. Certificates contain physical
information about the presenter of the certificate such as company and address as
well as the presenter’s public key. The information bundle is then presumably
checked for accuracy and digitally signed by a Certificate Authority such as
VeriSign or Thawte. Ideally, a user would also obtain an individual certificate
and present it to the website during the HTTPS negotiation which would prove each
side’s identity to the other side. This type of negotiation is known as bi-
directional certificate exchange and is widely acknowledged to be one of the
strongest forms of authentication available on the internet. The question
remains, however, of why this type of authentication is not prevalent today?

Certificates are theoretically strong, but they have several practical drawbacks.
First of all, certificates are very expensive with individual certificates running
in the hundreds of dollars annually. Secondly, certificates are very complicated.
If you have ever applied for a certificate you are undoubtedly familiar with the
terms “Certificate Signing Request”, “pem file”, “PKCS” and other cryptic terms
that usually mean that the next few hours of your day are ruined. Applying for a
certificate is no fun for seasoned pros and is impossible for the average human.
Additionally, once you obtain your certificate and its corresponding private key
file there is the matter of where to put it so that your web server or browser can
absorb and utilize the information. Installing a certificate is not for the
faint of heart and universally involves reading dry instruction pages and
manipulating dusty corners of your software configuration that rarely see the
light of day.

Moreover, with bi-directional certificate exchange there is the matter of how you
might revoke a certificate once it is issued. Currently there is a questionable
mechanism called Certificate Revocation Lists where a browser or other piece of
software is required to traverse a chain of certificates that vouch for each child
certificate until the root certificate is reached. In each traversal there is a
potential that a particular certificate has been revoked and should not be used.
Modern web browsers frequently ignore this feature and even if the browsers did
honor the CRLs it takes some time for the CRLs to get distributed across the
internet.
Bottom Line: certificates have great math, lousy operability and cost a fortune.
State of the industry

When the state of the industry is taken in totality there are several promising
pieces to the authentication puzzle that show the way to a better authentication
methodology. The math behind bi-directional certificate exchange is very solid.
The user experience of card space is instructive—people understand images as
symbols of identity. OpenID and its SAML protocol is a good framework for
exchanging authentication information.
This brings us to the RealMe authentication system.

RealMe Overview

The RealMe authentication system from GlobalCrypto leverages the proven math that
exists in bi-directional certificate exchange and removes the operational problems
that prevent certificates from becoming the preferred method of authentication on
the internet. Moreover, RealMe can leverage the technology behind OpenID when it
is deployed in a Web Single Sign On configuration to provide Identity claims from
a corporation to a trusted web service.

RealMe works by inserting cryptographic information into a digital image,

splitting that image between a user and an authenticating party and later
exchanging these image halves to accomplish a strong, bi-directional
authentication.
A RealMe credential –image is a shared token which is digitally signed by the user
and the authentication engine. The digital signatures are then steganographically
inserted into the image and the image is split in half. The left side goes to the
user and the right side goes to the authentication engine. To make the end
user’s image whole, a prosthetic right side of the image is tacked on so that the
user is given an image that is visually identical to the original image. An RSA
key pair is also generated for the user which is encoded into the prosthetic right
side of the user’s credential image for later use.

Note that all of the above mentioned items inserted into the credential image are
password encrypted using AES. The password is never transmitted over the internet
and is only used to unlock a credential image at login time.
When a user presents her image and password for authentication to a website via a
web widget or browser toolbar the image is decrypted and sent to the
authenticating web site via an SSL protected xmlHttpRequest. The website
provides the right hand side of the credential image and each party to the
authentication can verify its digital signature in the reassembled security token.
Mathematically, the user is protected and as a final verification, the user
visually sees the two halves of her image coming together on the UI.

Note that RealMe can be employed at a corporation as a web single sign on for
numerous SaaS applications because it is implemented as a Web Service. RealMe is
available with a SAML front end that allows SaaS vendors to delegate
authentication to a corporate ID provider service. This allows an employee to
use one strong credential to login to all of the corporate SaaS providers.
Further, the company retains control of the credentialing process in one location.

Bottom Line: RealMe is cryptographically strong, very flexible and is user

friendly.