The Evolution of Identity Management February 18, 2005 © Copyright 2004, Credentica – all rights...
The Evolution of Identity Management
February 18, 2005
© Copyright 2004, Credentica – all rights reserved
Dr. Stefan Brands
Slide 2
Part I
The evolution of conventional I&AM
Slide 3
Set-up: Identity enrolment & provisioning
[Diagram: User I with attributes a1, a2, …; Identity Server (IdS); Attribute Server (AS); Resource Provider (RP)]
I&AM set-up:
• Enrollment in Identity Server (IdS)
• Provisioning in Attribute Server (AS)
• Identity Token issuance
Next slides:
• Access to Resource Provider (RP)
Slide 4
Phase 0: Intra-enterprise I&AM (today)
[Diagram: User I with attributes a1, a2, … authenticates to the IdS/AS, which answers yes/no to the RP]
Security: none listed
Privacy: none listed
Other: none listed
Slide 5
Phase 1: Access by “extended” user (today)
[Diagram: User I with attributes a1, a2, … authenticates to the IdS/AS, which answers yes/no to the RP]
Security: none listed
Privacy:
• No access privacy
Other: none listed
Slide 6
Phase 2: Federated access (in progress …)
[Diagram: one IdS/AS serving several RPs; the relation between the RPs is marked “??” and “=”]
Security:
• Availability
• Insider fraud
• IdS & AS exposed
• Denial of service
Privacy:
• RP can trace User
• IdS can trace User
• IdS can monitor RP
• IdS cross-profiling
Other:
• RP–IdS/AS relation
Slide 7
Phase 3: Federated I&AM (a la SAML)
[Diagram: one IdS/AS serving many RPs]
Security:
• Availability
• Insider fraud
• IdS & AS exposed
• Denial of service
Privacy:
• RP can trace User
• IdS can trace User
• IdS can monitor RP
• IdS cross-profiling
• Privacy legislation
Other:
• RP–IdS/AS relation
Slide 8
Phase 3: Federated I&AM (a la SAML)
[Diagram: one IdS/AS serving many RPs]
Security:
• Availability
• Insider fraud
• IdS & AS exposed
• Denial of service
Privacy:
• RP can trace User
• IdS can trace User
• IdS can monitor RP
• IdS cross-profiling
• Privacy legislation
Other:
• RP–IdS/AS relation
• Scalability
Slide 9
Phase 4: Data sharing a la Liberty Alliance
[Diagram: one IdS/AS serving many RPs, which share user data among them]
Security:
• Availability
• Insider fraud
• IdS & AS exposed
• Denial of service
Privacy:
• RP can trace User
• IdS can trace User
• IdS can monitor RP
• IdS cross-profiling
• Privacy legislation
Other:
• RP–IdS/AS relation
• Scalability
Slide 10
Phase 5: Cross-federated I&AM (not yet …)
Security:
• Availability
• Insider fraud
• IdS & AS exposed
• Denial of service
Privacy:
• RP can trace User
• IdS can trace User
• IdS can monitor RP
• IdS cross-profiling
• Privacy legislation
Other:
• RP–IdS/AS relation
• Scalability
Slide 11
Phase 5: Cross-federated I&AM (not yet …)
[Diagram: cross-federated set-up with an IdP]
Security:
• Availability
• Insider fraud
• IdS & AS exposed
• Denial of service
Privacy:
• RP can trace User
• IdS can trace User
• IdS can monitor RP
• IdS cross-profiling
• Privacy legislation
Other:
• RP–IdS/AS relation
• Scalability
Slide 12
Part II
Solution with Digital Credentials
Slide 13
Digital Credentials
• The digital equivalent of real-world objects issued by “trusted” issuers:
  • Driver licenses, passports, stamps, coupons, entitlements, cash, ballots, credit report data, health record entries, …
  • New “credentials” that have no real-world equivalent
• Unique security, privacy, and efficiency features
• Independent “sliders” – pick according to application needs
• Traditional digital certificate techniques do not work
  – Inescapable systemic identification, security problems, inefficient
  – Note: Encryption only protects against content wiretapping
• Security is tied to the “attribute” data itself, so that the credential information can flow anywhere
• Accomplished through modern cryptographic techniques
Slide 14
Life-cycle of a Digital Credential
[Diagram: a Digital Credential (DC) carrying the attributes Alice, American, 23 y.o., Married, Teacher passes from the Registration Authority (RA) to the CA, then to the User, then to a Verifier and on to a 3rd party; one step is labelled SD]
Registration Authority can prepare a DC with some verified user attributes. Can hide the attributes before passing the DC to the CA.
CA can add some more attributes and then certifies the DC.
User knows all the attributes. User can disclose a subset of the attributes to a verifier.
Verifier can prove the transaction to a 3rd party. It can also hide some disclosed attributes.
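The "disclose a subset of the attributes" step of slides 13 and 14, as an added example that is not Credentica's or Dr. Brands' own construction: attributes a1..ak are bound, with a blinding exponent alpha, into one group element h, and the user reveals some attributes while proving knowledge of the rest with a Schnorr-style proof of representation. The group parameters are toy values constructed for the example, and the CA's signature on h is assumed to exist and is not implemented; the Fiat-Shamir challenge means the verifier can hand the transcript to a 3rd party, who re-checks it with the same `verify`.

```python
import hashlib
import math
import secrets

# Toy group, constructed for this example: p = 2q + 1 is a safe prime, so the squares
# mod p form a subgroup of prime order q. Real deployments use a 2048-bit+ group or an
# elliptic curve, and generators whose mutual discrete logs are unknown.
P, Q = 10007, 5003
GENS = [pow(b, 2, P) for b in (2, 3, 5, 7, 11)]  # g0 blinds; g1..g4 carry attributes


def attr_to_scalar(value: str) -> int:
    """Map an attribute string to an exponent in Z_q."""
    return int.from_bytes(hashlib.sha256(value.encode()).digest(), "big") % Q


def issue(attrs):
    """Issuer side: h = g0^alpha * prod g_i^a_i (the CA's signature on h is omitted)."""
    scalars = [attr_to_scalar(a) for a in attrs]
    alpha = secrets.randbelow(Q)
    h = math.prod(pow(g, x, P) for g, x in zip(GENS, [alpha] + scalars)) % P
    return h, alpha, scalars


def _challenge(h, t, disclosed):
    """Fiat-Shamir challenge: makes the transcript checkable by any 3rd party."""
    data = f"{h}|{t}|{sorted(disclosed.items())}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(h, alpha, scalars, disclose):
    """User side: reveal attributes with 1-based indices in `disclose`; prove
    knowledge of alpha and the other attributes without revealing them."""
    exps = [alpha] + scalars
    disclosed = {i: exps[i] for i in disclose if 1 <= i < len(exps)}
    hidden = [i for i in range(len(exps)) if i not in disclosed]  # always includes 0
    w = {i: secrets.randbelow(Q) for i in hidden}
    t = math.prod(pow(GENS[i], w[i], P) for i in hidden) % P
    c = _challenge(h, t, disclosed)
    resp = {i: (w[i] + c * exps[i]) % Q for i in hidden}
    return disclosed, t, resp


def verify(h, disclosed, t, resp):
    """Verifier (or 3rd party) side: accept iff hidden + disclosed exponents represent h."""
    if set(resp) & set(disclosed) or set(resp) | set(disclosed) != set(range(len(GENS))):
        return False
    h_prime = h
    for i, a in disclosed.items():
        h_prime = h_prime * pow(GENS[i], Q - a, P) % P  # divide out g_i^a_i
    c = _challenge(h, t, disclosed)
    lhs = math.prod(pow(GENS[i], r, P) for i, r in resp.items()) % P
    return lhs == t * pow(h_prime, c, P) % P
```

Because the check is made against h rather than against the user's identity, the RP learns only the disclosed attribute values and the fact that the rest were certified.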
Slide 15
Example: privacy-friendly CRL
[Diagram: Alice Smith presents token-specific information to the Verifier; the Verifier holds a BLACKLIST of token-specific information for “Bob Barker”, “Dan Daniels”, “Hilary Heintz”, “Ed Edwards”, “Max Murray”, “Frank Foster”, “Charlie Colm”, “George Gosp”]
Slide 16
Example: privacy-friendly blacklist
[Diagram: the Verifier's BLACKLIST of token-specific information (“Bob Barker”, “Dan Daniels”, “Hilary Heintz”, “Ed Edwards”, “Frank Foster”, “Charlie Colm”, “George Gosp”) is checked against Alice Smith's token-specific information; “Alice Smith” is shown next to the token]
Slide 17
Non-intrusive account linking
[Diagram: User I with attributes a1, a2, … is enrolled at the IdS/AS and holds two RP accounts, “John D” = Y with attributes j1, j2, … and “Doe, J” = X with attributes d1, d2, …; the accounts X and Y are linked]
Slide 18
Non-intrusive data sharing across accounts
[Diagram: attributes j1, j2, … from the “John D” = Y account are shared with the “Doe, J” = X account at another RP; only j1 and j2 are passed along]
Slide 19
Federated access control
[Diagram: attribute sets j1 j2, z1 z2 and v1 v2 from several RP accounts, together with account X, feed a yes/no access decision; labels: “Doe, J” = X d1, d2, …; “John D” = Y j1, j2, …]
Slide 20
Federated security services
[Diagram: identities I at each RP with a CRL per RP; labels: “Doe, J” = X d1, d2, …; “John D” = Y j1, j2, …; X, Y, ABUSE, “CRL X = Y”]