Copyright 1988-2006
Roger Clarke, Xamax Consultancy, Canberra
Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU
http://www.anu.edu.au/Roger.Clarke/......../EC/ IdMngtMyths06 {.html,.ppt}
Identity Management – 7-8 March 2006
Sydney Convention & Exhibition Centre
Mythologies of Identity Control

Mythologies of Identity Control
1. Authentication
2. (Id)entities and (Id)entifiers
3. (Id)entities Management and for People Not of People
4. Nym Management
5. Biometrics Technologies

Authentication
The Process of Testing an Assertion in order to establish a level of confidence in the Assertion’s reliability

Kinds of Assertions Relevant to eBusiness
• About Data
• About Value
• About Location
• About Documents
• About Attributes
• About Principal-Agent Relationships
• About Entities
• About Identities

Which Assertions Matter?
• Utilise Risk Assessment techniques to determine:
  • Which Assertions
  • What level/strength of Authentication

Australian Government e-Authentication Framework (AGAF)
http://www.agimo.gov.au/infrastructure/authentication/agaf
• Decide what statements need to be authenticated
• Use risk assessment techniques in order to decide on the level of assurance needed
• From among the alternative e-authentication mechanisms, select an appropriate approach
• Assess the impact on public policy concerns such as privacy and social equity
• Implement
• Evaluate

2. (Id)entities and (Id)entifiers
[Diagram. Labels: Real World; Abstract World; Identity and Attributes; Identifier + Data-Items; Names; Codes; Roles]

[Diagram. Labels: Real World; Abstract World; Entity and Attributes; Identity and Attributes; Identifier + Data-Items]

[Diagram. Labels: Real World; Abstract World; Entity and Attributes; Identity and Attributes; Entifier + Data-Items; Identifier + Data-Items]

Human (Id)entifiers
• appearance: how the person looks
• social behaviour: how the person interacts with others

• names: what the person is called by other people
• codes: what the person is called by an organisation

• bio-dynamics: what the person does
• natural physiography: what the person is
• imposed physical characteristics: what the person is now

Imposed Biometrics
“imposed physical identifiers ... branding, tattooing, implanted micro-chips”

Human Identity Authentication
• What the Person Knows
  e.g. mother’s maiden name, Password, PIN
• What the Person Has (‘Credentials’)
  e.g. a Token, such as an ‘ID-Card’, a Ticket
  e.g. a Digital Token such as “a Digital Signature consistent with the Public Key attested to by a Digital Certificate”
Human Entity Authentication
• What the Person Is (Static Biometrics)
• What the Person Does (Dynamic Biometrics)

2. (Id)entities Management
A Working Definition
A set of processes and supporting infrastructure that enable the authentication of (id)entity assertions
The term is often used in a more restrictive sense, to apply to the specific context of online access over open public networks

Phases in Online User Access Security
[Diagram. Labels: Pre-Authentication of Evidence of Identity or Attribute; Permissions Store or Access Control List; Authentication using the Issued Authenticator; Authorisation; Access Control; Register of Authenticators]

User Access Security for a Single Application
[Diagram. Labels: Application Access Control]

Single-Organisation ‘Single-SignOn’
[Diagram. Labels: Identity Management Service; The Internet; The Organisation’s Web-Sites]

Multi-Organisation ‘Single-SignOn’ ‘Identity Management’
[Diagram. Labels: Identity Management Service; The Internet; The Organisation’s Web-Sites]

Federated Identity Management a la Liberty Alliance, WS-*
[Diagram. Labels: Identity Management Services; The Internet; The Organisation’s Web-Sites]

Countermeasures by Individuals
• Web-Forms can be filled with:
  • pre-recorded data
  • convenient data
  • pseudo-random data
  • ‘false’ data
• Personal data can be automatically varied for each remote service, in order to detect data leakage, e.g. spelling-variants, numerical anagrams
• Personal data can be automatically varied for the same remote service on successive occasions (to pollute the data-store and confuse the user profile)
• Users can exchange cookies, resulting in compound profiles rather than profiles that actually reflect an individual user's behaviour
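
The per-service variation in the second bullet above, as an added example that is not part of the original slides: each remote service receives its own combination of a spelling-variant and a numerical anagram, so data that later turns up in unsolicited contact can be traced to the service it was given to. The class name `LeakTracer`, the sample spellings, the number and the service names are all constructed for illustration.

```python
import random
from itertools import permutations, product


class LeakTracer:
    """Gives every remote service its own (name spelling, number anagram) pair."""

    def __init__(self, spellings, number, seed):
        # Every distinct reordering of the digits is a "numerical anagram".
        anagrams = sorted({"".join(p) for p in permutations(number)})
        pool = list(product(spellings, anagrams))
        random.Random(seed).shuffle(pool)  # issue order depends on the private seed
        self._pool = pool
        self._issued = {}  # service -> variant handed to it
        self._owner = {}   # variant -> service it was handed to

    def variant_for(self, service):
        """Return the variant for a service, allocating an unused one on first use."""
        if service not in self._issued:
            if not self._pool:
                raise RuntimeError("no unused variants left; add spellings or digits")
            variant = self._pool.pop()
            self._issued[service] = variant
            self._owner[variant] = service
        return self._issued[service]

    def trace(self, name, number):
        """Map data seen in unsolicited contact back to the service that received it."""
        return self._owner.get((name, number))


def demo():
    # Constructed sample data: spellings, box number and service names are made up.
    tracer = LeakTracer(["Jon Smith", "John Smith", "John Smyth"], "4127", seed=2006)
    for service in ("shop.example", "news.example", "bank.example"):
        tracer.variant_for(service)
    # Unsolicited mail arrives carrying exactly what was given to news.example.
    leaked_name, leaked_number = tracer.variant_for("news.example")
    return tracer, tracer.trace(leaked_name, leaked_number)


if __name__ == "__main__":
    tracer, source = demo()
    print("variant seen in unsolicited mail was issued to:", source)
```

Allocating from a pool rather than hashing the service name guarantees that no two services share a variant, which is what makes the trace unambiguous.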

Identity Management by a User-Selected Intermediary
[Diagram. Labels: The Internet; Identity Management Services; The Organisation’s Web-Sites]

User-Device Identity Management
[Diagram. Labels: The Internet; The Organisation’s Web-Sites]

User-Proxy Identity Management
[Diagram. Labels: The Internet; Identity Management Service; Handheld; The Organisation’s Web-Sites]

Identity Management
The Multi-Mediated Super-Architecture
[Diagram. Labels: The Internet; Handheld; Federated, Multi-Organisation Single-SignOn I.M.; User-Selected Intermediary I.M.; Own-Device and Own-Proxy I.M.; Silo’d Single-Organisation Single-SignOn I.M.; Identity Management Service; The Organisation’s Web-Sites]

(Id)entities
[Diagram. Labels: Real World; Abstract World; Entity and Attributes; Identity and Attributes; Entifier + Data-Items; Identifier + Data-Items]

4. Nyms
[Diagram. Labels: Real World; Abstract World; Entity and Attributes; Identity and Attributes; Record: Entifier + Data-Items; Record: Identifier + Data-Items; Record: Nym + Data-Items; relationship cardinalities marked 1, m and n]

Nym
One or more attributes of an Identity (represented in transactions and records as one or more data-items) sufficient to distinguish that Identity from other instances of its class but not sufficient to enable association with a specific Entity
Pseudonym – association is not made, but possible
Anonym – association is not possible

Nymality is Normality
aka ('also-known-as'), alias, avatar, character, nickname, nom de guerre, nom de plume, manifestation, moniker, personality, profile, pseudonym, pseudo-identifier, sobriquet, stage-name
Cyberspace has adopted those and spawned more:
account, avatar, handle, nick, persona

Privacy Enhancing Technologies (PETs)
Pseudo-PETs
Counter-PITs
Savage PETs
Gentle PETs
Seek a balance between nymity and accountability through Protected Pseudonymity

Financial Times, 19 Feb 2006
Interview with Bill Gates re MS Identity Metasystem Architecture and InfoCard
“ ... the thing that says the government says I'm over 18 ... You can prove who you are to a third party and then, in the actual usage, they don't know who you are.
“A lot of the previous designs had the idea that if you authenticated, then you gave up privacy. There are lots of cases where you want to be authentic but not give up your privacy”.

5. Biometrics Technologies
• Variously Dormant or Extinct
  • Cranial Measures
  • Face Thermograms
  • Veins (hands, earlobes)
  • Retinal Scan
  • Handprint
  • Written Signature
  • Keystroke Dynamics
  • Skin Optical Reflectance
  • ...
• Currently in Vogue
  • Iris
  • Thumbprint
  • Hand Geometry
  • Voice
  • Face
• Special Case
  • DNA
• Promised
  • Body Odour
  • Multi-Attribute

Fraudulent Misrepresentation of the Efficacy of Face Recognition
• The Tampa SuperBowl was an utter failure
• Ybor City FL was an utter failure
• Not one person was correctly identified by face recognition technology in public places
• Independent testing results are not available
• Evidence of effectiveness is all-but non-existent
• Ample anecdotal evidence exists of the opposite

Reference-Measure Quality
• The Person's Feature (‘Enrolment’)
• The Acquisition Device
• The Environmental Conditions
• The Manual Procedures
• The Interaction between Subject and Device
• The Automated Processes

Association Quality
• Depends on a Pre-Authentication Process
• Subject to the Entry-Point Paradox
• Associates data with the ‘Person Presenting’ and hence Entrenches Criminal IDs
• Risks capture and use for Masquerade
• Facilitates Identity Theft
• Risk of an Artefact Substituted for, or Interpolated over, the Feature

Test-Measure Quality
• The Person's Feature (‘Acquisition’)
• The Acquisition Device
• The Environmental Conditions
• The Manual Procedures
• The Interaction between Subject and Device
• The Automated Processes

Comparison Quality
• Feature Uniqueness
• Feature Change:
  • Permanent
  • Temporary
• Ethnic/Cultural Bias
  “Our understanding of the demographic factors affecting biometric system performance is ... poor” (Mansfield & Wayman, 2002)
• Material Differences in:
  • the Processes
  • the Devices
  • the Environment
  • the Interactions
• An Artefact:
  • Substituted
  • Interpolated

Result-Computation Quality
• Print Filtering and Compression:
  • Arbitrary cf. Purpose-Built
• The Result-Generation Process
• The Threshold Setting:
  • Arbitrary? Rational? Empirical? Pragmatic?
• Exception-Handling Procedures:
  • Non-Enrolment
  • Non-Acquisition
  • ‘Hits’

The Mythology of Identity Authentication That’s Been Current Since 12 September 2001
• Mohammad Atta’s rights:
  • to be in the U.S.A.
  • to be in the airport
  • to be on the plane
  • to be within 4 feet of the cockpit door
  • to use the aircraft’s controls
• Authentication of which assertion, in order to prevent the Twin Towers assault?
  • Identity (1 among > 6 billion)?
  • Attribute (not 1 among half a dozen)?

Biometrics and Single-Mission Terrorists
• “Biometrics ... can’t reduce the threat of the suicide bomber or suicide hijacker on his virgin mission. The contemporary hazard is a terrorist who travels under his own name, his own passport, posing as an innocent student or visitor until the moment he ignites his shoe-bomb or pulls out his box-cutter” (Jonas G., National Post, 19 Jan 2004)
• “it is difficult to avoid the conclusion that the chief motivation for deploying biometrics is not so much to provide security, but to provide the appearance of security” (The Economist, 4 Dec 2003)

Threats of the Age
Terrorism
Religious Extremism
Islamic Fundamentalism

Threats of the Age
Terrorism
Religious Extremism
Islamic Fundamentalism
Law and Order Extremism
National Security Fundamentalism

Mythologies of Identity Control
• That the assertions that need to be authenticated are assertions of identity (cf. fact, value, attribute, agency and location)
• That individuals only have one identity
• That identity and entity are the same thing
• That biometric identification:
  • works
  • is inevitable
  • doesn’t threaten freedoms
  • will help much
  • will help at all in counter-terrorism
• Every organisation is part of the national security apparatus