
March 19, 2008

The MIFARE Classic Card is Hacked

Blogger: Mark Diodati

Some of you may have read that the proprietary symmetric key cryptographic algorithm of the MIFARE Classic card has been broken. The MIFARE Classic card is used in physical access control systems (PACS) and contactless payment systems (including tollway and public transportation systems). By some estimates, there are 500 million MIFARE cards deployed worldwide, and the majority of them are MIFARE Classic cards. Karsten Nohl and his team completed the hack, and the team was able to clone a MIFARE Classic card in less than two minutes (the “skimming,” or reading, of the card takes less than a few seconds). Perhaps not coincidentally, NXP (the owner of the MIFARE intellectual property) announced on March 10 that it has a new-and-improved MIFARE card that leverages AES 128-bit encryption. The first samples will be available in Q4 of 2008. The replacement of hundreds of millions of cards will be completed at a much later date.

You may be aware of the MIFARE vs. HID Prox card religious war in the PACS space.  From my experience talking with customers, there are more HID Prox cards used in PACS in the United States as compared to the MIFARE card.  The MIFARE proponents consistently tout the security value of MIFARE technology over HID Prox technology, and have pointed to the fact that HID Prox cards could be readily cloned.  You can see a video of the HID Prox card clone, from the 2007 RSA Conference here.  The conventional wisdom was that the MIFARE card was unclonable.  The conventional wisdom was wrong.

The impact of the MIFARE hack on payment systems that rely on the card (and on their consumers) is increased fraud. Cloning the card does not require possession, only proximity. I am unaware of any preventative measures that would preclude a fraudster from walking around a parking garage and cloning the tollway cards mounted in everyone’s windshield. Some people might consider this an act of civil disobedience, particularly if they drive on the Illinois Tollway with any frequency (as Triumph the Insult Comic Dog would say, “I keed!”). Also, skimming and cloning the user’s public transportation card while they ride the train is a likely outcome. If you are aware of any preventative measures, please let me know.

What is the impact to PACS security?  The reality is that many PACS deployments did not leverage the MIFARE encryption features.  The management of symmetric keys across the relatively complex PACS environment (specifically, cards, readers, controllers, and hosts) remains a daunting process.  For these deployments without encryption, it’s business as usual.  Those organizations that deployed the MIFARE technology with encryption should realize that they are not as secure as they thought.  Either way, as we have said before, no authentication method is bulletproof.  Organizations should be using other controls – like auditing and security event correlation – to enhance the security of their PACS. 
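The compensating controls named above (auditing and security event correlation) can be made concrete. The following is an added example, not code from the original post or from any PACS vendor: it runs two correlation checks over a small constructed PACS audit log. A cloned card is indistinguishable from the original at the reader, but two copies of one credential tend to produce patterns a single cardholder cannot, such as entering a zone twice without leaving (anti-passback) or appearing at two readers faster than a person can walk between them. The reader names, zones, and minimum travel times are assumed values for the example.

```python
"""Correlation checks over physical access control (PACS) audit events.

Added illustration, not part of the original post. Two checks run over a
constructed sample log:
  * anti-passback: a card enters a zone again with no exit in between
  * impossible travel: consecutive presentations of one card at two readers
    closer in time than the assumed walking time between them
"""
from datetime import datetime

# Constructed sample log (not real data): (timestamp, card, reader, zone, direction).
SAMPLE_EVENTS = [
    ("2008-03-19T08:00:00", "card-1001", "lobby-in",     "building",  "in"),
    ("2008-03-19T08:00:20", "card-1001", "lobby-in",     "building",  "in"),   # second entry, never left
    ("2008-03-19T08:05:00", "card-2002", "lobby-in",     "building",  "in"),
    ("2008-03-19T08:05:30", "card-2002", "warehouse-in", "warehouse", "in"),   # 30 s for a 10-minute walk
    ("2008-03-19T08:30:00", "card-3003", "lobby-in",     "building",  "in"),
    ("2008-03-19T09:00:00", "card-3003", "lobby-out",    "building",  "out"),
    ("2008-03-19T09:01:00", "card-3003", "lobby-in",     "building",  "in"),
]

# Assumed minimum travel time between reader pairs (unordered), in seconds.
MIN_TRAVEL_SECONDS = {
    frozenset({"lobby-in", "warehouse-in"}): 600,
}

def parse_events(rows):
    """Turn raw rows into dicts with parsed timestamps, sorted by time."""
    events = [
        {"ts": datetime.fromisoformat(ts), "card": card, "reader": reader,
         "zone": zone, "dir": direction}
        for ts, card, reader, zone, direction in rows
    ]
    return sorted(events, key=lambda e: e["ts"])

def find_antipassback_violations(events):
    """Return (card, timestamp) for each 'in' that follows an 'in' to the
    same zone with no 'out' recorded in between."""
    inside = {}            # (card, zone) -> True while believed inside
    violations = []
    for e in events:
        key = (e["card"], e["zone"])
        if e["dir"] == "in":
            if inside.get(key):
                violations.append((e["card"], e["ts"].isoformat()))
            inside[key] = True
        elif e["dir"] == "out":
            inside[key] = False
    return violations

def find_impossible_travel(events, min_travel=MIN_TRAVEL_SECONDS):
    """Return (card, previous_reader, reader, seconds) whenever one card is
    presented at two readers faster than the assumed minimum travel time."""
    last_seen = {}         # card -> (timestamp, reader)
    findings = []
    for e in events:
        prev = last_seen.get(e["card"])
        if prev:
            prev_ts, prev_reader = prev
            pair = frozenset({prev_reader, e["reader"]})
            gap = (e["ts"] - prev_ts).total_seconds()
            if pair in min_travel and gap < min_travel[pair]:
                findings.append((e["card"], prev_reader, e["reader"], gap))
        last_seen[e["card"]] = (e["ts"], e["reader"])
    return findings

def correlate(rows=SAMPLE_EVENTS):
    """Run both checks and return the findings keyed by check name."""
    events = parse_events(rows)
    return {
        "antipassback": find_antipassback_violations(events),
        "impossible_travel": find_impossible_travel(events),
    }

if __name__ == "__main__":
    for check, hits in correlate().items():
        print(check, hits)
```

Both checks are triage signals rather than proof of cloning: a legitimate cardholder who tailgates out of a zone also trips anti-passback, so the findings belong in the security event correlation queue alongside the rest of the PACS audit trail, not in an automatic lockout.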

Finally, when will people learn their lesson?  Cryptographic algorithms should be public so that they can be scrutinized and tested.  Secret algorithms aren’t more valuable because they are secret.  Bruce Schneier has been saying this for years.

If you are interested in more details on PACS architecture and components, I recommend my recent Burton Group research document “Let’s Get Logical: The Convergence of Physical Access Control and Identity Systems” (subscription required).

March 13, 2008

Why Enterprise Single Sign-On (E-SSO) is More Than Just a Tactical Add-on

Blogger: Phil Schacter

Today’s announcement of IBM’s acquisition of Encentuate, primarily positioned as a supplier of enterprise SSO technology, is a significant milestone in the maturing of the market for E-SSO. Two years ago E-SSO was viewed as a standalone product that was somewhat complementary to the deployment of stronger authentication and a convenient way to support legacy applications with internal logic that prompted for login credentials, typically a user id and a simple password.

Most identity and access management vendors were content to license or resell technology obtained from smaller specialist firms. IBM, Oracle and Sun partnered with Passlogix, while Novell works with ActivIdentity and Quest with Evidian. CA has its own E-SSO offering stemming from an earlier acquisition of Platinum/Memco.

However, the identity and access management vendors discovered that E-SSO was both a market accelerator and offered some important features of interest to customers with regulatory compliance requirements. E-SSO has a shorter sales cycle (typically six months or less) and is able to deploy more rapidly (one to three months depending on the complexity of the environment). Cost for E-SSO varies but many deals are less than $100K, which is easier on the IT budget than most user provisioning software and service projects. Customers could start with E-SSO and then over time add user provisioning, web SSO, federated SSO, and other components of the identity management suites. E-SSO technology also can provide an audit trail of user sessions and any interactions with applications accessed through the E-SSO system.

So who wins in the IBM deal to acquire Encentuate? First, it’s a big win for Encentuate’s 80 plus customers, who can look forward to continued support and a more aggressive product roadmap funded by a premier vendor. Although no financial numbers were shared, the deal provides an exit strategy for the investors that poured about $24M into Encentuate over the years. The 160 plus customers of IBM’s TAM ESSO v6 will have support from IBM for three years from v6’s general availability date of February 2007. They will also have to choose between continuing to use ESSO v6, transitioning to become a direct Passlogix customer, or migrating to IBM’s new v7 offering, based on the technology acquired from Encentuate. TAM ESSO v7 is expected to be available in Q3 2008 and will include planned enhancements to Encentuate’s product plus address IBM’s integration requirements.

IBM also plans to build on the engineering talent obtained as a part of this acquisition to build out a Security Software Lab in Singapore for more than just the E-SSO and former Encentuate product lines. This area offers high quality engineering talent and a more efficient operational infrastructure and cost than labs based in some other regions. Another key reason for IBM’s shift to a new technology provider is that Encentuate builds on a J2EE foundation, as do most other Tivoli product offerings.

Another interesting question is what is the impact of the IBM deal on their former partner, Passlogix? Clearly IBM will try hard to convince existing customers that they should migrate to TAM ESSO v7, but any migration is hard and it’s not clear who will fund the professional service cost of doing so. Passlogix expects to derive significant ongoing maintenance revenue from a portion of IBM’s 160 customers, and that this revenue stream will more than offset any lost OEM royalties. There is also the question of what happens to the healthy pipeline for ESSO v6 and whether Passlogix can convert any of these prospects into direct customers. Overall Passlogix is prospering in a strong market for E-SSO and related offerings, and indicates that no one source contributes more than a sixth of overall business revenue.

One final observation about the impact of this deal is that it’s likely to start one final wave of consolidation, with Oracle and Sun considering the business risk of the other acquiring Passlogix first. Another acquisition that should probably happen is for Novell to buy ActivIdentity. Novell already provides the channel for 80% of ActivIdentity’s business, so why not bring this important function in-house?

March 11, 2008

Sxip-Ping to a new beat

Bloggers: Gerry Gebel and Bob Blakley

Today, Ping Identity announced it is acquiring Sxip Access, the portion of Sxip Identity that provided identity management for software-as-a-service applications. Sxip Identity will still exist and focus its energies on Sxipper and other Identity 2.0/Web 2.0 technologies.

This appears to be a good strategy for both parties. Sxip is free to focus solely on the realm of user-centric identity technology and approaches. Ping is able to immediately add support for SaaS applications to its federation portfolio, bolstering its ability to address the growing needs of organizations with distributed applications and a dispersed workforce.

Of course, adoption of SaaS applications is on a strong growth trend across the industry, so there are many vendors seeking to enter this market and provide potential solutions. For example, TriCipher just announced their myOneLogin hosted authentication service that supports SAML and a number of other authentication mechanisms, Conformity is developing security, audit, and identity solutions for SaaS applications, and Symplified is working on identity on demand offerings for SaaS (the Symplified and Conformity offerings are at the beta testing stage). It turns out, of course, that federation protocols don’t address some single sign-on scenarios if your workforce doesn’t adhere to the preferred confines of the SAML protocol. While technically feasible, it can be difficult, in reality, to accommodate workforce members authenticating from on premises, from partner locations, or while traveling.

It also appears that SaaS vendors have gotten more serious about authentication security as a result of recently published attacks against SalesForce.com. In summary, the acquisition, recent product offerings, and multiple startups suggest a segmentation for SaaS applications. First, there is a server-side SaaS federation market and second, a client-side consumer authentication-as-a-service market. Both segments are good developments and necessary for the industry. Indeed, both segments are likely to grow over time.

March 10, 2008

Short and to the point, if not so sweet

Blogger: Kevin Kampman

In the Friday, February 29, 2008 USA Today article “Prognosis is bright for Google’s health records plan” identifying Google’s intent to build an online medical records database, some controversy about the privacy and potential misuse of patient records was cited. In particular, the potential for misuse of these records for background or hiring purposes was identified. The statement “But those are human actions. They have nothing to do with the technology.” was attributed to Dr. Molly Coye, Google advisor and CEO of non-profit HealthTech.

This is similar to, if not the same perspective as “Guns don’t kill, people do”. Thankfully, there is plenty of gun safety education, regulation and control as to who shouldn’t or should have weapons. Even so, madmen and crazies kill. People still suffer and die, and their families and society pay. Manufacturers and retailers profit.

With health records available in a readily accessible format and medium, the opportunity for compromise is not just a people problem. If a prospective employer or business entity wants to vet your records, you may be denied employment or access to some service just by refusing to grant them access. The collection and analysis of health information is big business, and access to the statistics may be just as detrimental as access to your records alone. This situation must be balanced by industry accountability and regulation, as well as explicit liabilities borne by those who misappropriate or use the information for illegitimate purposes. As recent financial compromises have shown, there is also a serious risk of insider misuse of private information.

You might think this comparison is off the mark, but the privacy and control of health care records is a critical issue, and turning over control of personal information to a profit-seeking entity without significant, if not bulletproof, individual protections must not be taken lightly. Wasn’t HIPAA supposed to accomplish this? I think it’s time for a real sanity check of what we are considering here. Before the bullet leaves the barrel…

March 06, 2008

Microsoft acquires Credentica

Blogger: Mark Diodati

Today, Microsoft announced its acquisition of Credentica, a consumer authentication technology company. Like Arcot and TriCipher, its executive team holds patents on some interesting cryptographic techniques, which are embedded in the company’s U-Prove technology. The technology relies heavily upon PKI. If you are interested in the protocols, you can retrieve the “U-Prove SDK Overview” and a corresponding PowerPoint presentation here.

I have yet to speak to Microsoft and Credentica (this is likely to happen in the next few days), and my understanding will likely change once that happens. Within the U-Prove environment, there are three parties: the issuer (AKA credential or identity provider), the user, and the verifier (AKA the service provider). After the user successfully authenticates, the issuer provides the user with a credential: the ID Token. The ID Token can be short- or long-lived. The ID Token is signed by the issuer (similar to an X.509 certificate), and the user subsequently presents the ID Token to the verifier.

The user authenticates to the verifier when presenting the ID Token by sending along a nonce (that is, a random number) that is encrypted with the user’s private key.  The verifier can validate that the ID Token originated from the user in possession of the private key (yes, Virginia, the U-Prove technology appears to require that the user possess a private key). 

One important distinction exists when compared to X.509 authentication.  Before presenting the ID Token, the user can control which attributes in the ID Token are revealed to the verifier, which provides some privacy controls. 

The technology also appears to provide man-in-the-middle mitigation, digital signature capabilities, and supports stronger authentication (e.g., a smart card) by the user to the issuer.

The U-Prove protocol also appears to work nicely with SAML, while providing the user control over information presented to the verifier (AKA service provider).  The issuer (AKA identity provider) provides the ID Token credential to the user.  The ID Token contains user attributes, which are signed by the issuer.  The user has control over which attributes are disclosed to the verifier because the user builds the SAML assertion from the desired attributes.  The user signs the assertion, and then presents it to the verifier.
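The three-party flow described in the preceding paragraphs (issuer signs a token, the user proves possession of a private key against the verifier’s nonce, and the user chooses which signed attributes the verifier gets to see) can be modeled end to end. The block below is an added example and is not Credentica’s U-Prove code or cryptography: it hides each attribute behind a salted hash commitment and uses a textbook Schnorr signature over a toy group built from the Python standard library, so it shows the shape of the exchange rather than U-Prove’s actual mathematics. The group parameters, the attribute names, and the nonce are constructed values for the example.

```python
"""Issuer / user / verifier token flow with selective attribute disclosure.

Added, simplified model; NOT U-Prove's cryptography. The issuer signs the
user's public key plus one commitment per attribute. The user later opens
only the attributes it chooses and signs the verifier's nonce to prove it
holds the private key the token was issued to.
"""
import hashlib
import json
import secrets

# Toy group: the Mersenne prime 2**127 - 1 with base 3. Exponents are reduced
# mod P-1, which keeps the Schnorr equation correct for any base (Fermat), but
# these are illustration parameters, not a standardized or recommended group.
P = 2**127 - 1
N = P - 1
G = 3

def _h(*parts):
    """Hash a tuple of ints / strings / bytes into a challenge mod N."""
    h = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big") % N

def keygen():
    """Return (private, public) for the toy group."""
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)

def sign(priv, message):
    """Schnorr signature (e, s): e = H(g^k, m), s = k - priv*e mod N."""
    k = secrets.randbelow(N - 1) + 1
    r = pow(G, k, P)
    e = _h(r, message)
    return e, (k - priv * e) % N

def verify(pub, message, sig):
    """Recompute r = g^s * pub^e and check the challenge matches."""
    e, s = sig
    r = (pow(G, s, P) * pow(pub, e, P)) % P
    return _h(r, message) == e

def commit(name, value, salt):
    """Salted hash commitment to one attribute value."""
    return hashlib.sha256(f"{name}={value}:{salt}".encode()).hexdigest()

# --- issuer -------------------------------------------------------------
def issue_token(issuer_priv, user_pub, attributes):
    """Sign the user's public key and a commitment per attribute. The
    openings (value, salt) stay with the user, not in the token."""
    openings = {n: (v, secrets.token_hex(16)) for n, v in attributes.items()}
    token = {
        "user_pub": user_pub,
        "commitments": {n: commit(n, v, s) for n, (v, s) in openings.items()},
    }
    token["issuer_sig"] = sign(issuer_priv, json.dumps(token, sort_keys=True))
    return token, openings

# --- user ---------------------------------------------------------------
def present(token, openings, user_priv, disclose, nonce):
    """Open only the chosen attributes and sign the verifier's nonce."""
    return {
        "token": token,
        "disclosed": {n: openings[n] for n in disclose},
        "nonce_sig": sign(user_priv, nonce),
    }

# --- verifier -----------------------------------------------------------
def check_presentation(issuer_pub, presentation, nonce):
    """Return the disclosed attributes if every check passes, else None."""
    token = presentation["token"]
    body = {k: v for k, v in token.items() if k != "issuer_sig"}
    if not verify(issuer_pub, json.dumps(body, sort_keys=True), token["issuer_sig"]):
        return None                                  # not issued by this issuer
    if not verify(token["user_pub"], nonce, presentation["nonce_sig"]):
        return None                                  # presenter lacks the user's key
    revealed = {}
    for name, (value, salt) in presentation["disclosed"].items():
        if token["commitments"].get(name) != commit(name, value, salt):
            return None                              # opened value does not match
        revealed[name] = value
    return revealed

if __name__ == "__main__":
    ipriv, ipub = keygen()
    upriv, upub = keygen()
    token, openings = issue_token(ipriv, upub, {"name": "Alice", "age_over_21": "yes"})
    nonce = "constructed-nonce-123"                 # would come from the verifier
    print(check_presentation(ipub, present(token, openings, upriv, ["age_over_21"], nonce), nonce))
```

The verifier learns only the attributes the user chose to open, yet can still confirm that every opened value is one the issuer vouched for, which is the privacy property the post attributes to U-Prove over plain X.509 presentation. The nonce binds the presentation to one verifier session; reusing a captured presentation against a fresh nonce fails the second check.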

Why did Microsoft acquire Credentica? The U-Prove technology looks like a good candidate as an authentication mechanism for CardSpace managed cards (i.e., those cards issued by an identity provider) that is consistent with Kim’s Laws of Identity. The authentication mechanism we’re talking about is between the identity provider (AKA issuer in Credentica-speak) and the user, not the user and the service provider (AKA verifier in Credentica-speak). My colleague Bob Blakley is our resident CardSpace expert; I learned most of what I know about the technology from him. If you are a Burton Group IdPS customer and are interested in CardSpace, his recent document “The Information Card Landscape” is a good read.
 
The aforementioned Credentica white paper (published in April of 2007) references these benefits.

“ID Tokens are the only practical technology by means of which the Windows CardSpace identity selector can fully comply with the “laws of identity” defined by its chief architect, Kim Cameron. Cameron has confirmed that standard digital certificates break the fourth law of identity. In addition, the second and third laws of identity cannot be fully met using standard certificate technology.”

It appears that the Credentica technology is more protocol than product, which is beneficial to Microsoft.  Microsoft will have fewer pre-acquisition customers to support.  Also, Microsoft should have an easier time integrating the U-Prove technology into CardSpace.  Microsoft appears to have at least one integration challenge because the U-Prove SDK appears to be Java-based, and requires the Java runtime environment on the user’s client.

March 03, 2008

HP's Identity Retrenchment

Bloggers: Bob Blakley, Lori Rowland, Gerry Gebel

Burton Group frequently discusses the fiercely competitive nature of the identity management (IdM) market. This continues to be a consolidating market characterized by numerous mergers, acquisitions and vendor exits.

Burton Group has specifically commented on HP’s struggle to succeed in this competitive market. Burton Group’s Identity and Privacy Strategies Report, “The Identity Management Market 2007: An Expanding Universe”, our Catalyst 2007 Keynote “Identity Management Market Landscape 2007: Enabling Security and Control Objectives in the Enterprise”, and our “Vantage Point 2007: Trends in Identity Management” telebriefing all noted that HP’s ability to compete, mindshare, and market momentum have been in sharp decline.

Burton Group has been contacted by HP customers who report that HP is no longer going to seek new customers for its Identity Center product.  We have contacted HP and the company confirms that HP Software has decided to focus its investment in identity management products exclusively on existing customers and not on pursuing additional customers or market share. HP is in the process of reaching out to each customer regarding the change. Last week Burton Group spoke to HP Software Vice President of Products Eric Vishria regarding this development. 

Vishria explained that the Identity Center product line was not performing in this highly competitive market at a level that’s acceptable to HP, but added that the product supports the operations of a number of HP’s critical customers.  HP has therefore made the decision to focus research and development efforts on existing customers only.

The company does have a respectable number of existing customers. HP is in the process of reaching out to these customers to assist them with their identity management needs going forward. HP also feels that Identity Center represents an excellent set of technologies. For these reasons, HP has decided not to declare end-of-life for the product.  This means that HP will continue to provide technical support to existing customers and will maintain a development staff to make product enhancements based on needs of existing customers.  Vishria did not specify how long this technical support and product enhancement will continue. However, he did acknowledge that HP had considered options including end-of-life for Identity Center, and had consciously decided against declaring end-of-life so as to extend support and development beyond the two years typically allotted for an end-of-life product.

HP’s decision is clearly a blow to the company’s current IdM customers and to anyone who was considering purchasing their products. HP’s commitment to current customers is commendable; this commitment obviously cannot be open-ended, so now is the time for current HP customers to start planning.

In view of HP’s decision, Burton Group has recommendations for existing HP customers, non-HP customers, and other vendors competing in this market.

First and foremost, current HP customers should not panic. HP has no intention of abandoning its existing Identity Management customers.  Your first step should be to contact HP for clarification of the situation; HP is in the process of reaching out to all of its Identity Center customers, and you are undoubtedly already on their radar.  Existing customers will, however, need to decide going forward whether they will stick with their investments or consider moving to another product. Even if the decision is to move to another product, HP’s strategy and commitment allows customers to exit in an orderly and timely fashion.

After not panicking, existing customers must think strategically. It’s fair to assume that HP will not be able to keep pace on product enhancements when compared to other vendors who are fully committed to the IdM market and who are deriving revenue from new product sales. Organizations with HP Identity Center deployments will need to evaluate all of their options going forward.

Customers of other IdM vendors and customers considering new IdM deployments should also be carefully scrutinizing this announcement. As the market becomes increasingly competitive it is imperative that customers evaluate the viability and long-term strategy of their existing and potential IdM vendors. Burton Group predicts that the market will see continued, or even increased, consolidation in coming months.

Another point worth mentioning is how HP’s announcement illustrates the fierce competition in the IdM market, even for a vendor the size of HP. There is extreme pressure from all sides in the IdM market, particularly for smaller vendors, but HP proves even the giants are not immune from difficulty.

Finally, IdM vendors: now is a good time to evaluate your commitment to the market, being completely realistic about the level of investment required to compete successfully in the crowded Identity Management space.

March 02, 2008

So many identity conferences, so little time

Blogger: Gerry Gebel

If you use conferences as a guide, then identity management is hotter than ever. It seems a month doesn’t go by without at least one event that is identity related and March 2008 is no exception. In fact, I’m participating in two conferences this week in Europe – where the list of interesting identity-related events continues to grow. On Monday, I’ll be at the Net ID 2008 conference in Basel, Switzerland talking about SharePoint access and identity management. I’ll also be on a panel discussing interoperability – a favorite topic of mine, so this should be fun.

Later in the week, I’ll be presenting at the ic Consult conference at BMW World in Munich. My presentation is titled “IdM Markkt, Schwerpunkt SSO” (IdM Market, Focus on SSO) in the program, but rest assured I will be doing this in English and not torturing the audience with my meager German language skills!  The guys at ic Consult always put on a great program – I’ve had the great fortune to participate in their fall event that happens to coincide with Oktoberfest… In any language, it’s remarkable that, as an industry, we haven’t done more to ease the authentication burden for end users. Certainly, there are enough technologies to choose from: passwords, smart cards, PKI, federation, E-SSO, Kerberos, SPNEGO, GSS-API, and the list goes on. But the problem, if anything, is getting worse.

In addition to talking about SSO in Munich, we’ll be focusing quite a bit of attention to authentication at Catalyst this June. My colleague, Mark Diodati, is leading the charge on that topic and you’ll hear more from him about it between now and the conference.

Novell rounds out the March conference schedule with their BrainShare event in Salt Lake City. While not exclusively focused on identity, Novell includes a heavy dose of it on the agenda. And one of the better features is that this conference is local to the Burton Group headquarters. Hope to see you on the road, or on home territory this month.