![Page 1: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/1.jpg)
Copyright 1988-2006
Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU
http://www.anu.edu.au/Roger.Clarke/......../EC/ IdMngtMyths06 {.html,.ppt}
Identity Management – 7-8 March 2006, Sydney Convention & Exhibition Centre
Mythologies of Identity Control
![Page 2: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/2.jpg)
Mythologies of Identity Control

1. Authentication
2. (Id)entities and (Id)entifiers
3. (Id)entities Management for, and Not of, People
4. Nym Management
5. Biometrics Technologies
![Page 3: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/3.jpg)
Authentication

The Process of Testing an Assertion in order to establish a level of confidence in the Assertion’s reliability
![Page 4: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/4.jpg)
Kinds of Assertions Relevant to eBusiness

• About Data
• About Value
• About Location
• About Documents
• About Attributes
• About Principal-Agent Relationships
• About Entities
• About Identities
![Page 5: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/5.jpg)
Which Assertions Matter?

• Utilise Risk Assessment techniques to determine:
  • Which Assertions
  • What level/strength of Authentication
![Page 6: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/6.jpg)
Australian Government e-Authentication Framework (AGAF)
http://www.agimo.gov.au/infrastructure/authentication/agaf

• Decide what statements need to be authenticated
• Use risk assessment techniques in order to decide on the level of assurance needed
• From among the alternative e-authentication mechanisms, select an appropriate approach
• Assess the impact on public policy concerns such as privacy and social equity
• Implement
• Evaluate
![Page 7: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/7.jpg)
2. (Id)entities and (Id)entifiers

[Diagram: Real World – Identity and Attributes; Abstract World – Identifier + Data-Items; identifier labels: Names, Codes, Roles]
![Page 8: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/8.jpg)
[Diagram: Real World – Entity and Attributes, Identity and Attributes; Abstract World – Identifier + Data-Items]
![Page 9: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/9.jpg)
[Diagram: Real World – Entity and Attributes, Identity and Attributes; Abstract World – Entifier + Data-Items, Identifier + Data-Items]
![Page 10: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/10.jpg)
Human (Id)entifiers

• appearance – how the person looks
• social behaviour – how the person interacts with others

• names – what the person is called by other people
• codes – what the person is called by an organisation

• bio-dynamics – what the person does
• natural physiography – what the person is
• imposed physical characteristics – what the person is now
![Page 11: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/11.jpg)
Imposed Biometrics

“imposed physical identifiers ... branding, tattooing, implanted micro-chips”
![Page 12: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/12.jpg)
Human Identity Authentication

• What the Person Knows
  e.g. mother’s maiden name, Password, PIN
• What the Person Has (‘Credentials’)
  e.g. a Token, such as an ‘ID-Card’, a Ticket
  e.g. a Digital Token such as “a Digital Signature consistent with the Public Key attested to by a Digital Certificate”

Human Entity Authentication

• What the Person Is (Static Biometrics)
• What the Person Does (Dynamic Biometrics)
![Page 13: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/13.jpg)
2. (Id)entities Management

A Working Definition

A set of processes and supporting infrastructure that enable the authentication of (id)entity assertions

The term is often used in a more restrictive sense, to apply to the specific context of online access over open public networks
![Page 14: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/14.jpg)
Phases in Online User Access Security

[Diagram: Pre-Authentication of Evidence of Identity or Attribute; Register of Authenticators; Authentication using the Issued Authenticator; Authorisation; Access Control; Permissions Store or Access Control List]
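As an added example (not part of the presentation), the phases named on this slide modelled in Python. The sequence assumed here is: pre-authenticate the evidence presented at enrolment, issue an authenticator and record it in a register, authenticate a later access attempt against that register, then authorise it against a permissions store (an ACL) before the access-control decision. The evidence policy (`document_verified`), the PBKDF2-hashed "what the person knows" authenticator and the sample grants are all assumptions made for the example.

```python
"""Toy model of the access-security phases: pre-authentication of evidence,
register of authenticators, authentication, authorisation (permissions store /
ACL) and the final access-control decision. Added example; the policy, names
and data are constructed, not taken from the presentation."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Register:
    """Register of Authenticators: identifier -> (salt, PBKDF2 hash).
    The secret itself is never stored."""
    entries: dict = field(default_factory=dict)


@dataclass
class Acl:
    """Permissions Store / Access Control List: identifier -> {(resource, action)}."""
    grants: dict = field(default_factory=dict)


def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def pre_authenticate(evidence: dict) -> bool:
    """Stand-in for testing the evidence of identity or attribute at enrolment.
    Constructed policy: a hypothetical registrar must have marked the
    supporting document as verified."""
    return evidence.get("document_verified") is True


def enrol(register: Register, evidence: dict, identifier: str, secret: str) -> bool:
    """Pre-authenticate the evidence, then issue and register an authenticator."""
    if not pre_authenticate(evidence):
        return False  # weak evidence: nothing is issued
    if identifier in register.entries:
        return False  # identifier already registered
    salt = os.urandom(16)
    register.entries[identifier] = (salt, _derive(secret, salt))
    return True


def authenticate(register: Register, identifier: str, secret: str) -> bool:
    """Test the assertion 'I am <identifier>' using the issued authenticator."""
    entry = register.entries.get(identifier)
    if entry is None:
        # Derive anyway so an unknown identifier costs the same as a wrong secret.
        _derive(secret, b"\x00" * 16)
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, _derive(secret, salt))


def authorise(acl: Acl, identifier: str, resource: str, action: str) -> bool:
    """Consult the permissions store; a successful authentication grants nothing by itself."""
    return (resource, action) in acl.grants.get(identifier, set())


def access(register: Register, acl: Acl, identifier: str, secret: str,
           resource: str, action: str) -> str:
    """Access control: combine the authentication and authorisation outcomes."""
    if not authenticate(register, identifier, secret):
        return "deny: authentication failed"
    if not authorise(acl, identifier, resource, action):
        return "deny: not authorised"
    return "allow"


if __name__ == "__main__":
    reg, acl = Register(), Acl()
    enrol(reg, {"document_verified": True}, "alice", "correct horse")
    acl.grants["alice"] = {("/payroll", "read")}
    print(access(reg, acl, "alice", "correct horse", "/payroll", "read"))   # allow
    print(access(reg, acl, "alice", "correct horse", "/payroll", "write"))  # deny: not authorised
    print(access(reg, acl, "alice", "wrong", "/payroll", "read"))           # deny: authentication failed
```

The point the model makes explicit is the separation the slide draws: the register answers only "is this the authenticator we issued?", while the permissions store answers "what may this identity do?", and the access-control step has to consult both.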
![Page 15: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/15.jpg)
User Access Security for a Single Application

[Diagram: Application Access Control]
![Page 16: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/16.jpg)
Single-Organisation ‘Single-SignOn’

[Diagram: Identity Management Service – The Internet – The Organisation’s Web-Sites]
![Page 17: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/17.jpg)
Multi-Organisation ‘Single-SignOn’ ‘Identity Management’

[Diagram: Identity Management Service – The Internet – The Organisation’s Web-Sites]
![Page 18: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/18.jpg)
Federated Identity Management à la Liberty Alliance, WS-*

[Diagram: Identity Management Services – The Internet – The Organisation’s Web-Sites]
![Page 19: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/19.jpg)
Countermeasures by Individuals

• Web-Forms can be filled with:
  • pre-recorded data
  • convenient data
  • pseudo-random data
  • ‘false’ data
• Personal data can be automatically varied for each remote service, in order to detect data leakage, e.g. spelling-variants, numerical anagrams
• Personal data can be automatically varied for the same remote service on successive occasions (to pollute the data-store and confuse the user profile)
• Users can exchange cookies, resulting in compound profiles rather than profiles that actually reflect an individual user's behaviour
![Page 20: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/20.jpg)
Identity Management by a User-Selected Intermediary

[Diagram: The Internet – Identity Management Services – The Organisation’s Web-Sites]
![Page 21: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/21.jpg)
User-Device Identity Management

[Diagram: The Internet – The Organisation’s Web-Sites]
![Page 22: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/22.jpg)
User-Proxy Identity Management

[Diagram: Handheld – The Internet – Identity Management Service – The Organisation’s Web-Sites]
![Page 23: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/23.jpg)
Identity Management: The Multi-Mediated Super-Architecture

[Diagram combining: Silo’d Single-Organisation Single-SignOn I.M.; Federated, Multi-Organisation Single-SignOn I.M.; User-Selected Intermediary I.M.; Own-Device and Own-Proxy I.M. (Handheld); each reaching The Organisation’s Web-Sites and an Identity Management Service across The Internet]
![Page 24: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/24.jpg)
(Id)entities

[Diagram: Real World – Entity and Attributes, Identity and Attributes; Abstract World – Entifier + Data-Items, Identifier + Data-Items]
![Page 25: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/25.jpg)
4. Nyms

[Diagram: Real World – Entity and Attributes, Identity and Attributes; Abstract World – Record: Entifier + Data-Items, Record: Identifier + Data-Items, Record: Nym + Data-Items; relationships annotated with m:n, 1:1 and 1:n cardinalities]
![Page 26: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/26.jpg)
Nym

One or more attributes of an Identity (represented in transactions and records as one or more data-items) sufficient to distinguish that Identity from other instances of its class, but not sufficient to enable association with a specific Entity

Pseudonym – association is not made, but possible
Anonym – association is not possible
![Page 27: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/27.jpg)
Nymality is Normality

aka ('also-known-as'), alias, avatar, character, nickname, nom de guerre, nom de plume, manifestation, moniker, personality, profile, pseudonym, pseudo-identifier, sobriquet, stage-name

Cyberspace has adopted those and spawned more: account, avatar, handle, nick, persona
![Page 28: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/28.jpg)
Privacy Enhancing Technologies (PETs)

Pseudo-PETs
Counter-PITs
Savage PETs
Gentle PETs: seek a balance between nymity and accountability through Protected Pseudonymity
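An added example (not the presenter's code) that gives the Nym definition two slides back and the "Protected Pseudonymity" of gentle PETs a concrete shape. An anonym is a random token whose issuer keeps no link to the entity; a pseudonym is derived per context so that one identity's records cohere while different contexts stay unlinkable, and the entity link is held by a separate escrow that releases it only under a stated policy. The escrow design, the `court_order_only` policy, the entifier values and the records are all constructed assumptions for this example.

```python
"""Nyms in code: values that distinguish an identity within its class without,
by themselves, associating it with an entity. Added example; the escrow
structure, policy and sample data are constructed, not from the presentation."""
import hashlib
import hmac
import secrets


class AnonymIssuer:
    """Anonym: association with an entity is not possible, because the issuer
    deliberately retains no mapping from token to entity."""

    def issue(self) -> str:
        return secrets.token_hex(16)


class PseudonymEscrow:
    """Pseudonym: association is not made in the service's records, but remains
    possible through this escrow, which holds the link apart from the data and
    releases it only when `policy(request)` is satisfied."""

    def __init__(self, key: bytes, policy):
        self._key = key
        self._policy = policy  # callable(request: dict) -> bool
        self._links = {}       # pseudonym -> entifier (held here only)

    def issue(self, entifier: str, context: str) -> str:
        # Keyed derivation: same entity + context -> same pseudonym (records of
        # one identity cohere); different contexts -> unlinkable pseudonyms.
        msg = f"{context}|{entifier}".encode()
        nym = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        self._links[nym] = entifier
        return nym

    def resolve(self, nym: str, request: dict):
        """Re-identification: None unless the accountability policy is met."""
        if not self._policy(request):
            return None
        return self._links.get(nym)


def service_view(records):
    """What the data-holder stores and sees: Nym + Data-Items, never the entifier."""
    return [(r["nym"], r["data"]) for r in records]


def court_order_only(request: dict) -> bool:
    # Constructed accountability policy for the example.
    return request.get("authority") == "court" and "order_id" in request


def demo() -> dict:
    escrow = PseudonymEscrow(key=secrets.token_bytes(32), policy=court_order_only)
    alice_health = escrow.issue("ENT-0001", "health")    # constructed entifier
    alice_library = escrow.issue("ENT-0001", "library")
    records = [{"nym": alice_health, "data": {"visit": "2006-03-07"}}]
    return {
        "distinct_per_context": alice_health != alice_library,
        "stable_within_context": escrow.issue("ENT-0001", "health") == alice_health,
        "service_sees_entifier": any("ENT-0001" in str(v) for v in service_view(records)),
        "resolve_without_authority": escrow.resolve(alice_health, {"authority": "marketing"}),
        "resolve_with_order": escrow.resolve(alice_health, {"authority": "court", "order_id": "X-1"}),
        "anonyms_unlinkable": AnonymIssuer().issue() != AnonymIssuer().issue(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The balance the slide describes is carried by where the link lives: the service holds only nym-keyed records, so a breach of its store discloses no entity, and the escrow's policy check is the single place where accountability can override nymity.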
![Page 29: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/29.jpg)
Financial Times, 19 Feb 2006, Interview with Bill Gates re MS Identity Metasystem Architecture and InfoCard

“... the thing that says the government says I'm over 18 ... You can prove who you are to a third party and then, in the actual usage, they don't know who you are.

“A lot of the previous designs had the idea that if you authenticated, then you gave up privacy. There are lots of cases where you want to be authentic but not give up your privacy”.
![Page 30: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/30.jpg)
5. Biometrics Technologies

• Variously Dormant or Extinct
  • Cranial Measures
  • Face Thermograms
  • Veins (hands, earlobes)
  • Retinal Scan
  • Handprint
  • Written Signature
  • Keystroke Dynamics
  • Skin Optical Reflectance
  • ...
• Currently in Vogue
  • Iris
  • Thumbprint
  • Hand Geometry
  • Voice
  • Face
• Special Case
  • DNA
• Promised
  • Body Odour
  • Multi-Attribute
![Page 31: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/31.jpg)
Fraudulent Misrepresentation of the Efficacy of Face Recognition

• The Tampa SuperBowl was an utter failure
• Ybor City FL was an utter failure
• Not one person was correctly identified by face recognition technology in public places
• Independent testing results are not available
• Evidence of effectiveness is all-but non-existent
• Ample anecdotal evidence exists of the opposite
![Page 32: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/32.jpg)
Reference-Measure Quality

• The Person's Feature (‘Enrolment’)
• The Acquisition Device
• The Environmental Conditions
• The Manual Procedures
• The Interaction between Subject and Device
• The Automated Processes
![Page 33: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/33.jpg)
Association Quality

• Depends on a Pre-Authentication Process
• Subject to the Entry-Point Paradox
• Associates data with the ‘Person Presenting’ and hence Entrenches Criminal IDs
• Risks capture and use for Masquerade
• Facilitates Identity Theft
• Risk of an Artefact Substituted for, or Interpolated over, the Feature
![Page 34: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/34.jpg)
Test-Measure Quality

• The Person's Feature (‘Acquisition’)
• The Acquisition Device
• The Environmental Conditions
• The Manual Procedures
• The Interaction between Subject and Device
• The Automated Processes
![Page 35: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/35.jpg)
Comparison Quality

• Feature Uniqueness
• Feature Change:
  • Permanent
  • Temporary
• Ethnic/Cultural Bias: “Our understanding of the demographic factors affecting biometric system performance is ... poor” (Mansfield & Wayman, 2002)
• Material Differences in:
  • the Processes
  • the Devices
  • the Environment
  • the Interactions
• An Artefact:
  • Substituted
  • Interpolated
![Page 36: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/36.jpg)
Result-Computation Quality

• Print Filtering and Compression:
  • Arbitrary cf. Purpose-Built
• The Result-Generation Process
• The Threshold Setting:
  • Arbitrary? Rational? Empirical? Pragmatic?
• Exception-Handling Procedures:
  • Non-Enrolment
  • Non-Acquisition
  • ‘Hits’
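An added example, not from the presentation, of what an empirical rather than arbitrary threshold setting looks like for the comparison step, with non-acquisition handled as its own exception rather than folded into a match or non-match. The similarity scores are constructed for the example (the slide gives no data); the false non-match rate, false match rate and failure-to-acquire measures are standard biometric-evaluation terms, and the two selection rules (equal-error point, or the lowest threshold meeting a false-match budget) are the example's own assumptions.

```python
"""Empirical threshold setting for a biometric comparison step, with the
exception case 'non-acquisition' tracked separately. Added example; scores are
constructed, not measured, and the selection rules are assumptions."""

# Constructed similarity scores in [0, 1]. Genuine = same person at enrolment
# and at test; impostor = different people. None = non-acquisition (no usable
# sample was obtained), which must not be scored as either outcome.
GENUINE = [0.92, 0.88, 0.81, 0.79, 0.74, 0.70, 0.66, 0.61, None, 0.55]
IMPOSTOR = [0.12, 0.20, 0.31, 0.38, 0.44, 0.52, 0.58, 0.63, 0.41, 0.27]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Error rates at one threshold:
    fnmr = genuine comparisons rejected (score below threshold),
    fmr  = impostor comparisons accepted (score at or above threshold),
    fta  = fraction of genuine attempts with no usable sample."""
    scored = [s for s in genuine if s is not None]
    fta = (len(genuine) - len(scored)) / len(genuine)
    fnmr = sum(1 for s in scored if s < threshold) / len(scored)
    fmr = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return {"fnmr": fnmr, "fmr": fmr, "fta": fta}


def empirical_threshold(genuine=GENUINE, impostor=IMPOSTOR, max_fmr=None):
    """Sweep every observed score as a candidate threshold.
    With max_fmr given: return the lowest threshold whose false-match rate is
    within budget (least friction for genuine users that still meets it).
    Without: return the threshold where fnmr and fmr are closest (equal-error
    point), the usual starting point when no risk budget has been set."""
    candidates = sorted({s for s in genuine + impostor if s is not None})
    best, best_gap = None, None
    for t in candidates:
        r = rates(t, genuine, impostor)
        if max_fmr is not None:
            if r["fmr"] <= max_fmr:
                return t
            continue
        gap = abs(r["fnmr"] - r["fmr"])
        if best_gap is None or gap < best_gap:
            best, best_gap = t, gap
    return best


if __name__ == "__main__":
    for label, t in (("equal-error", empirical_threshold()),
                     ("fmr budget 0", empirical_threshold(max_fmr=0.0))):
        print(label, t, rates(t))
```

Two things the sweep makes visible that an arbitrarily chosen number hides: every tightening of the threshold that removes impostor matches rejects more genuine users, and the non-acquisition fraction is unchanged by the threshold at all, so it needs its own manual procedure rather than a tuning knob.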
![Page 37: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/37.jpg)
The Mythology of Identity Authentication That’s Been Current Since 12 September 2001

• Mohammad Atta’s rights:
  • to be in the U.S.A.
  • to be in the airport
  • to be on the plane
  • to be within 4 feet of the cockpit door
  • to use the aircraft’s controls
• Authentication of which assertion, in order to prevent the Twin Towers assault?
  • Identity (1 among > 6 billion)?
  • Attribute (not 1 among half a dozen)?
![Page 38: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/38.jpg)
Biometrics and Single-Mission Terrorists
• “Biometrics ... can’t reduce the threat of the suicide bomber or suicide hijacker on his virgin mission. The contemporary hazard is a terrorist who travels under his own name, his own passport, posing as an innocent student or visitor until the moment he ignites his shoe-bomb or pulls out his box-cutter” (Jonas G., National Post, 19 Jan 2004)
• “it is difficult to avoid the conclusion that the chief motivation for deploying biometrics is not so much to provide security, but to provide the appearance of security” (The Economist, 4 Dec 2003)
![Page 39: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/39.jpg)
Threats of the Age

Terrorism
Religious Extremism
Islamic Fundamentalism
![Page 40: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/40.jpg)
Threats of the Age

Terrorism
Religious Extremism
Islamic Fundamentalism

Law and Order Extremism
National Security Fundamentalism
![Page 41: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/41.jpg)
Mythologies of Identity Control

• That the assertions that need to be authenticated are assertions of identity (cf. fact, value, attribute, agency and location)
• That individuals only have one identity
• That identity and entity are the same thing
• That biometric identification:
  • works
  • is inevitable
  • doesn’t threaten freedoms
  • will help much
  • will help at all in counter-terrorism
• Every organisation is part of the national security apparatus
![Page 42: Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU](https://reader033.fdocuments.net/reader033/viewer/2022061306/55146402550346b0158b4a68/html5/thumbnails/42.jpg)
Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU
http://www.anu.edu.au/Roger.Clarke/......../EC/ IdMngtMyths06 {.html,.ppt}
Identity Management – 7-8 March 2006, Sydney Convention & Exhibition Centre
Mythologies of Identity Control