The Future: Evolution of the Technology - PowerPoint PPT Presentation

Slides: 10
Provided by: Seth89
Transcript and Presenter's Notes

1

Protecting Online Identity
  • The Future: Evolution of the Technology
  • Ravi Sandhu
  • Chief Scientist
  • TriCipher, Inc.
  • Los Gatos, California
  • Executive Director and Chaired Professor
  • Institute for Cyber Security
  • University of Texas at San Antonio

2
Summary
  • We are in the midst of big change
  • Nobody knows where we are headed
  • Conventional wisdom on where we are headed is
    likely wrong

3
Security Schools of Thought
  • OLD THINK
      • We had it figured out. If the industry had only
        listened to us, our computers and networks today
        would be secure.
  • REALITY
      • Today's and tomorrow's cyber systems and their
        security needs are fundamentally different from
        the timesharing era of the early 1970s.

4
Change Drivers

5
Diffie on Information Security 2007
  • Now we face a new challenge to security, a world
    of shared computing and web services. As with
    radio, this technology is too valuable to go
    unused. By contrast with radio, which could be
    protected with cryptography, there may be no
    technology that can protect shared computation to
    the degree we would call secure today. In a
    decade or a generation, there may be no secure
    computing.

Need to be realistic in our security expectations.

6
Butler Lampson Paraphrased (I think)
  • Computer scientists could never have designed the
    web because they would have tried to make it
    work.

But the Web does work. What does it mean for the Web to work?

Security geeks could never have designed the ATM network because they would have tried to make it secure.

But the ATM network is secure. What does it mean for the ATM network to be secure?

7
The SSO Challenge
  • Timesharing, 1970s
      • SSO problem: need to login to every application
      • SSO solution: let the OS do authentication; after
        that it is authorization
      • Score: successful, but 100% centralized
  • Distributed systems, 1980s
      • SSO problem: need to login to every host
      • SSO solution: maintain trust lists at each host
      • Score: disastrous beyond a tiny scale
  • Kerberos, 1980s
      • SSO problem: need to login to every host
      • SSO solution: centralized server
        w/crypto-authentication to hosts
      • Score: successful within a domain, but symmetric
        key crypto does not scale beyond the enterprise
        boundary

8
The SSO Challenge
  • SSL, 1990s
      • SSO problem: need to login to every webserver
      • SSO solution: PKI
      • Score: half successful; webserver certs deployed
        but no browser certs
  • WebSSO, 1990s, early 2000s
      • SSO problem: need to login to every webserver
      • SSO solution: carry authentication information
        in browser cookies
      • Score: successful within a domain, but passwords
        do not scale beyond the enterprise boundary
  • The future as per conventional wisdom, late
    2000s, early 2010s
      • SSO problem: need to login to every webserver,
        many being external SaaS
      • SSO solution: PKI plus federation
      • Prediction: PKI will remain in some form,
        federation will remain in some form, BUT today's
        conventional wisdom is likely dead wrong

9
ezSSO
  • Secure, Convenient, Connected
  • Secure: Yes
      • By virtue of the ladder, even if the bulk of
        users are at the lowest end
      • Back-end passwords are not known to the user
  • Convenient: Yes
      • Needs to be proven in the field
  • Connected: Yes
      • Rapid onboarding of relying parties