Identity management [TSA]

Transcription

1 [TSA]

2 INDEX 1. Introduction.3 2. Terminologies.3 3. Overview of Identity Management Identity Management Models Identity management framework.8 6. Authentication Methods Identity Management services Use Cases IDM in India IDM in ITU Conclusion Glossary References.21 2

3 1. INTRODUCTION The rapid growth in the number of online services has lead to in an increasing number of different identities that each user needs to manage. As a result, many people feel overloaded with identities and suffer from password fatigue. This is a serious problem and makes people unable to control and protect their digital identities against identity theft. As organization grows and add services such as ecommerce and global remote access of services, controlling who is accessing what kind of information is also becoming a more difficult task.hence to manage and secure Identities including maintenance of access based services, identity management can provide the solution. 1.1 DEFINITION Set of functions and capabilities (e.g., administration, management and maintenance, discovery, communication exchanges, correlation and binding, policy enforcement, authentication and assertions) used for: Assurance of the identity of an entity (e.g., users/subscribers, groups, user devices, Organizations, network and service providers, network elements and objects, and virtual Objects), and enabling business and security applications. Assurance of identity information (e.g., identifiers, credentials, attributes) Thus Identity management has mainly two parts: i. Issuing users with credentials and unique identifiers during initial registration phase. ii. Authenticating users and controlling their access to services and resources based on their identifiers & credentials during service operation. 2. Basic Terminologies a. Entity: A separate and distinct existence of object within a context. For example subscribers, users, network elements, networks, software and elements, services, devices and interfaces etc. b.attributes: Information bound to an entity which specifies features and characteristic of an entity such as condition, quality or any information associated with the entity. c.identifier: One or more attributes used to identify an entity within a context. 3

4 d.identity: The representation of entity in form of information elements, which allow entities to be sufficiently distinguished within a particular context. e.credential: An identifiable object that can be used to authenticate the claimant is what it claim to be and to authorize the claimants access rights. d.identity Service Provider: An entity that verifies, maintains, manages and may create and assign identity information of other entities. It is also responsible for assigning the attributes to entity. Correspondence between entities, identities and identifiers The figure above illustrates that an entity, such as a person or an organization, may have multiple identities and each identity may consist of multiple characteristics that can be unique or non-unique identifiers. 3. OVERVIEW OF IDENTITY MANAGEMENT 4

5 Above figure shows the following: a. Entities: In a NGN environment where services are based on contexts and roles and accessed anywhere, anytime, and from any device, multiple forms of identity-related information may be associated with an entity. In addition, an entity may have one or more identities based on context. Example entities include: User and subscribers. User devices, network elements and objects. Organizations, groups, business enterprises and government enterprises Network and service providers. Virtual objects b. Identity information: The identity information associated with an entity can be grouped as follows: Identifiers (e.g., subscription account, network element addresses, service provider Identifier). Attributes (e.g., addresses, telephone numbers, URI, IP addresses, roles, claims, Privileges, authentication method, patterns and location). Credentials (e.g., digital certificates and tokens). c. IdM functions and capabilities: IdM functions and capabilities are used to increase confidence in identity information of an entity and support or enhance business and security applications including identity-based services. Example IdM functions and capabilities are: Identity lifecycle management. Identity information organization, correlation and binding. Authentication, authentication assurance and assertion. Discovery and exchange of identity information. Functions and capabilities to bridge different IdM systems to facilitate interoperability. d. Business and security applications: IdM functions and capabilities support and may help to enhance business and security applications using identity based services. 5

6 4. Identity Management models: Identity management a. Basic query/response information exchange process This is basic form of model based upon basic-query and response process based on some agreed upon protocol and information. This is common identity management model on which let service provider s act as both credential provider and identifier provider to their clients. They control the name space for a specific service domain, and allocate identifiers to users. A user gets separate unique identifiers from each service/identifier provider he transacts with. In addition, each user will have separate credentials, such as passwords associated with each of their identifiers. This model can also be called isolated user identity management. b. Three party identity management model Most of systems involve complex models, where the relying party who receives the claim is not the identity service provider. The function of identity service provider is separated from relying party and relying party after having certain level of authentication assurance, evaluates the response from the identity service provider. The most common example of this model is online Banking Transaction system which is later elaborated in this paper. 6

7 c. Federated User Identity Model: Identity federation can be defined as the set of agreements, standards and technologies that enable a group of service providers to recognize user identifiers and entitlements from other service providers within a federated domain. In a federated identity domain, agreements are established between SPs (Identity provider) so that identities from different SP specific identity domains are recognized across all domains. These agreements include policy and technology standards. A mapping is established between different identifiers owned by the same client in different domains that links the associated identities. This results in a single virtual identity domain, as illustrated in above figure. When a user is authenticated to a single service provider using one of their identifiers, they are considered to have been identified and authenticated with all the other service providers as well. This happens by passing assertions between service providers. Thus user once registered to one SP can access the service of other SP s within same federated domain. The most familiar example of federated identity is ATM machines. We take for granted that we can go to almost any ATM machine, both at home and abroad, and use an ATM card to obtain money. Most banks will honor ATM cards issued by other banks because of trust relationships that exist between the banks and standardized protocols for performing the ATM transactions. d. User-centric identity management model "User-centric" models (i.e., that require full requesting party control be enabled over use of their identities) are receiving significant attention and may also be mandated in national and regional jurisdictions. All queries/responses are directed through the requesting party. User-centric identity management approaches have received significant attention for managing private and critical identity attributes. User-centric 7

8 identity management allows users to control their own digital identities. Users are allowed to select their credentials when responding to authenticator or attribute requester; this gives users more rights and responsibility over their identity information. However, current user centric approaches mainly focus on interoperable architectures between existing identity management systems without considering privacy issues in depth. By allowing a user to control their own digital identities, the user can decide which identity attributes are needed to share with other trusted parties and under what circumstance. As the users have more rights and responsibilities over their identity information, it provides better protection of the user s private information. 5. IdM Framework The framework consists of the following IdM functions and capabilities: a. Identity lifecycle management: Identity lifecycle management involves the processes and procedures associated with the enrolment and issuance of identity data and information associated with an identity of an entity. b. Identity management (IdM) operation, administration, maintenance and provisioning (OAM&P) functions: This includes operation, administration, maintenance and provisioning (OAM&P) Management functions and capabilities specifically related to the support of IdM. OAM&P is a group of management functions that provide system or network fault indication, 8

9 performance monitoring, security management, diagnostic functions, configuration and user provisioning). c. Identity management (IdM) signaling and control functions: This includes signaling and control functions and capabilities used for the support of IdM services, capabilities and functions. This includes signaling and control for both real-time and near-real time communications. d. Identity management (IdM) federated identity functions: This includes functions and capabilities for identity federation and support of federated Services. e. Identity management (IdM) user and subscriber functions: This includes functions and processes related to control by end users and subscribers of their identity related information (e.g., PII, personal preferences and location). This includes functions to control, delegate and authorize the use and dissemination of Identity-related information. f. Identity management (IdM) performance, reliability, and scalability: This includes functions and procedures addressing performance, reliability and scalability of IdM systems and solutions. g. Identity management (IdM) security: This includes functions and procedures addressing the security protection of IdM systems, services and capabilities. 5.1 Identity Lifecycle Management a. Proofing and Enrolment This is the first step in creating identity for an entity (e.g., subscriber, device, organization, identity provider or object).this is the process where applicant applies to become subscriber of an Identity Provider. Proofing includes verifying attributes and claims associated with an identity. It involves processes and procedures to verify and validate information when enrolling an entity into an identity system 9

10 b.issuance and Revocation Successful completion of the enrolment process results in the granting of a means (e.g., a credential) by which the entity can be authenticated in the future. For example, the issuance of a credential(s) by an IdP binds it to the identity or related attribute (e.g., privilege or claim) of the identity associated with an entity. Identity revocation is the process of rescinding an identity and the associated credentials. The party or system (e.g., IdP provider) that issues an identity or credential is responsible for the maintenance and protection of the information associated with the identity. Revocation is required to prevent the continued use of an identity or credential that is no longer valid or has a security breach. 5.2 Identity management OAM&P functions a. Data model and schema Each NGN provider, federation or enterprise may have its own formats, schemas, definitions or semantics to represent and share identity-related data and information. Data model should be such that to facilitate interoperability between heterogeneous IdM systems (e.g., identity data sources) within an Identity provider domain (i.e., different supplier products), between different Identity providers (inter-network), between different federations (e.g., Identity provider and web-services providers). b. Identifier Management An identifier is any designation that is used to represent the identity of an entity, such as a user ID, a network ID, an address, a pseudonym, a group name, etc. The overall effectiveness of IdM depends on the assurance of the individual identifiers that may be correlated and bound to assure the identity of an entity. c. Attribute Management Identity attributes are descriptors of an entity, such as entity type, preferred IP address, domain, address information, telephone number. Attributes may also contain claims, rights, privileges, delegate lists, and special restrictions The effectiveness of IdM would depend on the assurance of attributes that may be correlated and bound to assure the identity of an entity. This includes storing and provisioning of attributes. Therefore, well-defined requirements and procedures for the management of attributes are necessary to be put in place. 10

11 d. Credential Management Credentials are used to authenticate the claimed identity. Credential includes Token, UserID, passwords, digital certificates, Security Matrix, biometric. Entity credential management encompasses the operational activities to create, issue, and manage information used to authenticate identity claims. e. Logging and Auditing Logging and auditing functions and capabilities are important to the effectiveness of IdM solutions. Example auditing and compliance measures include maintaining security logs to satisfy accountability requirements, protecting and appropriately using personal information, and providing notification to the appropriate systems or entities (e.g., identity owners) 5.3 Identity management signaling and control functions Signaling and control functions are used to discover and communicate trusted identity information (e.g., identifiers, attributes, claims) associated with an entity (e.g., user/subscriber, group, organization, network element, service provider) to support IdM services, functions and capabilities. a. Discovery of Identity Information In an evolving and dynamic environment, identity information and their sources are also dynamic.hence relying parties and entities would need structured means to discover the identity information which also includes IdM function services and capabilities. Discovery also involves capabilities to include multiple IdP in NGN framework as there can be multiple IdPs. In situations where there is only one IdP (e.g. enterprise), there is no need for a discovery operation. b. IDM Communications This includes capabilities and functions to discover and exchange identity information (e.g., identifiers, credentials and attributes) associated with an entity's identity that is located in different network systems (e.g., in a subscription server, location server, presence server, etc.) within an Identity provider network that could be correlated and verified (i.e., by an IdM application server providing authentication and correlation functions) in order to provide identity assurance capabilities. 11

12 c. Correlation and binding The identity information (e.g., identifiers, credential and attributes) may be correlated to establish a binding to assure the identity of an entity. For example, the identity information associated with a subscriber (e.g., UserID), a subscriber device (e.g., DeviceID), and location information may be correlated to establish a binding to provide a higher assurance of the subscriber. d. Authentication Authentication is the process of establishing confidence in the binding between an identity and the entity. One means for achieving authentication assurance is to describe the objectives and guidelines necessary to quantify the risks that an entity is who or what it claims to be. This includes establishing which entity identifiers are more important than others in the identification process and why certain identifiers used in authentication should not have the same authentication value. e. User/subscriber functions and protection of PII End users/subscribers need to be provided with applicable institutive interfaces and capabilities to control their PII and make informed decisions and consent regarding their personal data. End users/subscribers should be able to express their privacy policies and preferences and negotiate the terms of data disclosure with the Identity Service provider. 6. AUTHENTICATION METHODS 6.1 Authentication can basically be understood by following categories: a. Something User is: biometrics (finger print or finger vein) b. Something User have: token, smart card c. Something User knows :Password, PIN 6.2 Three types of combined authentication methods are considered: a. Multifactor authentication: An authentication that uses multiple credentials from two or more of the three categories of authentication factors. For e.g. i. Authentication using one time password authentication that uses a hardware device and Security token. ii. Authentication by combination of PIN and Finger vein. iii. Combination of biometric and one time password authentication b. Multi-method authentication: An authentication that uses multiple credentials from same category of authentication methods. For e.g i. Combination of one time password and passphrase authentication ii.combination of fingerprint and finger vein authentication 12

13 c. Multiple authentication: An authentication that uses same credentials multiple times from the same authentication category of authentication methods. i.double password authentication ii.fingerprint authentication using multiple fingers 6.3 SIM Based Authentication: It is type of authentication from the authentication category of Something Users have. SIM with GBA (Generic Bootstrapping Authentication) and GAA (Generic Authentication Architecture) on network side can provide robust & convenient authentication mechanism for access of services and application from mobile devices. The users equipments authenticate themselves to the operator s GAA service by existing 3G or 2G authentication protocols, and in the process receive new keys which in turn allow access to application. Its main advantage is its ability to use existing 3G authentication mechanism. Figure below illustrates the basic mechanism of SIM based authentication. Here UE refers to User Equipment which is user mobile handset. The user logs on to access any application services and application server in turns authenticate directly using SIM through its authentication server. After completion of authentication a Unique ID is granted to SIM which in turn allows user to access the application. UID-Unique Identifier 13

14 7. Identity Management Services Identity management IDM enables in development of various applications such as: a. Federated services (e.g., access to services across different service providers or Identity Providers) Federated Identity Management extends the idea of Identity Management across company boundaries. It decouples identity authentication from providing services. For example, when you drive a car in another state, the state you're driving in accepts that your home state has verified your identity and your ability to drive. When you use a credit card, the merchant accepting the card trusts that another company has verified your creditworthiness. A financial institution might want to provide seamless access for their high-value clients to financial market information provided by a third-party research firm. b. Business applications Single sign-on and sign-off (e.g., access to multiple applications and services without having to individually authenticate each application or service platform).for e.g. A government agency wanted its citizens to have a single login to all of the Government services on the Internet and to be able to access services across the various Departments seamlessly. This single login improves a convenient experience for users, motivates them to use online transactions, and reduces the operational costs to transact within department branches. c. Identity-based services i. Identifier, credential and attribute services ii. bridging services (mapping and interworking of identity information in a heterogeneous Environment) iii. Pattern information services d. Security applications i. Access control for network and application services (e.g., VoIP, IPTV and data) ii. Role-based access control to information, resources and assets iii. Authorization and privilege management iv. Security protection services (e.g., security features to protect network infrastructure resources and users/subscribers identity information and assets) v. Protection of personally identifiable information (PII) 14

15 8. USE CASES a. Mobile Banking Customers Identity Authentication: Mobile banking has emerged as a significant financial services channel. Mobile banking and other financial services enable customers to pay bills on the fly, check and transfer balances and even trade stocks. The proliferation of new payments products - such as mobile applications, especially at the front end of the transactions, where initial access is gained - generates ongoing concern around data security, identify theft, fraud and other risk-related issues among consumers, businesses, regulators and payments professionals. Authentication server User Process Flow: Mobile Banking customer Identity authentication i. Mobile User logs on banking site via mobile device browser. ii. Based on pre arrangement, user is directed to authentication site as per financial institution agreement from identity service provider. iii. As per mechanism of IdSP (Identity Service provider), (e.g. VeriSign) credentials, necessary for authentication are provided to user. iv. IdSP validates the mobile client credentials (User credential and device credential (mobile phone number, one time password and other attributes). v. The mobile client is then authenticated and passed forward to banking system to allow access to the system to conduct financial transaction Categories covered: 15

16 Primary Authentication Federated Identity Management Single Sign on and off b. User delegation to access of personal data in public cloud i. Alice has subscribed to her own cloud storage provider and has created various files there containing personal data, one of which is her résumé or curriculum vitae (CV) file. Alice wishes to let B her friend read her CV file so she needs to delegate read access to him. Bob is not a subscriber to this particular cloud provider, and has no wish to register for yet another set of credentials for accessing yet another service. However Bob does have an account with an Identity Provider that is part of the same federation as the cloud provider, and is trusted by the cloud provider to correctly authenticate Bob. ii. Alice tells the cloud provider she wishes to delegate read access to a friend for a certain period of time, and the cloud provider returns a secret URL to her, which it has obtained from the delegation service. iii.alice gives this secret URL to her friend Bob. Bob clicks on the secret URL which connects him to the delegation service, where he is asked to authenticate via his existing IdP. Bob authenticates and the delegation service delegates him access to the CV file (for as long as Alice has determined). Bob can now contact the cloud provider at any time throughout this period. When he does, he is asked to authenticate, which he does via his existing IDP, and he is then granted read access to Alice CV. Once the delegation has expired he will no longer be granted access. The secret URL can be one-time use or multiple-use. In the later case Alice can give the secret URL to a group of people who will each be granted read access to her CV. 9. Identity Management in INDIA a. UIDAI: The UIDAI has been created with the mandate of providing unique identification number to all residents of India and defining usages and applicability of Aadhaar for delivery of various services. It also provides online authentication using demographic and biometric data. AADHAR Authentication offerings: i. Type 1 Authentication: Through this offering, service delivery agencies can use Aadhaar Authentication system for matching Aadhaar number and the demographic attributes (name, address, date of birth, etc) of a resident. ii. Type 2 Authentication: This offering allows service delivery agencies to authenticate residents through One-Time-Password (OTP) delivered to resident's 16

17 mobile number and/or address present in CIDR(Classless Inter Domain Routing) iii. Type 3 Authentication : Through this offering, service delivery agencies can authenticate residents using one of the biometric modalities, either iris or fingerprint iv. Type 4 Authentication: This is two factor authentication offering with OTP as one factor and fingerprint / iris (either iris or fingerprint) as second factor of authentication. v. Type 5 Authentication: This offering allows service delivery agencies to use OTP, fingerprint & iris together for authenticating residents Service delivery agencies should select the appropriate authentication type based on their business requirements and service delivery risks. c. E- Pramaan Project : It has been developed by department of Electronics and Information Technology to meet the increasing need of e- Authentication of users accessing online services through web/mobile. It provides a simple, convenient and secure way for the users to access government services via internet/mobile. Major components include: i. Identity Management (including credential registration) ii. E-Authentication iii. Single Sign on iv. Aadhaar based credential verification AUTHETICATION LEVELS: Four levels of authentication are being used: i. Level 0: No authentication for publicly available information ii. Level 1: User name and password based service. This is meant for low sensitivity service. iii. Level 2: Two factor authentication (User ID, password and OTP).Meant for PII for moderate level of security iv. Level 3: User ID and password and Digital certificate (hard/soft). Meant for high level of security services v. Level 4: User ID and password plus biometric authentication. Meant for highest level of security services 17

18 Central Government and State Government services will register with various service delivery gateways and will call epraman services for authentication before actual service will be invoked. 10. IDM related work in ITU Identity Management work in ITU-T is concentrated in two Study Groups: SG 17, which has been designated the Lead Study Group on Identity Management, and SG13, where some IdM work related to NGN networks has been completed. 18

19 11. CONCLUSION & Recommendations: Identity management In present scenarios of multiple identities and maze of passwords, end users and operators are facing problems of identity theft and management of various identities. Now people have to carry multiple cards, each with different set of information as every identity proof carry multiple information like in the case of PAN card, Aadhaar card,passport etc. Identity management allows operators to become a trusted provider in the world in which boundaries between web and network are increasingly blurred. It can provide efficient solution for management of multiple identities, for e.g. using single sign on off capability, federation services, strong authentication service etc. Hence there is need to create a managed solution of developing an entity which can carry all information, accessible through single mode in a complete and secure environment. Since SIM based identity management solutions are being standardized, TSP (Telecom Service provider) can play a important role in this regard. Government can serve as convener, facilitator and catalyst to develop a standard set of frameworks and operating rules at technical and policy level. DOT can also work with Deity for developing an efficient solution for delivering identity based government services on which authentication related activities can be dealt by DOT through TSP s for providing SIM based services and authentication mechanisms. Third party model with Multi factor authentication can be used to develop a combine set of solution for Identity Management in relation to Government of India. SIM based mechanism can be a suggested solution for DOT and multi factor authentication can also be integrated with SIM based authentication (login ID and password, fingerprint etc.) Considering above the recommendation is as below: Since SIM based authentication requires less user involvement, policy needs to be developed considering IdM which in turn will provide advantage to both TSP and end users. This will enhance the relevance of the TSP s in providing Application based web services as in addition to being a simply a bandwidth provider, they will also play a major role in user authentication. 19

20 Glossary IDM- Identity Management IDP-Identity Provider IDSP-Identity Service Provider SG-Study Group VOIP-Voice over Internet Protocol PII-Personal Identifiable Information NGN-Next Generation Network SP-Service Provider CIDR-Classless Inter Domain Routing 20

21 REFERENCES [1] ITU-T X.1252 Baseline identity management terms and definitions [2] ITU-T Y.2720 NGN Identity Management framework [3] ITU-T Y.2722 NGN Identity Management mechanisms [4] ITU-T Y.2721 Identity Management requirements and use cases [5] ITU-T X.1250 Series Supplement on overview of identity Management in the context of Cyber Security. [6] Nokia Siemens networks cem identity management white paper final [7] IDCloud-usecases-v1.0-cn01 [8] epramaan.gov.in/aboutep.jsp [9] [10] JP2005-AusCERTJP2005-AusCERT 21