Approaches to Digital Identities in NGN
Identity Convergence for NGN platform and business
Joao Girao, Hidehito Gomi, Amardeo [email protected]
NEC
14 February 2007 © NEC Corporation 2007 - Approaches to Digital Identities in NGN 2
Digital Identities for NGN – Background
• Digital Identities have made significant progress in the last years; the focus has been on the web
• However, identities in general are still very fragmented
• Mobile phones use SIM cards
• No solutions across layers, especially missing: the network
• There exist a large number of name spaces: telephone numbers, email addresses, IP addresses, ...
Major issues are:
• A common view across layers is lacking
• Still too many inconsistent frameworks
• The network has so far not played a major role
• Security and privacy across applications and layers
• Still too much coping with the password mess
Digital Identities – Growing Interest & Concern
• Besides Liberty Alliance, many SDOs and Fora now also address identities
  Examples: ITU-T, ETSI, OMA, 3GPP, IETF, IP Sphere ...
• Many new initiatives emerging: OpenID, MS CardSpace, Higgins, Focus Group at ITU-T, ...
• Next round of EU projects in the 7th Framework address identity management linked to privacy (ICT 2007.1.4)
• Increasing media attention, also on privacy concerns, some even seeing digital identities as a threat
• New questions on dealing with digital and virtual identities, e.g. in connection with youth protection
Questions to be answered
• How can identity be developed towards a consistent and persistent element of our digital and even virtual lives?
• How do we satisfy the conflicting requirements of privacy, identification and security?
• How do we bring digital identities into Next Generation Networks?
Today: Identity Fragmentation
Current identity info of a user is distributed & duplicated among different platforms, resulting in
• Multiple sign-on procedures for a wide range of services
• Inability to make good use of user related data (trail, presence, geo-location) across different platforms
• Difficulty for users to provide, retrieve and update all privacy info managed at each platform separately
[Figure: the user's identity is held separately by the Home Operator's NGN Platform, ISP Platform, 3rd Party Platforms, Content Providers, Enterprise Platform and Partner Operator's Platform; presence data, credit history and buying history sit in different silos, and identity is missing where the platforms meet]
Tomorrow: Identity Convergence
In order to solve identity fragmentation,
• Make a bridge between platforms
  – introduction of multi-personas per user
  – optimum deployment & life cycle management of them
• Filter the flow of identity info across the bridge
  – minimization of identity info disclosure from the user's viewpoint
  – making identity info obscure from the operator's viewpoint
[Figure: the same platforms as before (Home Operator's NGN Platform, ISP Platform, 3rd Party Platforms, Content Providers, Enterprise Platform, Partner Operator's Platform) are now linked by Identity Creation, Identity Federation and Identity Exchange, with the user's persona, rather than the raw identity, crossing the bridge]
NEC R&D
Partner in the Daidalos Project
Digital Identities for NGN – Daidalos (R&D)
• Growing numbers of communication services burden users with increasingly complex authentication effort
• Users want a limited number of operators enabling universal access to everything – ideally "single sign-on"
• Identity solutions need to support multiple (virtual) identities for several profiles, roles and contexts, the maintenance of these identities, respecting privacy, and all available services, networks, content, ... wherever the user may be.
• The trusted operator becomes a proxy for billing, which is a business in itself.
• Improved security through VIDs acting as pseudonyms:
  – the service provider delivers without knowing the user.
  – the trusted operator (e.g. operator or bank) knows the user but not the service.
[Figure: John Doe – Operator – Service Provider; John Doe uses the service through the operator]
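The operator/service-provider split described on this slide, as an added Python example (not code from the Daidalos project or from NEC's products): the trusted operator mints VIDs that act as pseudonyms, the service provider delivers and records usage against a VID only, and at settlement the operator maps VIDs back to the real user for billing. The class names, the two services John Doe uses, the in-memory VID registry and the random 128-bit VID format are assumptions made for the illustration; how a service provider checks that a VID was really issued by the operator (the group-signature slide later in this deck addresses that) is left out here.

```python
import secrets
from collections import defaultdict


class TrustedOperator:
    """Issues virtual identities (VIDs) as pseudonyms and acts as billing proxy.

    The operator knows which real user is behind each VID. The issue request
    carries no service name, so the operator does not learn where a VID is used
    until the service provider submits charging records at settlement.
    """

    def __init__(self):
        self._vid_to_user = {}            # assumption: in-memory VID registry
        self._ledger = defaultdict(int)   # charges accumulated per real user

    def issue_vid(self, user):
        # A fresh random 128-bit pseudonym per request: two VIDs of the same
        # user share nothing a service provider could use to link them.
        vid = secrets.token_hex(16)
        self._vid_to_user[vid] = user
        return vid

    def settle(self, records):
        """Resolve (vid, amount) charging records to real users.

        Returns the VIDs that were rejected because the operator never issued them.
        """
        rejected = []
        for vid, amount in records:
            user = self._vid_to_user.get(vid)
            if user is None:
                rejected.append(vid)
                continue
            self._ledger[user] += amount
        return rejected

    def balance(self, user):
        return self._ledger[user]


class ServiceProvider:
    """Delivers a service against a VID and never sees the real user."""

    def __init__(self, price):
        self._price = price
        self._usage = []  # (vid, amount) records handed to the operator later

    def serve(self, vid):
        self._usage.append((vid, self._price))
        return vid  # the only identity the service provider ever holds

    def charging_records(self):
        return list(self._usage)


def run_demo():
    """Constructed scenario: John Doe uses two services under two different VIDs."""
    operator = TrustedOperator()
    airline, restaurant = ServiceProvider(price=300), ServiceProvider(price=40)

    vid_a = operator.issue_vid("John Doe")
    vid_b = operator.issue_vid("John Doe")
    airline.serve(vid_a)
    restaurant.serve(vid_b)
    restaurant.serve(vid_b)

    # Settlement: providers hand over charging records that reference only VIDs;
    # a record carrying a VID the operator never issued is rejected.
    forged = secrets.token_hex(16)
    rejected = operator.settle(airline.charging_records()
                               + restaurant.charging_records()
                               + [(forged, 999)])
    return {
        "vids_differ": vid_a != vid_b,
        "balance": operator.balance("John Doe"),
        "rejected": rejected,
        "forged": forged,
    }


if __name__ == "__main__":
    print(run_demo())
```

Because VIDs are random tokens rather than derived from the user name, two VIDs of one user are unlinkable by a service provider, and the operator only learns at which provider a VID was used once that provider's charging records arrive.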
Daidalos "Virtual Identity" Concept
Technical Challenges: Privacy; Unified and Uniform Namespaces; Access Control; Billing and Charging; Lawful Interception
[Figure: the physical person, with a Physical Identity (attributes: DNA, fingerprint), stands behind several Relational ("issued") Identities – Work Identity (employee Id), Driver's License, Customer Identity (C.C. number), User Identity (userid, password, email address) – and a Personal (experiential) Identity (attributes: mood, location, behaviour). These are tied to the person by contract-alike relationships and to each other by federation. Through privacy and/or federation, each maps onto one or more VirtualIds, and the VirtualIds are what service end points identify.]
Objectives
• Link real and digital worlds
• User's data should be under his control
• Service providers use federation to enhance user experience
Daidalos: Cross layer design
• Uniform namespaces (one ID for all purposes)
  – For network identification
  – To obtain information about a user/service/group
  – Under which to authenticate to the network and to the services
• To maintain pseudonymity at a higher level, a top-down protocol design is required
  – The ID must be independent of the application, service, interface and even terminal
Daidalos: Mobility Support
Federation models in Daidalos
NEC and Identity Management
Framework and Products
NEC: IdM Framework for NGN
• The home operator publishes interfaces for service/network access with SPs and partner operators.
• SPs (3rd party providers, enterprises, & ISPs) provide IT/network services to users.
• Operators provide network services in a cooperative manner.
[Figure: the Home Operator acts as IdP (Identity Provider). Users: Registration/AuthN Req., Service/network access. SPs (Service Providers: 3rd Party Provider, ISP, Enterprise): Publication of Certificates, Issuance of Certificates, (AuthN, Attributes) Verification, Delegation Req. of identity related services, Identity Related Services such as Charging/billing. Partner Operators: Network services.]
NEC Technology: Group Signature
Authentication mechanism that allows a verifier to verify the attribute of a user without identifying the user.
[Figure, "Current": the user sends ID and password to the Visited Operator, which relays ID and password to the Home Operator; an always-on connection is needed for active verification, accounting is done at the Home Operator, and the Visited Operator learns the ID and password.
"New": the user presents a group signature together with authentication data (ZKIP, a zero-knowledge interactive proof) and an encrypted ID; the Visited Operator verifies membership of the ISP but cannot see the ID ("ID ?"), keeps a usage log and can be off-line; the log with the encrypted ID is transferred offline to the Home Operator for accounting.]
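The slide states the property (verify membership of the ISP without identifying the member) but not the construction. As an added example that is neither NEC's scheme nor code from the page, the following pure-Python code implements an Abe-Ohkubo-Suzuki style Schnorr ring signature over secp256k1: the verifier (the visited operator) learns that the signer holds one of the listed ISP member keys, but not which one. A ring signature is a stand-in here: a real group signature additionally lets the group manager (the home operator) open a signature to identify the member for accounting, which is what the slide's encrypted ID is for, and that opening is not implemented. The curve parameters are the public secp256k1 constants; the ring of three member keys and the message are constructed for the demo, and the scalar multiplication is not constant-time.

```python
import hashlib
import secrets

# secp256k1 domain parameters (public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    acc, addend = None, pt
    k %= N
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def _challenge(message, ring, point):
    """Hash of the message, the whole ring of member public keys and one commitment point."""
    h = hashlib.sha256(message)
    for x, y in ring + [point]:
        h.update(x.to_bytes(32, "big") + y.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % N


def ring_sign(message, ring, signer_index, signer_priv):
    """Schnorr ring signature: proves knowledge of one of the ring's private keys."""
    n = len(ring)
    c, r = [0] * n, [0] * n
    alpha = secrets.randbelow(N - 1) + 1
    c[(signer_index + 1) % n] = _challenge(message, ring, ec_mul(alpha, G))
    i = (signer_index + 1) % n
    while i != signer_index:
        # Every non-signer slot gets a random response; its challenge is simulated.
        r[i] = secrets.randbelow(N - 1) + 1
        commit = ec_add(ec_mul(r[i], G), ec_mul(c[i], ring[i]))
        c[(i + 1) % n] = _challenge(message, ring, commit)
        i = (i + 1) % n
    # Close the ring at the signer's slot; only the private key makes this possible.
    r[signer_index] = (alpha - signer_priv * c[signer_index]) % N
    return c[0], r


def ring_verify(message, ring, signature):
    """Checks that the ring closes; says nothing about which member signed."""
    c0, r = signature
    c = c0
    for i, pub in enumerate(ring):
        commit = ec_add(ec_mul(r[i], G), ec_mul(c, pub))
        c = _challenge(message, ring, commit)
    return c == c0


def demo(ring_size=3):
    """Constructed ISP 'group' of ring_size members; member 1 signs an access request."""
    privs = [secrets.randbelow(N - 1) + 1 for _ in range(ring_size)]
    ring = [ec_mul(k, G) for k in privs]
    msg = b"network access request at visited operator"
    sig = ring_sign(msg, ring, 1, privs[1])
    outsider = ec_mul(secrets.randbelow(N - 1) + 1, G)
    return {
        "verifies": ring_verify(msg, ring, sig),
        "other_message_fails": not ring_verify(b"different request", ring, sig),
        "non_member_ring_fails": not ring_verify(msg, ring[:1] + [outsider] + ring[2:], sig),
    }


if __name__ == "__main__":
    print(demo())
```

The visited operator needs only the ISP's list of member public keys to run `ring_verify`, which matches the "can be off-line" point of the slide; what it cannot do with a plain ring signature is attribute usage to a member later, which is why the slide pairs the signature with an encrypted ID that only the home operator can open.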
NEC Technology: Context Obfuscation
Context Obfuscation Technology
• supports privacy of context information based on user preferences
• handles context exchange within and across domains uniformly
Context Obfuscation Challenges
• Context requires a structure that translates naturally to a blurring mechanism
• Semantics for context blurring need to be defined
• Adequate context distortion filters are required
• The user interface must be simple and support decisions in a dynamic environment
• The user must trust the obfuscation behaviour
[Figure: Ctx Providers exchange context across Domain A, Domain B and Domain C under Policy Management; the social context "Friends near by" is blurred at each hop: (Ann, Bob, Fred, Julie) in Domain A, (4 Friends) in Domain B, (Some Friends close by) in Domain C]
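The blurring in the figure, as an added Python example (not NEC's Context Obfuscation implementation): a distortion filter with ordered levels for the "friends near by" context, a per-domain policy that selects the level, and a context provider that applies the policy uniformly to requests from any domain. Only the three friends-nearby levels come from the slide; the policy layout, the domain names, the fail-closed default for unknown domains and the added location filter (rounding coordinates) are assumptions made for the illustration.

```python
# Blurring levels for the "friends near by" social context shown in the figure:
#   0 -> exact list, 1 -> count only, 2 -> qualitative statement
def blur_friends(friends, level):
    if level == 0:
        return list(friends)
    if level == 1:
        return len(friends)
    if level == 2:
        return "some friends close by" if friends else "no friends close by"
    raise ValueError(f"unknown blurring level {level}")


# Added generalisation (assumption, not from the slide): the same idea for a
# geo-location, where blurring means rounding the coordinates.
#   0 -> exact, 1 -> ~1 km (2 decimals), 2 -> ~100 km (0 decimals), 3 -> withheld
LOCATION_DECIMALS = {1: 2, 2: 0}


def blur_location(latlon, level):
    if level == 0:
        return tuple(latlon)
    if level in LOCATION_DECIMALS:
        return tuple(round(c, LOCATION_DECIMALS[level]) for c in latlon)
    if level == 3:
        return None
    raise ValueError(f"unknown blurring level {level}")


FILTERS = {"friends_nearby": blur_friends, "location": blur_location}
MOST_BLURRED = {"friends_nearby": 2, "location": 3}


class ObfuscationPolicy:
    """User preferences: which blurring level each requesting domain gets.

    Unknown domains or context types fall back to the most blurred level,
    so a misconfiguration fails closed instead of leaking the exact value.
    """

    def __init__(self, rules):
        self._rules = rules  # {domain: {ctx_type: level}}

    def level_for(self, domain, ctx_type):
        return self._rules.get(domain, {}).get(ctx_type, MOST_BLURRED[ctx_type])


class ContextProvider:
    """Applies the policy the same way for same-domain and cross-domain requests."""

    def __init__(self, policy):
        self._policy = policy

    def exchange(self, ctx_type, raw_value, requesting_domain):
        level = self._policy.level_for(requesting_domain, ctx_type)
        return FILTERS[ctx_type](raw_value, level)


def demo():
    """Constructed scenario mirroring the figure; domain names and values are illustrative."""
    policy = ObfuscationPolicy({
        "Domain A": {"friends_nearby": 0, "location": 0},
        "Domain B": {"friends_nearby": 1, "location": 1},
        "Domain C": {"friends_nearby": 2, "location": 2},
    })
    provider = ContextProvider(policy)
    friends = ["Ann", "Bob", "Fred", "Julie"]
    here = (52.5163, 13.3777)
    return {
        d: (provider.exchange("friends_nearby", friends, d),
            provider.exchange("location", here, d))
        for d in ["Domain A", "Domain B", "Domain C", "Unknown Domain"]
    }


if __name__ == "__main__":
    for domain, blurred in demo().items():
        print(domain, blurred)
```

The levels of a filter must be ordered so that a higher level never reveals more than a lower one (count reveals less than the list, a phrase less than the count); otherwise the fail-closed default is meaningless, and this ordering is exactly the "semantics for context blurring" the slide says still need defining per context type.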
Privacy Policy Negotiation Framework
• Privacy policy confirmation for attribute exchange
• Disclose the minimum set of attributes allowed by the user and the providers
• Make a mutual agreement on
  – what kinds of attributes are to be exchanged
  – how to manage the attributes
[Figure: the User registers policies and attributes with the Attribute Sender; each side holds its own policy (R_Policy: Sender Policy / Receiver Policy). (A) The Attribute Sender sends its usage policy to the Attribute Receiver; (B) the Receiver performs the policy comparison; (C) the Receiver returns the result of the comparison; (D) the Sender verifies the result; (E) the Receiver requests attributes; (F) the Sender sends the attributes]
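Steps (A) to (F) of the figure, as added Python (not NEC's framework): a policy is a set of purpose/retention rules per attribute, the receiver compares the sender's rules against its own request (B), the sender independently re-verifies the returned result before releasing anything (D), and only the agreed attributes are sent (F). The rule format, the attribute names and the sample policies are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """What may be done with one attribute: allowed purposes and maximum retention (days)."""
    purposes: frozenset
    retention_days: int


def compare_policies(sender_policy, receiver_policy):
    """Step (B): the receiver works out which of the attributes it asked for it may get.

    An attribute is agreed only if the receiver's purposes are a subset of the
    purposes the user allows and the receiver keeps it no longer than allowed.
    Returns (agreed, refused); refused maps attribute -> reason.
    """
    agreed, refused = {}, {}
    for attr, wanted in receiver_policy.items():
        allowed = sender_policy.get(attr)
        if allowed is None:
            refused[attr] = "not offered by sender"
        elif not wanted.purposes <= allowed.purposes:
            extra = ",".join(sorted(wanted.purposes - allowed.purposes))
            refused[attr] = "purpose not allowed: " + extra
        elif wanted.retention_days > allowed.retention_days:
            refused[attr] = f"retention {wanted.retention_days}d exceeds {allowed.retention_days}d"
        else:
            agreed[attr] = wanted  # the receiver's request, which is within the user's ceiling
    return agreed, refused


def verify_result(sender_policy, claimed_agreed):
    """Step (D): the sender does not trust the receiver's comparison.

    It re-derives what its own policy permits for the claimed agreement and
    refuses if the receiver claims anything beyond that.
    """
    recomputed, _ = compare_policies(sender_policy, claimed_agreed)
    return recomputed == claimed_agreed


def release_attributes(attributes, sender_policy, claimed_agreed):
    """Steps (E)/(F): hand over only the attributes covered by a verified agreement."""
    if not verify_result(sender_policy, claimed_agreed):
        raise PermissionError("receiver's agreement claims more than the sender policy allows")
    return {a: v for a, v in attributes.items() if a in claimed_agreed}


def demo():
    """Constructed policies (illustrative; not from the slide)."""
    sender_policy = {  # the user's ceiling per attribute
        "email":     Rule(frozenset({"booking", "contact"}), retention_days=30),
        "location":  Rule(frozenset({"booking"}), retention_days=1),
        "cc_number": Rule(frozenset({"payment"}), retention_days=0),
    }
    receiver_policy = {  # what the provider asks for
        "email":     Rule(frozenset({"booking"}), retention_days=14),              # within the ceiling
        "location":  Rule(frozenset({"booking", "marketing"}), retention_days=1),  # purpose too broad
        "cc_number": Rule(frozenset({"payment"}), retention_days=365),             # kept too long
        "birthdate": Rule(frozenset({"booking"}), retention_days=1),               # never offered
    }
    attributes = {"email": "ellie@example.net", "location": (52.52, 13.38),
                  "cc_number": "4111-1111-1111-1111", "birthdate": "1980-01-01"}

    agreed, refused = compare_policies(sender_policy, receiver_policy)   # (A) + (B)
    released = release_attributes(attributes, sender_policy, agreed)      # (C) to (F)
    # A dishonest receiver that inflates the returned agreement is caught at step (D).
    inflated = dict(agreed, cc_number=receiver_policy["cc_number"])
    return agreed, refused, released, verify_result(sender_policy, inflated)


if __name__ == "__main__":
    print(demo())
```

The point of step (D) is that the comparison in (B) runs on the receiver's side; the sender must recompute it from its own copy of the policy, otherwise a receiver could return an inflated result and obtain attributes the user never allowed.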
NEC's Mobile AAA Suite – Service & Functions
• Single Sign-on: make authenticated services easier to use by reducing authentication requests
• Identity Federation: enable sharing of data and authentication by building trust relationships between service providers
• Identity Service: make complex services more attractive by enabling them to anticipate customer preference and need
• Agent Charging: use the operator's charging asset on behalf of content providers
NEC's Mobile AAA Suite – Single Sign-on
[Screenshot walk-through: (1) Login to Airline Inc.: at "Welcome to the Airline Inc." the user enters login Ely1234 and her password and presses Accept. (2) Airline Inc. menu (Book a flight, Book a car, Book a room, Reserve a table, See railway timetable) with "Welcome Ellie. Your sign-on has completed. Select a service of your choice." (3) Use the restaurant reservation service with Single Sign-on: the Restaurant's own Login/Password form is not presented to the already signed-on user. (4) Restaurant: "Find a nearby restaurant from categories below": Seafood (16), Pizza (11), Steak (5), Japanese (2), French (6); choose your favorite restaurant from the categories.]
NEC's Mobile AAA Suite – Identity Federation
[Screenshot walk-through: (1) Ellie logs in to Airline Inc. (login Ely1234, password, Accept). (2) Airline Inc. menu: 1. Booking on the day, 2. Seat availability, 3. Campaign information, 4. Mileage club, 5. Link to other services. The "Double-mile campaign in this summer" page lists the partners Car Rental Inc., Hotel Reservation Inc., Restaurant Inc. and Train Guide, each with a LINK action. (3) For each partner (Car Rental, Hotel Reservation, Restaurant, Train Guide) the user is asked once: "Please put your ID & P/W, and click 'Accept' to complete your account links.", and enters that partner's own account (Ely0101 at three of them, Ely05698 at the Restaurant). (4) Back at Airline Inc.: "Welcome back Ellie. Your sign-on has completed. Select a service of your choice." with Book a flight, Book a car, Book a room, Reserve a table, See railway timetable.]
ID Federation Requirements by Mobile Operators
• Mobile terminals have limitations:
  – "Cookies" and SSL are not always supported,
  – Communication bandwidth and stability are limited.
• Mobile terminals need to access the Service / Identity Provider via a proxy.
• However, mobile terminals are always authenticated by the mobile network when they access the network.
• The proxy should have access to the authentication status and to session information.
• The proxy and IdP are usually located in the same security domain to be able to share information.
NEC's Proxy with SAML2.0 Enhanced Proxy
[Figure: Identity Management System for Mobile Operator. Inside the Mobile Network (TME's domain) the Principal's terminal reaches the WAP-gateway and the IdP/Proxy (EP), the system offered by NEC; the SP sits on the Service Platform next to Other Systems; the Liberty related entities are marked. SP: Service Provider; IdP: Identity Provider; EP: Enhanced Proxy]
Summary of Proxy Features
• Authentication information maintained by the mobile network is used for Liberty's SSO
• The proxy offers SSL for terminals without SSL
• Mobile clients are authenticated by the mobile network when they access the network
• The proxy and IdP are usually located in the same security domain
• The proxy offers session information to the Identity Provider
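The requirement stated on the two proxy slides above (the proxy conveys the mobile network's authentication status and session information to the IdP, and both sit in the same security domain), as an added Python example that is neither NEC's Enhanced Proxy nor any Liberty profile: the proxy packages the network-authenticated principal and session into a header bound with an HMAC under a key shared only inside the security domain, and the IdP accepts the header only if the tag verifies and the assertion is fresh. A naive version that trusts a plain header is shown alongside to make the risk concrete. The header names, the JSON claim layout, the shared key, the sample MSISDNs and the 300-second freshness window are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a key shared only between the proxy and the IdP, which the slides
# place in the same security domain. Constructed for this example.
DOMAIN_KEY = b"proxy-idp-shared-secret-example-only"
MAX_AGE_SECONDS = 300


def proxy_assert(msisdn, session_id, now, key=DOMAIN_KEY):
    """Proxy side: package the network authentication status and session info.

    The claims are bound with an HMAC so the IdP can tell the header came from
    the proxy and was not injected by a terminal or a client outside the domain.
    """
    claims = {"principal": msisdn, "session": session_id, "iat": int(now)}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + tag


def idp_principal_naive(headers):
    """What NOT to do: treat an unauthenticated header as the authenticated user."""
    return headers.get("X-Authenticated-Principal")


def idp_principal(headers, now, key=DOMAIN_KEY, max_age=MAX_AGE_SECONDS):
    """IdP side: accept the proxy's assertion only if it is authentic and fresh.

    Returns the claims dict, or None if the header is missing, forged or stale.
    """
    value = headers.get("X-Proxy-Assertion")
    if not value or "." not in value:
        return None
    b64, tag = value.rsplit(".", 1)
    try:
        body = base64.urlsafe_b64decode(b64.encode())
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        claims = json.loads(body)
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict) or "principal" not in claims or "iat" not in claims:
        return None
    if not (0 <= now - claims["iat"] <= max_age):
        return None
    return claims


def demo(now=1_171_411_200):  # 14 Feb 2007 00:00 UTC, the date on these slides
    """Constructed requests: one from the proxy, one spoofed from outside, one stale."""
    good = {"X-Proxy-Assertion": proxy_assert("+4915112345678", "sess-42", now)}
    spoofed = {"X-Authenticated-Principal": "+4915100000000",
               "X-Proxy-Assertion": proxy_assert("+4915100000000", "x", now, key=b"guess")}
    stale = {"X-Proxy-Assertion": proxy_assert("+4915112345678", "sess-42", now - 3600)}
    return {
        "naive_accepts_spoof": idp_principal_naive(spoofed) is not None,
        "good": idp_principal(good, now),
        "spoofed": idp_principal(spoofed, now),
        "stale": idp_principal(stale, now),
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC is one way to authenticate the proxy to the IdP; a mutually authenticated link that admits only the proxy does the same job. What must not happen is the naive path: if the IdP is reachable by anything other than the proxy and trusts a bare header, every client can claim any principal.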
Conclusions
• Digital Identities are becoming more important beyond the Web: in mobile business, especially NGN
• NEC has strong experience in digital identities
• Delivering core technology products of the identity business:
  – NEC's enhanced proxy (LEP) for mobile operators / IdPs
  – NEC's Mobile AAA suite
• Digital (virtual) identities in EU research projects, e.g. Daidalos
• Standards contributions, e.g. Liberty Alliance and ITU-T
• World-wide presence for promotion:
  – ITU-T Conference in Hongkong, Dec. 2006
  – ITU-T Digital Identity for NGN Workshop, Dec. 2006
  – 3GSM Conference in Barcelona, Feb. 2007
NEC is your partner in the digital identity business