Identification - Identity Management (Germany - Fraunhofer FOKUS 2011)

Page 1

Competence Center ELAN Fraunhofer FOKUS

Identity Management

Workshop: Russian-German Centre for Interoperable eGovernment Systems

Petra Hoepner

Berlin, 10th January 2011

Page 2

Concept of identity management: Every person is many

Page 3

Concept of identity management: What is a digital identity?

Statements about a person

Long-living identifier

Set of attributes that describe characteristics and permissions

People have different digital identities for different purposes

The particular relevant one is being used

Usage requires that only the legitimate owner can use this identity

Page 4

Concept of identity management: Vision: Citizen-friendly identity management

Every citizen has a digital identity with various attributes that he can use to carry out interactions in the digital world.

He is free to decide to whom he leaves which attributes of his digital identity and for how long. He trusts that the recipient of this information, e.g. the service provider, is authentic.

The citizen is in control of the flow of his personal information - even across domains.

If it is not necessary for the transaction to transmit personal attributes, he can refuse it.

It is easy for the citizen to use his digital identity and to select the appropriate attributes for each transaction.

Page 5

Dimension of Identity Management: Heterogeneous Landscape

Figure: a landscape of separate services (email access, online banking via website, eGovernment services, eCommerce services, workplace, private use), each with its own credential (user name/password, password, IPSec, biometrics, other) and exposed to phishing, fraud and trojans.

Page 6

Identity Management Stakeholders: Application and management of secure electronic identities

Page 7

Identity Functions and Services

Secure Identity Management comprises:

Identification and Registration of users: registration at identity provider or service provider

Authentication of users, i.e. transmit and verify identities (who am I?): "Login" to services, websites, communities

Authorization of users for specific access (what am I allowed to do?): roles and rights, allow / deny access

Monitoring and Auditing of usage: evidence of usage

Management of user identities, roles and rights (management of life cycle, sessions and security context)
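The functions listed on this slide (registration, authentication, authorization, auditing and life-cycle management), as an added Python example that is not from the presentation or from Fraunhofer FOKUS. The class name IdentityService, the role-to-permission table and the sample users are assumptions made for the demonstration; the point is that every function writes to the same audit trail and that suspending an identity also ends its sessions.

```python
"""Added example (not from the slides): minimal model of the identity functions
registration, authentication, authorization, auditing and life-cycle management.
IdentityService, PERMISSIONS and the sample users are assumptions for the demo."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Identity:
    ident: str                      # long-living identifier
    salt: bytes
    pw_hash: bytes
    roles: set = field(default_factory=set)
    state: str = "active"           # life cycle: active -> suspended


# which roles may perform which action (assumed table)
PERMISSIONS = {"read": {"citizen", "clerk"}, "approve": {"clerk"}}


class IdentityService:
    def __init__(self):
        self.identities = {}
        self.sessions = {}          # session token -> identifier
        self.audit = []             # evidence of usage, one entry per function call

    def _log(self, event, ident, ok, **detail):
        self.audit.append({"ts": time.time(), "event": event,
                           "ident": ident, "ok": ok, **detail})

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, ident, password, roles=()):
        """Identification/registration: create the identity and its credential."""
        if ident in self.identities:
            raise ValueError("identifier already taken")
        salt = os.urandom(16)
        self.identities[ident] = Identity(ident, salt, self._hash(salt, password), set(roles))
        self._log("register", ident, True)

    def authenticate(self, ident, password):
        """Authentication (who am I?): returns a session token or None."""
        rec = self.identities.get(ident)
        # hash even for unknown identifiers so timing does not reveal existence
        salt = rec.salt if rec else b"\0" * 16
        candidate = self._hash(salt, password)
        ok = (rec is not None and rec.state == "active"
              and hmac.compare_digest(candidate, rec.pw_hash))
        self._log("authenticate", ident, ok)
        if not ok:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = ident
        return token

    def authorize(self, token, action):
        """Authorization (what am I allowed to do?): roles decide allow / deny."""
        ident = self.sessions.get(token)
        rec = self.identities.get(ident) if ident else None
        ok = (rec is not None and rec.state == "active"
              and bool(rec.roles & PERMISSIONS.get(action, set())))
        self._log("authorize", ident, ok, action=action)
        return ok

    def suspend(self, ident):
        """Life-cycle management: suspending an identity also ends its sessions."""
        self.identities[ident].state = "suspended"
        for tok in [t for t, i in self.sessions.items() if i == ident]:
            del self.sessions[tok]
        self._log("suspend", ident, True)


if __name__ == "__main__":
    svc = IdentityService()
    svc.register("anna", "correct horse", roles=["citizen"])   # constructed user
    tok = svc.authenticate("anna", "correct horse")
    print("read allowed:", svc.authorize(tok, "read"))
    print("approve allowed:", svc.authorize(tok, "approve"))
    svc.suspend("anna")
    print("read after suspend:", svc.authorize(tok, "read"))
    for entry in svc.audit:
        print(entry["event"], entry["ident"], entry["ok"])
```

The audit list is what the slide calls evidence of usage: failed authentications and denied authorizations are recorded as well as successful ones, which is what a later investigation needs.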

Page 8

Evolution of Identity Management

Username / Password

Single Sign-On

Federated Id: architectural approach: identity as a set of attributes; sharing of service-centric IDs

User-centric Identity: single user-centric ID paired with many service-centric IDs

Identity Convergence: user-centric and service-centric identities match; trust and interoperability of various identity solutions and services

Page 9

Secure eIdentity Laboratory: Cooperation of Fraunhofer FOKUS and the Bundesdruckerei

Goals:

Provision of a process- and service-oriented architecture for identity-related information

Integration of various eIdentity technologies and solutions

Platform and showcase for secure digital identities in innovative application scenarios

Page 10

The New German ID Card

Page 11

The New German ID Card: Electronic functions

The new ID card was launched in Germany on 1 November 2010.

It combines the traditional ID card with three new electronic functions:

Sovereign ID function / optionally stored on chip

Online ID function

Qualified electronic signature (QES)

Page 12

The German eID: Innovation - Mutual identification

The Service Provider has to register with a German authority to access the German eID card and its attributes like name, address and age.

Figure: Citizen and Service Provider within the German eID framework.

Service Provider identifies itself with an authorization certificate (Is the service provider trustworthy?)

Citizen identifies herself with the German eID (Does the person really exist?)

Citizen as well as the SP are trustworthy players within the German eID framework.

Page 13: Идентификация - Identity Management (Германия - Fraunhofer FOKUS 2011)

Competence Center ELAN Fraunhofer FOKUS

A thentication ith the Ge man eID ca dAuthentication with the German eID card

Service Provider

8

User authenticated 1Access Web site

7 Transfer ID-datato service provider

Redirect toeID-service provider

2

4

8

h d lCitizen4

3

Chip- and Terminal-Authentication

6T f ID d

4 Display forms

eID-Service Provider

Transfer ID-data

5Confirm ID-

First name

Last name

Age or:

forms

ProviderCodata with PIN

AgeID-secret + serviceprovider number= Pseudonym

...
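The mutual identification of page 12 and the flow of page 13, as an added Python model that is not part of the presentation or of any Fraunhofer FOKUS or Bundesdruckerei software. It makes three assumptions: an HMAC under an authority key stands in for the signature on the authorization certificate, an HMAC of the card's ID-secret over the service-provider number stands in for the pseudonym on the slide, and the attribute names, service-provider numbers and the sample citizen are constructed. The certificate formats and protocols of the real eID card are not reproduced; the example shows the two checks that matter in the flow: the card releases nothing to a provider without a valid certificate, and then only the attributes the certificate permits and the citizen confirmed, while the pseudonym differs per provider.

```python
"""Added example (not from the slides): simplified model of mutual identification
with the German eID. Assumptions: HMAC under AUTHORITY_KEY replaces the certificate
signature; HMAC(id_secret, sp_number) replaces the real pseudonym mechanism;
attribute names, SP numbers and the citizen are constructed sample data."""
import hashlib
import hmac
import json
import os

AUTHORITY_KEY = os.urandom(32)   # constructed: key of the registering authority


def issue_authorization_certificate(sp_number, sp_name, permitted):
    """Page 12: the authority registers the SP and states which attributes it may read."""
    body = {"sp_number": sp_number, "sp_name": sp_name, "permitted": sorted(permitted)}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(AUTHORITY_KEY, payload, hashlib.sha256).hexdigest()}


def certificate_is_valid(cert):
    """Step 3 (terminal authentication, simplified): is the SP trustworthy?"""
    payload = json.dumps(cert["body"], sort_keys=True).encode()
    expected = hmac.new(AUTHORITY_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"])


class EidCard:
    def __init__(self, attributes, pin):
        self.attributes = attributes
        self.id_secret = os.urandom(32)     # never leaves the chip
        self._pin = pin

    def pseudonym(self, sp_number):
        """ID-secret + service provider number = pseudonym: stable per SP, unlinkable across SPs."""
        return hmac.new(self.id_secret, sp_number.encode(), hashlib.sha256).hexdigest()[:16]

    def release(self, cert, requested, consented, pin):
        """Steps 3-6: verify the SP, take the citizen's PIN, release only permitted + consented data."""
        if not certificate_is_valid(cert):
            raise PermissionError("authorization certificate not issued by the authority")
        if pin != self._pin:                 # step 5: citizen confirms with PIN
            raise PermissionError("wrong PIN")
        permitted = set(cert["body"]["permitted"])
        released = {}
        for name in requested:
            if name not in consented:        # citizen unticked it in the form (step 4)
                continue
            if name == "pseudonym":
                released[name] = self.pseudonym(cert["body"]["sp_number"])
            elif name in permitted and name in self.attributes:
                released[name] = self.attributes[name]
            # attributes the certificate does not permit are withheld
        return released


def authenticate_with_eid(card, cert, requested, consented, pin):
    """Steps 1-8 collapsed: the SP receives the released ID-data via the eID service."""
    try:
        data = card.release(cert, requested, consented, pin)
    except PermissionError as err:
        return {"authenticated": False, "reason": str(err), "id_data": {}}
    return {"authenticated": True, "id_data": data}


if __name__ == "__main__":
    # constructed sample citizen and two registered service providers
    card = EidCard({"first_name": "Erika", "last_name": "Mustermann",
                    "age": 34, "address": "Berlin"}, pin="123456")
    shop = issue_authorization_certificate("SP-0001", "Shop", ["first_name", "last_name", "age"])
    bank = issue_authorization_certificate("SP-0002", "Bank", ["first_name", "last_name", "address"])
    wanted = ["first_name", "age", "address", "pseudonym"]
    print(authenticate_with_eid(card, shop, wanted, set(wanted), "123456"))
    print(authenticate_with_eid(card, bank, wanted, set(wanted), "123456"))
```

The shop receives first name and age but not the address, because its certificate does not permit it; the bank receives the address but not the age. Each gets a different pseudonym for the same card, so the two providers cannot link the citizen's records by that value.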

Page 14

Innovative applications - Identity of person and car: Car re-registration with the new German eID card and a future automotive card

Car re-registration incorporating the eID card and an e-paper based automotive card

Page 15

Identity and Privacy: myID.privat: Privacy based on trusted combination of identity attributes

Privacy and data security become more important in the virtual world.

Vision: anonymity and pseudonymity are possible with trusted electronic identities.

Design of an infrastructure supporting privacy of personal data

Analysis and development of technologies for the combination of attributes

Implementation of privacy-supporting scenarios

Integration of the new German identity card

Page 16

Secure Identities in the cloud

Secure authentication and access using the identity card to build trust between provider and user of services

Figure: New German eID card - Secure Authentication and Access - Identity/Attribute Provider - eGovernment Services, eBusiness Services, Social Networks, eSafe, online services

Page 17

Challenges in clouds: Trust Relations (figure: TRUST)

Page 18

Challenges in clouds: Identity services

Identification, User Provisioning: single user or bulk provisioning, types of users, rapid turnaround

Authentication: secure authentication of internal privileged users (e.g. IT personnel); secure authentication of external users (e.g. citizens, business users); built-in mechanisms or identity management services; federated identities, single sign-on, user-centric approaches, delegation of identity

Access control: authorization and access based on user credentials (user profiles, roles); authorization policy handling, authorization decisions, access control model

Auditing: provision of audit logs, liability

Privacy: identity attributes, data, documents, service usage

Page 19

Missions for identity management: Secure eIdentity: Important Steps

Modern industry states need an IT infrastructure capable of managing electronic identities securely.

Development of future-oriented and secure solutions for complex identities in the virtual world in conjunction with the new ID card

Promote the secure and seamless media communication among heterogeneous systems based on standardized procedures / protocols

Cross-border interoperability

Contextual use of identity attributes

Privacy-supporting technologies

Combining various industry approaches, standards and solutions

Page 20

Petra Hoepner

Fraunhofer FOKUS Research Group eIdentity, Kaiserin-Augusta-Allee 31, 10589 Berlin, Germany

Tel +49 (30) 3463 7185, Fax +49 (30) 3463 8000

Internet: www.fokus.fraunhofer.de, Email: petra.hoepner@fokus.fraunhofer.de