Approaches to Digital Identities in NGN
Identity Convergence for NGN platform and business
Joao Girao, Hidehito Gomi, Amardeo Sarma, [email protected], NEC


Page 1: Approaches to Digital Identities in NGN Identity

Approaches to Digital Identities in NGN

Identity Convergence for NGN platform and business

Joao Girao, Hidehito Gomi, Amardeo Sarma, [email protected]

NEC

Page 2: Approaches to Digital Identities in NGN Identity

14 February 2007 © NEC Corporation 2007 - Approaches to Digital Identities in NGN 2

Digital Identities for NGN – Background
• Digital Identities have made significant progress in the last years
  - focus has been on the web
• However, identities in general are still very fragmented
  - Mobile phones use SIM cards
  - No solutions across layers, especially missing: the network
  - There exist a large number of name spaces: telephone numbers, email addresses, IP addresses, ...
• Major issues are:
  - A common view across layers is lacking
  - Still too many inconsistent frameworks
  - The network has so far not played a major role
  - Security and privacy across applications and layers
  - Still too much coping with the password mess

Page 3: Approaches to Digital Identities in NGN Identity


Digital Identities – Growing Interest & Concern

• Besides Liberty Alliance, many SDOs and Fora now also address identities
  - Examples: ITU-T, ETSI, OMA, 3GPP, IETF, IP Sphere ...
• Many new initiatives emerging
  - OpenID, MS CardSpace, Higgins, Focus Group at ITU-T, ...
• Next round of EU projects in the 7th Framework address identity management linked to privacy in ICT 2007.1.4
• Increasing media attention, also on privacy concerns, some even seeing digital identities as a threat
• New questions on dealing with digital and virtual identities, e.g. in connection with youth protection

Page 4: Approaches to Digital Identities in NGN Identity


Questions to be answered
• How can identity be developed towards a consistent and persistent element of our digital and even virtual lives?
• How do we satisfy conflicting requirements of privacy, identification and security?
• How do we bring digital identities into Next Generation Networks?

Page 5: Approaches to Digital Identities in NGN Identity


Today: Identity Fragmentation
Current identity info of a user is distributed & duplicated among different platforms, resulting in
• Multiple sign-on procedures for a wide range of services
• Inability to make good use of user related data (trail, presence, geo-location) across different platforms
• Difficulty for users to provide, retrieve and update all privacy info managed at each platform separately

Figure: identity fragmentation today. The user's identity is held separately by the Home Operator's NGN Platform, the ISP Platform, 3rd Party Platforms, Content Providers, the Enterprise Platform and the Partner Operator's Platform, each with its own data (presence data, credit history, buying history); identity is missing between them.

Page 6: Approaches to Digital Identities in NGN Identity


Tomorrow: Identity Convergence
In order to solve identity fragmentation,
• Make a bridge between platforms
  - introduction of multi-personas per user
  - optimum deployment & life cycle management of them
• Filter flow of identity info across the bridge
  - minimization of identity info disclosure from user's viewpoint
  - making identity info obscure from operator's viewpoint

Figure: identity convergence. Identity Creation at the Home Operator's NGN Platform, Identity Federation with the ISP Platform and 3rd Party Platforms, and Identity Exchange with Content Providers, the Enterprise Platform and the Partner Operator's Platform, with the user's persona bridging the platforms.

Page 7: Approaches to Digital Identities in NGN Identity

NEC R&D

Partner in the Daidalos Project

Page 8: Approaches to Digital Identities in NGN Identity


Digital Identities for NGN – Daidalos (R&D)
• Growing numbers of communication services burden users with increasingly complex authentication effort
• Users want a limited number of operators enabling universal access to everything – ideally "single sign-on"
• Identity solutions need to support multiple (virtual) identities for several profiles, roles and contexts, the maintenance of these identities, respecting privacy, and all available services, networks, content, ... wherever the user may be.
• The trusted operator becomes a proxy for billing, which is a business in itself.
• Improved security through VIDs acting as pseudonyms
  - the service provider delivers without knowing the user.
  - the trusted operator (e.g. operator or bank) knows the user but not the service.

Figure: John Doe uses the service; the Operator and the Service Provider are the two parties he deals with.

Page 9: Approaches to Digital Identities in NGN Identity


Daidalos “Virtual Identity” Concept

Technical Challenges
• Privacy
• Unified and Uniform Namespaces
• Access Control
• Billing and Charging
• Lawful Interception

Figure: layers of identity in the Daidalos "Virtual Identity" concept. The physical person has a Physical Identity (attributes: DNA, fingerprint); above it sit a Personal (Experiential) Identity (attributes: mood, location, behaviour) and Relational ("Issued") Identities such as a Work Identity (employee ID), Driver's License, Customer Identity (credit card number) and User Identity (userid, password, email address), which stand for contract-alike relationships; the Virtual IDs on top provide service end point identification and are linked to the layers below through privacy and/or federation.

Objectives
• Link real and digital worlds
• User's data should be under his control
• Service providers' use of federation to enhance user experience

Page 10: Approaches to Digital Identities in NGN Identity


Daidalos: Cross layer design
• Uniform namespaces (one ID for all purposes)
  - For network identification
  - To obtain information about a user/service/group
  - Under which to authenticate to the network and to the services
• To maintain pseudonymity at a higher level, a top-down protocol design is required
  - ID must be independent of the application, service, interface and even terminal

Page 11: Approaches to Digital Identities in NGN Identity


Daidalos: Mobility Support

Page 12: Approaches to Digital Identities in NGN Identity


Federation models in Daidalos

Page 13: Approaches to Digital Identities in NGN Identity

NEC and Identity Management

Framework and Products

Page 14: Approaches to Digital Identities in NGN Identity


NEC: IdM Framework for NGN
• Home operator publishes interfaces for service/network access with SPs and partner operators.
• SPs (3rd party providers, enterprises, & ISPs) provide IT/network services to users.
• Operators provide network services in a cooperative manner.

Figure: the Home Operator acting as IdP (Identity Provider) receives registration/authentication requests from Users and delegation requests for identity related services such as charging/billing; it publishes, issues and verifies certificates (AuthN, attributes) with the SPs (Service Providers: 3rd party provider, ISP, enterprise) and with Partner Operators, which grant service/network access and provide network services.

Page 15: Approaches to Digital Identities in NGN Identity


NEC Technology: Group Signature
Authentication mechanism that allows a verifier to verify the attribute of a user without identifying the user.

Figure: current scheme versus the new group-signature scheme. Current: the user presents ID and password to the Visited Operator, which checks them with the Home Operator over an always-on connection for active verification; the Home Operator does the accounting, and the ID and password are learned along the way. New: the user presents a group signature with an encrypted ID and authentication data (ZKIP); the Visited Operator only verifies membership of the ISP and keeps an ID usage log that is transferred offline for accounting, so the Home Operator can be off-line and the verifier does not learn the user's ID (ID ?).

Page 16: Approaches to Digital Identities in NGN Identity


NEC Technology: Context Obfuscation

Context Obfuscation Technology
• supports privacy of context information based on user preferences
• handles context exchange within and across domains uniformly

Context Obfuscation Challenges
• Context requires a structure that translates naturally to a blurring mechanism
• Semantics for context blurring need to be defined
• Adequate context distortion filters are required
• User interface must be simple and support decisions in a dynamic environment
• User must trust obfuscation behaviour

Figure: context exchange between Ctx Providers in Domain A, Domain B and Domain C under Policy Management, with blurring of the Ctx information at each exchange: the social context "Friends near by" is (Ann, Bob, Fred, Julie) in Domain A, (4 Friends) in Domain B and (Some Friends close by) in Domain C.
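Added example (not code from the NEC deck): a small Python model of the blurring in the figure. The distortion filter for the "friends nearby" context has the three levels shown on the slide plus a "disclose nothing" level, the user's per-domain preference selects the level, and context forwarded across several domains is assumed to end up at the coarsest level on the path; the domain names, the policy and the friend list are constructed.

```python
from enum import IntEnum

# Added example (not NEC's code): policy-driven blurring of the "friends
# nearby" social context from the slide, with the three disclosure levels
# shown there (names -> count -> vague statement) plus a "nothing" level.
# Domain names, the user's policy and the friend list are constructed.

class BlurLevel(IntEnum):
    EXACT = 0  # the friends' names
    COUNT = 1  # only how many friends are nearby
    VAGUE = 2  # only that some friends are close by
    NONE = 3   # attribute not disclosed at all

def blur_friends_nearby(friends, level):
    """Distortion filter for one context attribute at the given level."""
    if level == BlurLevel.EXACT:
        return {"friends_nearby": sorted(friends)}
    if level == BlurLevel.COUNT:
        return {"friends_nearby": len(friends)}
    if level == BlurLevel.VAGUE:
        return {"friends_nearby": "some friends close by" if friends else "nobody close by"}
    return {}

# User preference (constructed): the home domain sees names, a partner
# domain the count, every other domain only the vague statement.
USER_POLICY = {"domain-a": BlurLevel.EXACT, "domain-b": BlurLevel.COUNT}
DEFAULT_LEVEL = BlurLevel.VAGUE

def export_context(friends, requesting_domain, policy=USER_POLICY, default=DEFAULT_LEVEL):
    """Blur before the context leaves the provider, so the requesting domain
    never receives a more precise value than the user's policy allows."""
    return blur_friends_nearby(friends, policy.get(requesting_domain, default))

def export_along_path(friends, domains, policy=USER_POLICY, default=DEFAULT_LEVEL):
    """Context exchanged across several domains (A -> B -> C on the slide).
    Assumption: each hop may only blur further, so the result is the coarsest
    level on the path, not the level of the last domain alone."""
    level = max((policy.get(d, default) for d in domains), default=default)
    return blur_friends_nearby(friends, level)
```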

Page 17: Approaches to Digital Identities in NGN Identity


Privacy Policy Negotiation Framework
• Privacy policy confirmation for attributes exchange
• Disclose the minimum set of attributes allowed by a user and providers
• Make a mutual agreement
  - What kinds of attributes to be exchanged
  - How to manage attributes

Figure: negotiation between an Attribute Sender and an Attribute Receiver. The User registers policies and attributes. (A) The usage policy is sent; (B) the receiver compares it with its own policy (R_Policy, Receiver Policy); (C) the result of the comparison is returned; (D) the sender verifies the result against its own policy (R_Policy, Sender Policy); (E) attributes are requested; (F) the attributes are sent.
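Added example (not NEC's framework code): a Python sketch of the policy comparison, result verification and attribute release from the figure, where the agreed set is the minimum both sides allow and the sender re-checks the agreement before releasing anything. The policy format, attribute names, purposes and retention values are constructed, and the mapping onto steps (B), (D) and (F) is an assumption.

```python
from dataclasses import dataclass

# Added example (not NEC's code): negotiation of the minimum attribute set
# between an attribute sender and receiver, as sketched on the slide.
# Policy format, names and purposes are constructed; the mapping onto the
# slide's steps (B), (D) and (F) is an assumption.

@dataclass(frozen=True)
class Rule:
    purposes: frozenset      # purposes the attribute may be used for
    max_retention_days: int  # how long the receiver may keep it

# Sender-side policy and attributes the user registered (constructed).
SENDER_POLICY = {
    "email": Rule(frozenset({"contact", "billing"}), 365),
    "location": Rule(frozenset({"service"}), 1),
    "credit_card": Rule(frozenset({"billing"}), 0),
}
ATTRIBUTES = {"email": "user@example.org", "location": "Berlin",
              "credit_card": "0000-0000-0000-0000", "birthdate": "1990-01-01"}

def compare_policies(receiver_policy, sender_policy):
    """Step (B): accept a requested attribute only if the sender permits every
    requested purpose and at least the requested retention."""
    agreed, rejected = {}, {}
    for name, want in receiver_policy.items():
        have = sender_policy.get(name)
        if have is None:
            rejected[name] = "not disclosable"
        elif not want.purposes <= have.purposes:
            rejected[name] = "purpose not allowed: " + ",".join(sorted(want.purposes - have.purposes))
        elif want.max_retention_days > have.max_retention_days:
            rejected[name] = "retention too long"
        else:
            agreed[name] = want
    return agreed, rejected

def verify_result(agreed, sender_policy):
    """Step (D): the sender re-checks the returned agreement against its own
    policy, so a tampered or stale result cannot widen disclosure."""
    ok, _ = compare_policies(agreed, sender_policy)
    return ok == agreed

def release_attributes(agreed, attributes, sender_policy):
    """Step (F): hand over exactly the agreed attributes, nothing more."""
    if not verify_result(agreed, sender_policy):
        raise ValueError("agreement violates sender policy")
    return {name: attributes[name] for name in agreed if name in attributes}
```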

Page 18: Approaches to Digital Identities in NGN Identity


NEC's Mobile AAA Suite
Service & Functions
• Single Sign-on: make authenticated services easier to use by reducing authentication requests
• Identity Federation: enable sharing of data and authentication through building trust relationships between service providers
• Identity Service: make complex services more attractive by enabling them to anticipate customer preference and need
• Agent Charging: use the operator's charging asset on behalf of content providers

Page 19: Approaches to Digital Identities in NGN Identity


NEC's Mobile AAA Suite
Single Sign-on

Figure: single sign-on demo. Ellie logs in to Airline Inc. (Login: Ely1234, Password: ****, Accept) and is greeted "Welcome Ellie. Your sign-on has completed. Select a service of your choice." with the services Book a flight, Book a car, Book a room, Reserve a table, See railway timetable; the restaurant reservation service ("Find a nearby restaurant from categories below": Seafood (16), Pizza (11), Steak (5), Japanese (2), French (6)) is then used with Single Sign-on, and she chooses her favorite restaurant from the categories.

Page 20: Approaches to Digital Identities in NGN Identity


NEC‘s Mobile AAA Suite

Identity Federation

Figure: identity federation demo. Ellie logs in to Airline Inc. (Login: Ely1234, Password: ****, Accept) and sees the menu 1. Booking on the day, 2. Seat availability, 3. Campaign information, 4. Mileage club, 5. Link to other services ("Double-mile campaign in this summer"). Via LINK she links her accounts at Car Rental Inc., Hotel Reservation Inc., Restaurant Inc. and Train Guide by entering her ID and password at each (Ely0101, Ely0101, Ely05698, Ely0101) and clicking Accept ("Please put your ID & P/W, and click 'Accept' to complete your account links."). Afterwards Airline Inc. greets her with "Welcome back Ellie. Your sign-on has completed. Select a service of your choice." and offers Book a flight, Book a car, Book a room, Reserve a table, See railway timetable.

Page 21: Approaches to Digital Identities in NGN Identity


ID Federation Requirements by Mobile Operators
• Mobile terminals have limitations:
  - "Cookies" and SSL are not always supported,
  - Communication bandwidth and stability are limited.
• Mobile terminals need to access the Service / Identity Provider via a proxy.
• However, mobile terminals are always authenticated by the mobile network when they access the network.
• The proxy should have access to the authentication status and to session information.
• The proxy and IdP are usually located in the same security domain to be able to share information.

Page 22: Approaches to Digital Identities in NGN Identity


NEC's Proxy with SAML 2.0 Enhanced Proxy

Figure: Identity Management System for Mobile Operator. In the Mobile Network (TME's domain) the Principal reaches the IdP and Proxy (EP) via the WAP-gateway; the IdP, EP and SP on the Service Platform are the Liberty related entities, the IdP/Proxy is the system offered by NEC, and Other Systems connect to it. SP: Service Provider; IdP: Identity Provider; EP: Enhanced Proxy.

Page 23: Approaches to Digital Identities in NGN Identity


Summary of Proxy Features
• Authentication information maintained by the mobile network is used for Liberty's SSO
• Proxy offers SSL for terminals without SSL
• Mobile clients are authenticated by the mobile network when they access the network
• The proxy and IdP are usually located in the same security domain.
• Proxy offers session information to the Identity Provider

Page 24: Approaches to Digital Identities in NGN Identity


Conclusions
• Digital Identities are becoming more important beyond the Web: in mobile business, especially NGN
• NEC has strong experience in digital identities
  - Delivering core technology products of the identity business: NEC's enhanced proxy (LEP) for mobile operators / IdPs; NEC's Mobile AAA suite
  - Digital (virtual) identities in EU research projects, e.g. Daidalos
  - Standards contributions, e.g. Liberty Alliance and ITU-T
• World-wide presence for promotion: ITU-T Conference in Hong Kong, Dec. 2006; ITU-T Digital Identity for NGN Workshop, Dec. 2006; 3GSM Conference in Barcelona, Feb. 2007

NEC is your partner in the digital identity business

Page 25: Approaches to Digital Identities in NGN Identity

Approaches to Digital Identities in NGN

Identity Convergence for NGN platform and business

Joao Girao, Hidehito Gomi, Amardeo Sarma, [email protected]

NEC