identity management - tectec.gov.in/pdf/studypaper/identity management approved.pdf

Identity management [TSA]

Identity management

Telecom Engineering Centre

TSA Division |

INDEX

1. Introduction
2. Terminologies
3. Overview of Identity Management
4. Identity Management Models
5. Identity Management Framework
6. Authentication Methods
7. Identity Management Services
8. Use Cases
9. IDM in India
10. IDM in ITU
11. Conclusion
12. Glossary
13. References


1. INTRODUCTION

The rapid growth in the number of online services has led to an increasing number of identities that each user must manage. As a result, many people feel overloaded with identities and suffer from password fatigue. This is a serious problem: it leaves people unable to control and protect their digital identities against identity theft. As organizations grow and add services such as e-commerce and global remote access, controlling who is accessing what information also becomes a more difficult task. Identity management provides a way to manage and secure identities, including the maintenance of access-based services.

1.1 DEFINITION

Identity management is the set of functions and capabilities (e.g., administration, management and maintenance, discovery, communication exchanges, correlation and binding, policy enforcement, authentication and assertions) used for:

• assurance of the identity of an entity (e.g., users/subscribers, groups, user devices, organizations, network and service providers, network elements and objects, and virtual objects), and enabling business and security applications;

• assurance of identity information (e.g., identifiers, credentials, attributes).

Thus identity management has two main parts:

i. Issuing users with credentials and unique identifiers during the initial registration phase.

ii. Authenticating users and controlling their access to services and resources, based on their identifiers and credentials, during service operation.

2. BASIC TERMINOLOGIES

a. Entity: A separate and distinct existence of an object within a context, for example subscribers, users, network elements, networks, software elements, services, devices and interfaces.

b. Attributes: Information bound to an entity which specifies the features and characteristics of that entity, such as a condition, a quality or any other information associated with it.

c. Identifier: One or more attributes used to identify an entity within a context.


d. Identity: The representation of an entity in the form of information elements which allow entities to be sufficiently distinguished within a particular context.

e. Credential: An identifiable object that can be used to authenticate that the claimant is what it claims to be, and to authorize the claimant's access rights.

f. Identity Service Provider: An entity that verifies, maintains, manages and may create and assign identity information of other entities. It is also responsible for assigning attributes to an entity.

[Figure: Correspondence between entities, identities and identifiers]

The figure illustrates that an entity, such as a person or an organization, may have multiple identities, and each identity may consist of multiple characteristics that can be unique or non-unique identifiers.

3. OVERVIEW OF IDENTITY MANAGEMENT

[Figure: overview of the identity management environment (not reproduced in this transcript)]

The figure shows the following:

a. Entities: In an NGN environment, where services are based on contexts and roles and are accessed anywhere, at any time and from any device, multiple forms of identity-related information may be associated with an entity. In addition, an entity may have one or more identities depending on context. Example entities include:

• Users and subscribers.

• User devices, network elements and objects.

• Organizations, groups, business enterprises and government enterprises.

• Network and service providers.

• Virtual objects.

b. Identity information: The identity information associated with an entity can be grouped as follows:

• Identifiers (e.g., subscription account, network element addresses, service provider identifier).

• Attributes (e.g., email addresses, telephone numbers, URIs, IP addresses, roles, claims, privileges, authentication method, patterns and location).

• Credentials (e.g., digital certificates and tokens).

c. IdM functions and capabilities: IdM functions and capabilities are used to increase confidence in the identity information of an entity and to support or enhance business and security applications, including identity-based services. Example IdM functions and capabilities are:

• Identity lifecycle management.

• Identity information organization, correlation and binding.

• Authentication, authentication assurance and assertion.

• Discovery and exchange of identity information.

• Functions and capabilities to bridge different IdM systems to facilitate interoperability.

d. Business and security applications: IdM functions and capabilities support, and may help to enhance, business and security applications using identity-based services.


4. Identity Management Models

a. Basic query/response information exchange process

This is the basic form of the model, built on a query and response process using an agreed protocol and information set. It is the common identity management model in which a service provider acts as both credential provider and identifier provider to its clients. The service provider controls the name space for its service domain and allocates identifiers to users. A user therefore gets a separate unique identifier from each service/identifier provider it transacts with, and separate credentials, such as passwords, associated with each identifier. This model is also called isolated user identity management.

b. Three-party identity management model

Most systems involve a more complex model in which the relying party that receives the claim is not the identity service provider. The identity service provider function is separated from the relying party; the relying party evaluates the response from the identity service provider and, on that basis, obtains a certain level of authentication assurance. The most common example of this model is an online banking transaction system, which is elaborated later in this paper.


c. Federated User Identity Model

Identity federation can be defined as the set of agreements, standards and technologies that enable a group of service providers to recognize user identifiers and entitlements from other service providers within a federated domain. In a federated identity domain, agreements are established between the SPs (and identity providers) so that identities from the different SP-specific identity domains are recognized across all domains. These agreements include policy and technology standards. A mapping is established between the different identifiers owned by the same client in different domains, which links the associated identities. This results in a single virtual identity domain, as illustrated in the figure. When a user has been authenticated to one service provider using one of their identifiers, they are considered identified and authenticated with all the other service providers as well. This happens by passing assertions between service providers. Thus a user, once registered with one SP, can access the services of the other SPs within the same federated domain.

The most familiar example of federated identity is the ATM network. We take for granted that we can go to almost any ATM, at home or abroad, and use an ATM card to obtain money. Most banks honor ATM cards issued by other banks because of the trust relationships that exist between the banks and the standardized protocols for performing ATM transactions.
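The assertion passing that both the three-party model and the federated model depend on, as an added example rather than code from the original paper: an identity provider signs a short-lived assertion about an authenticated user, and a relying party in the same federation verifies that assertion before mapping the remote identifier onto its own local account. Because one authentication at the IdP is honored by every SP in the domain, the relying party has to check issuer trust, the signature, the audience, the validity window, replay and the identifier mapping before granting anything. HMAC with a per-IdP shared key stands in for a digital signature here, and the issuer names, key, account names and timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Federation agreement (constructed for this example): the relying party trusts
# these identity providers and shares one HMAC key with each of them.
TRUSTED_IDPS = {
    "idp.bank-a.example": b"example-shared-key-for-bank-a",
}
RP_ID = "rp.cloud.example"  # audience value this relying party accepts


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer, key, subject, audience, attrs, now, ttl=300):
    """IdP side: a signed, short-lived statement that `subject` authenticated here.

    `aud` pins the assertion to one relying party and `jti` makes it single-use.
    """
    payload = {
        "iss": issuer, "sub": subject, "aud": audience,
        "iat": now, "exp": now + ttl,
        "jti": secrets.token_hex(8), "attrs": attrs,
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)


class RelyingParty:
    """Service provider that accepts assertions from federation partners."""

    def __init__(self, rp_id, trusted_idps):
        self.rp_id = rp_id
        self.trusted = trusted_idps
        self.seen_jti = set()      # replay cache (bounded by ttl in a real deployment)
        self.account_map = {}      # (issuer, remote subject) -> local account

    def link_account(self, issuer, subject, local_account):
        """Federation mapping: the same client's identifier in another domain."""
        self.account_map[(issuer, subject)] = local_account

    def verify(self, token, now):
        """Return (local_account, reason); local_account is None when rejected."""
        try:
            body_b64, tag_b64 = token.split(".")
            body, tag = _b64d(body_b64), _b64d(tag_b64)
            payload = json.loads(body)
        except (ValueError, TypeError):
            return None, "malformed"
        if not isinstance(payload, dict):
            return None, "malformed"
        # The issuer is read before the MAC check only to select the key; nothing
        # else in the payload is trusted until the MAC verifies.
        key = self.trusted.get(payload.get("iss"))
        if key is None:
            return None, "untrusted issuer"
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
            return None, "bad signature"
        if payload.get("aud") != self.rp_id:
            return None, "wrong audience"
        iat, exp = payload.get("iat"), payload.get("exp")
        if not (isinstance(iat, int) and isinstance(exp, int) and iat <= now < exp):
            return None, "expired or not yet valid"
        jti = payload.get("jti")
        if not jti or jti in self.seen_jti:
            return None, "replayed"
        self.seen_jti.add(jti)
        local = self.account_map.get((payload.get("iss"), payload.get("sub")))
        if local is None:
            return None, "no local account mapped"
        return local, "ok"


if __name__ == "__main__":
    rp = RelyingParty(RP_ID, TRUSTED_IDPS)
    rp.link_account("idp.bank-a.example", "alice", "alice@rp")
    tok = issue_assertion("idp.bank-a.example", TRUSTED_IDPS["idp.bank-a.example"],
                          "alice", RP_ID, {"role": "customer"}, now=1_700_000_000)
    print(rp.verify(tok, now=1_700_000_010))  # ('alice@rp', 'ok')
    print(rp.verify(tok, now=1_700_000_010))  # (None, 'replayed')
```

The account map is the federation mapping the text describes: the RP never uses the remote identifier directly, it resolves (issuer, subject) to the local identity it already knows, so an assertion from a trusted IdP about an unknown subject is still refused.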

d. User-centric identity management model

"User-centric" models (i.e., models that give the requesting party full control over the use of their identities) are receiving significant attention and may also be mandated in national and regional jurisdictions. All queries and responses are directed through the requesting party. User-centric approaches have received significant attention for managing private and critical identity attributes. User-centric identity management allows users to control their own digital identities: users select which credentials to present when responding to an authenticator or attribute requester, which gives them more rights and responsibility over their identity information. However, current user-centric approaches mainly focus on interoperable architectures between existing identity management systems without considering privacy issues in depth. By allowing users to control their own digital identities, a user can decide which identity attributes need to be shared with other trusted parties and under what circumstances. As users have more rights and responsibilities over their identity information, this provides better protection of the user's private information.

5. IdM Framework

The framework consists of the following IdM functions and capabilities:

a. Identity lifecycle management: the processes and procedures associated with the enrolment and issuance of identity data and information associated with the identity of an entity.

b. IdM operation, administration, maintenance and provisioning (OAM&P) functions: management functions and capabilities specifically related to the support of IdM. OAM&P is a group of management functions that provide system or network fault indication, performance monitoring, security management, diagnostic functions, configuration and user provisioning.

c. IdM signaling and control functions: signaling and control functions and capabilities used for the support of IdM services, capabilities and functions, for both real-time and near-real-time communications.

d. IdM federated identity functions: functions and capabilities for identity federation and support of federated services.

e. IdM user and subscriber functions: functions and processes related to control by end users and subscribers of their identity-related information (e.g., PII, personal preferences and location), including functions to control, delegate and authorize the use and dissemination of identity-related information.

f. IdM performance, reliability and scalability: functions and procedures addressing the performance, reliability and scalability of IdM systems and solutions.

g. IdM security: functions and procedures addressing the security protection of IdM systems, services and capabilities.

5.1 Identity Lifecycle Management

a. Proofing and Enrolment

This is the first step in creating an identity for an entity (e.g., subscriber, device, organization, identity provider or object). It is the process in which an applicant applies to become a subscriber of an identity provider. Proofing includes verifying the attributes and claims associated with an identity; it involves the processes and procedures to verify and validate information when enrolling an entity into an identity system.


b. Issuance and Revocation

Successful completion of the enrolment process results in the granting of a means (e.g., a credential) by which the entity can be authenticated in the future. For example, the issuance of a credential by an IdP binds it to the identity, or to a related attribute (e.g., a privilege or claim) of the identity, associated with an entity.

Identity revocation is the process of rescinding an identity and its associated credentials. The party or system (e.g., the IdP) that issues an identity or credential is responsible for the maintenance and protection of the information associated with the identity. Revocation is required to prevent the continued use of an identity or credential that is no longer valid or has been compromised; relying parties therefore have to check revocation status at the time of use, not only at issuance.

5.2 Identity management OAM&P functions

a. Data model and schema

Each NGN provider, federation or enterprise may have its own formats, schemas, definitions or semantics to represent and share identity-related data and information. The data model should facilitate interoperability between heterogeneous IdM systems (e.g., identity data sources) within an identity provider domain (i.e., different supplier products), between different identity providers (inter-network), and between different federations (e.g., identity provider and web-services providers).

b. Identifier Management

An identifier is any designation used to represent the identity of an entity, such as a user ID, a network ID, an e-mail address, a pseudonym, a group name, etc. The overall effectiveness of IdM depends on the assurance of the individual identifiers that may be correlated and bound to assure the identity of an entity.

c. Attribute Management

Identity attributes are descriptors of an entity, such as entity type, preferred IP address, domain, address information and telephone number. Attributes may also contain claims, rights, privileges, delegate lists and special restrictions. The effectiveness of IdM depends on the assurance of the attributes that may be correlated and bound to assure the identity of an entity, which includes the storing and provisioning of attributes. Well-defined requirements and procedures for the management of attributes therefore need to be put in place.


d. Credential Management

Credentials are used to authenticate a claimed identity. Credentials include tokens, user IDs, passwords, digital certificates, security matrices and biometrics. Entity credential management encompasses the operational activities to create, issue and manage the information used to authenticate identity claims.

e. Logging and Auditing

Logging and auditing functions and capabilities are important to the effectiveness of IdM solutions. Example auditing and compliance measures include maintaining security logs to satisfy accountability requirements, protecting and appropriately using personal information, and providing notification to the appropriate systems or entities (e.g., identity owners).

5.3 Identity management signaling and control functions

Signaling and control functions are used to discover and communicate trusted identity information (e.g., identifiers, attributes, claims) associated with an entity (e.g., user/subscriber, group, organization, network element, service provider) to support IdM services, functions and capabilities.

a. Discovery of Identity Information

In an evolving and dynamic environment, identity information and its sources are also dynamic. Relying parties and entities therefore need a structured means to discover identity information, which also includes IdM function services and capabilities. Discovery also involves capabilities to accommodate multiple IdPs in the NGN framework. In situations where there is only one IdP (e.g., an enterprise), there is no need for a discovery operation.

b. IdM Communications

This includes capabilities and functions to discover and exchange identity information (e.g., identifiers, credentials and attributes) associated with an entity's identity that is located in different network systems (e.g., a subscription server, location server, presence server, etc.) within an identity provider network, so that it can be correlated and verified (i.e., by an IdM application server providing authentication and correlation functions) in order to provide identity assurance capabilities.


c. Correlation and binding

Identity information (e.g., identifiers, credentials and attributes) may be correlated to establish a binding that assures the identity of an entity. For example, the identity information associated with a subscriber (e.g., UserID), a subscriber device (e.g., DeviceID) and location information may be correlated to establish a binding that provides higher assurance of the subscriber's identity.

d. Authentication

Authentication is the process of establishing confidence in the binding between an identity and the entity. One means of achieving authentication assurance is to describe the objectives and guidelines necessary to quantify the risk that an entity is not who or what it claims to be. This includes establishing which entity identifiers are more important than others in the identification process, and why certain identifiers used in authentication should not be given the same authentication value.

e. User/subscriber functions and protection of PII

End users/subscribers need to be provided with suitable, intuitive interfaces and capabilities to control their PII and to make informed decisions and give consent regarding their personal data. End users/subscribers should be able to express their privacy policies and preferences and negotiate the terms of data disclosure with the identity service provider.

6. AUTHENTICATION METHODS

6.1 Authentication factors fall into three basic categories:

a. Something the user is: biometrics (fingerprint or finger vein).

b. Something the user has: token, smart card.

c. Something the user knows: password, PIN.

6.2 Three types of combined authentication methods are considered:

a. Multifactor authentication: authentication that uses multiple credentials from two or more of the three categories of authentication factors, for example:

i. One-time password authentication using a hardware device (security token).

ii. Combination of a PIN and finger vein.

iii. Combination of a biometric and a one-time password.

b. Multi-method authentication: authentication that uses multiple credentials from the same category of authentication factors, for example:

i. Combination of one-time password and passphrase authentication.

ii. Combination of fingerprint and finger vein authentication.


c. Multiple authentication: authentication that uses the same kind of credential multiple times from the same category of authentication factors, for example:

i. Double password authentication.

ii. Fingerprint authentication using multiple fingers.
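Two-factor verification that combines something the user knows with something the user has, as an added example and not code from the original paper: a salted PBKDF2 password check plus an event-based one-time password from a hardware token (HOTP, RFC 4226; the token seed below is the RFC's published test-vector secret so the codes are reproducible). The user name, password, look-ahead window and lockout threshold are assumptions for the example. The window tolerates token presses whose codes never reached the server, a counter value is burned once accepted so a captured code cannot be replayed, and both factors are evaluated before a single undifferentiated failure is returned.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; a fresh salt is generated on first use."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class User:
    """Server-side record: password verifier plus the HOTP token state."""

    def __init__(self, username, password, otp_secret):
        self.username = username
        self.salt, self.pw_hash = hash_password(password)
        self.otp_secret = otp_secret   # same seed provisioned into the hardware token
        self.counter = 0               # next counter value the server will accept
        self.failures = 0


def verify_two_factor(user, password, otp, window=5, max_failures=5):
    """Check something the user knows (password) and something the user has
    (HOTP code from the token). Returns (accepted, reason)."""
    if user.failures >= max_failures:
        return False, "locked"

    _, candidate = hash_password(password, user.salt)
    pw_ok = hmac.compare_digest(candidate, user.pw_hash)

    # Look-ahead window: the token may have been pressed a few times without the
    # codes reaching the server, so accept the first match in [counter, counter+window).
    matched = None
    for c in range(user.counter, user.counter + window):
        if hmac.compare_digest(hotp(user.otp_secret, c).encode(), str(otp).encode()):
            matched = c
            break

    # Both factors are evaluated before answering, and the single failure reason
    # does not reveal which factor was wrong.
    if pw_ok and matched is not None:
        user.counter = matched + 1     # resynchronize and burn the used value
        user.failures = 0
        return True, "ok"
    user.failures += 1
    return False, "invalid credentials"


if __name__ == "__main__":
    # Secret from the RFC 4226 test vectors (constructed demo user).
    alice = User("alice", "correct horse battery", b"12345678901234567890")
    print(hotp(alice.otp_secret, 0))                                    # 755224
    print(verify_two_factor(alice, "correct horse battery", "755224"))  # (True, 'ok')
    print(verify_two_factor(alice, "correct horse battery", "755224"))  # (False, 'invalid credentials')
```

The counter is advanced only when both factors pass; advancing it on a correct OTP with a wrong password would let an attacker who sees token codes desynchronise the legitimate user.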

6.3 SIM-Based Authentication

This is a form of authentication in the "something the user has" category.

A SIM, with GBA (Generic Bootstrapping Architecture) and GAA (Generic Authentication Architecture) on the network side, can provide a robust and convenient authentication mechanism for access to services and applications from mobile devices. The user equipment authenticates itself to the operator's GAA service using the existing 3G or 2G authentication protocols and, in the process, receives new keys which in turn allow access to the application. Its main advantage is its ability to reuse the existing 3G authentication mechanism.

The figure below illustrates the basic mechanism of SIM-based authentication. Here UE refers to User Equipment, i.e., the user's mobile handset. The user logs on to access an application service, and the application server in turn authenticates the user directly using the SIM through its authentication server. After completion of authentication a unique ID is granted to the SIM, which in turn allows the user to access the application.

[Figure: SIM-based authentication. UE = User Equipment; UID = Unique Identifier]


7. Identity Management Services

IdM enables the development of various applications, such as:

a. Federated services (e.g., access to services across different service providers or identity providers). Federated identity management extends the idea of identity management across company boundaries. It decouples identity authentication from the provision of services. For example, when you drive a car in another state, the state you are driving in accepts that your home state has verified your identity and your ability to drive. When you use a credit card, the merchant accepting the card trusts that another company has verified your creditworthiness. A financial institution might want to provide seamless access for its high-value clients to financial market information provided by a third-party research firm.

b. Business applications: single sign-on and sign-off (e.g., access to multiple applications and services without having to authenticate individually to each application or service platform). For example, a government agency wanted its citizens to have a single login to all of the government services on the Internet and to be able to access services across the various departments seamlessly. This single login gives users a more convenient experience, motivates them to use online transactions, and reduces the operational cost of transacting within department branches.

c. Identity-based services:

i. Identifier, credential and attribute services.

ii. Bridging services (mapping and interworking of identity information in a heterogeneous environment).

iii. Pattern information services.

d. Security applications:

i. Access control for network and application services (e.g., VoIP, IPTV and data).

ii. Role-based access control to information, resources and assets.

iii. Authorization and privilege management.

iv. Security protection services (e.g., security features to protect network infrastructure resources and users'/subscribers' identity information and assets).

v. Protection of personally identifiable information (PII).


8. USE CASES

a. Mobile Banking Customer Identity Authentication

Mobile banking has emerged as a significant financial services channel. Mobile banking and other financial services enable customers to pay bills on the fly, check and transfer balances and even trade stocks. The proliferation of new payment products, such as mobile applications, especially at the front end of transactions where initial access is gained, generates ongoing concern about data security, identity theft, fraud and other risk-related issues among consumers, businesses, regulators and payments professionals.

[Figure: Mobile banking customer identity authentication]

Process flow:

i. The mobile user logs on to the banking site via the mobile device browser.

ii. Based on the pre-arrangement between the financial institution and the identity service provider, the user is redirected to the authentication site.

iii. As per the mechanism of the IdSP (identity service provider, e.g., VeriSign), the credentials necessary for authentication are provided to the user.

iv. The IdSP validates the mobile client credentials: the user credential and the device credential (mobile phone number, one-time password and other attributes).

v. The mobile client is then authenticated and passed forward to the banking system, which allows access to conduct financial transactions.

Categories covered:

• User

• Authentication server

• Primary authentication

• Federated identity management

• Single sign-on and sign-off

b. User delegation of access to personal data in a public cloud

i. Alice has subscribed to her own cloud storage provider and has created various files there containing personal data, one of which is her résumé or curriculum vitae (CV). Alice wishes to let her friend Bob read her CV file, so she needs to delegate read access to him. Bob is not a subscriber to this particular cloud provider and has no wish to register for yet another set of credentials for accessing yet another service. However, Bob does have an account with an identity provider that is part of the same federation as the cloud provider and is trusted by the cloud provider to correctly authenticate Bob.

ii. Alice tells the cloud provider that she wishes to delegate read access to a friend for a certain period of time, and the cloud provider returns a secret URL to her, which it has obtained from the delegation service.

iii. Alice gives this secret URL to her friend Bob. Bob clicks on the secret URL, which connects him to the delegation service, where he is asked to authenticate via his existing IdP. Bob authenticates and the delegation service delegates him access to the CV file (for as long as Alice has determined). Bob can now contact the cloud provider at any time throughout this period. When he does, he is asked to authenticate, which he does via his existing IdP, and he is then granted read access to Alice's CV. Once the delegation has expired he will no longer be granted access.

The secret URL can be one-time use or multiple-use. In the latter case Alice can give the secret URL to a group of people, who will each be granted read access to her CV. Since the URL itself is the capability, it must be unguessable and treated as a secret by Alice and its recipients.
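The delegation service from steps i to iii above, as an added example that is not the cloud provider's or the paper's own code: Alice creates a time-limited, one-time or multi-use secret URL for her file; whoever redeems it is identified by the federated (issuer, subject) identity from their own IdP, and every later access check is made against that identity until the delegation expires. The resource names, identities, base URL and time values are constructed for the example, and verification of the IdP assertion itself is assumed to have happened before redeem() or check_access() is called.

```python
import secrets


class DelegationService:
    """Issues secret URLs through which a user of another federated identity
    provider can obtain time-limited access to a resource owned by someone else."""

    def __init__(self, owners, base_url="https://delegation.cloud.example/d/"):
        self.owners = owners          # resource -> owning subscriber (constructed)
        self.base_url = base_url
        self.grants = {}              # secret token -> grant record
        self.acl = {}                 # (resource, federated identity) -> (right, expiry)

    def create(self, owner, resource, right, ttl, now, one_time=True):
        """Step ii: the owner asks for a delegation; returns the secret URL."""
        if self.owners.get(resource) != owner:
            raise PermissionError("only the resource owner may delegate access")
        token = secrets.token_urlsafe(32)   # 256-bit random capability: unguessable
        self.grants[token] = {
            "resource": resource, "right": right,
            "expires": now + ttl, "one_time": one_time, "uses": 0,
        }
        return self.base_url + token

    def redeem(self, url, federated_identity, now):
        """Step iii: the recipient opens the URL after authenticating at their own
        IdP; `federated_identity` is the (issuer, subject) pair from that already
        verified assertion. Binds the grant to that identity."""
        token = url.rsplit("/", 1)[-1]
        grant = self.grants.get(token)
        if grant is None:
            return False, "unknown link"
        if now >= grant["expires"]:
            return False, "delegation expired"
        if grant["one_time"] and grant["uses"] >= 1:
            return False, "link already used"
        grant["uses"] += 1
        self.acl[(grant["resource"], federated_identity)] = (grant["right"], grant["expires"])
        return True, "delegated"

    def check_access(self, resource, federated_identity, right, now):
        """Cloud provider side: called on every later visit, after the visitor has
        again authenticated via their IdP. Access ends when the delegation expires."""
        entry = self.acl.get((resource, federated_identity))
        if entry is None:
            return False
        granted_right, expires = entry
        return granted_right == right and now < expires


if __name__ == "__main__":
    svc = DelegationService(owners={"alice/cv.pdf": "alice"})
    bob = ("idp.friends.example", "bob")           # Bob's identity at his own IdP
    link = svc.create("alice", "alice/cv.pdf", "read", ttl=3600, now=0)
    print(svc.redeem(link, bob, now=10))                            # (True, 'delegated')
    print(svc.check_access("alice/cv.pdf", bob, "read", now=100))   # True
    print(svc.check_access("alice/cv.pdf", bob, "read", now=3600))  # False (expired)
```

Redeeming converts the bearer secret into an entry keyed on Bob's federated identity, so after the first visit the URL is no longer what grants access; a one-time link that leaks after Bob has used it gives the finder nothing.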

9. Identity Management in INDIA

a. UIDAI: The UIDAI has been created with the mandate of providing a unique identification number to all residents of India and of defining the usage and applicability of Aadhaar for the delivery of various services. It also provides online authentication using demographic and biometric data.

Aadhaar authentication offerings:

i. Type 1 Authentication: service delivery agencies can use the Aadhaar authentication system to match the Aadhaar number and the demographic attributes (name, address, date of birth, etc.) of a resident.

ii. Type 2 Authentication: allows service delivery agencies to authenticate residents through a one-time password (OTP) delivered to the resident's mobile number and/or email address present in the CIDR (Central Identities Data Repository).

iii. Type 3 Authentication: service delivery agencies can authenticate residents using one of the biometric modalities, either iris or fingerprint.

iv. Type 4 Authentication: a two-factor authentication offering with OTP as one factor and fingerprint or iris as the second factor.

v. Type 5 Authentication: allows service delivery agencies to use OTP, fingerprint and iris together for authenticating residents.

Service delivery agencies should select the appropriate authentication type based on their business requirements and service delivery risks.

b. e-Pramaan Project

e-Pramaan has been developed by the Department of Electronics and Information Technology (DeitY) to meet the increasing need for e-authentication of users accessing online services through the web or mobile. It provides a simple, convenient and secure way for users to access government services via the Internet or mobile.

Major components include:

i. Identity management (including credential registration)

ii. e-Authentication

iii. Single sign-on

iv. Aadhaar-based credential verification

AUTHENTICATION LEVELS:

The following levels of authentication are used:

i. Level 0: No authentication, for publicly available information.

ii. Level 1: Username- and password-based service, meant for low-sensitivity services.

iii. Level 2: Two-factor authentication (user ID, password and OTP), meant for PII and a moderate level of security.

iv. Level 3: User ID and password plus a digital certificate (hard or soft), meant for high-security services.

v. Level 4: User ID and password plus biometric authentication, meant for the highest-security services.


Central Government and State Government services will register with the various service delivery gateways and will call e-Pramaan services for authentication before the actual service is invoked.

10. IDM related work in ITU

Identity management work in ITU-T is concentrated in two Study Groups: SG 17, which has been designated the Lead Study Group on Identity Management, and SG 13, where some IdM work related to NGN networks has been completed.


11. CONCLUSION & Recommendations:

In the present scenario of multiple identities and a maze of passwords, end users and operators face problems of identity theft and of managing their various identities. People now have to carry multiple cards, each with a different set of information, as every identity proof (PAN card, Aadhaar card, passport, etc.) carries multiple pieces of information. Identity management allows operators to become a trusted provider in a world in which the boundaries between the web and the network are increasingly blurred. It can provide an efficient solution for the management of multiple identities, e.g. through single sign-on/sign-off capability, federation services, strong authentication services, etc. Hence there is a need to create a managed solution: an entity which can carry all the information, accessible through a single mode in a complete and secure environment.

Since SIM-based identity management solutions are being standardized, TSPs (telecom service providers) can play an important role in this regard.

Government can serve as convener, facilitator and catalyst to develop a standard set of frameworks and operating rules at the technical and policy level. DoT can also work with DeitY to develop an efficient solution for delivering identity-based government services, in which authentication-related activities are handled by DoT through TSPs providing SIM-based services and authentication mechanisms. A third-party model with multi-factor authentication can be used to develop a combined set of solutions for identity management for the Government of India. A SIM-based mechanism can be suggested as the solution for DoT, and multi-factor authentication can also be integrated with SIM-based authentication (login ID and password, fingerprint, etc.).

Considering the above, the recommendation is as follows:

Since SIM-based authentication requires less user involvement, policy needs to be developed with IdM in mind, which in turn will benefit both TSPs and end users. This will enhance the relevance of TSPs in providing application-based web services: in addition to being simply a bandwidth provider, they will also play a major role in user authentication.


Glossary

IDM - Identity Management

IDP - Identity Provider

IDSP - Identity Service Provider

SG - Study Group

VOIP - Voice over Internet Protocol

PII - Personally Identifiable Information

NGN - Next Generation Network

SP - Service Provider

CIDR - Central Identities Data Repository


REFERENCES

[1] ITU-T X.1252, "Baseline identity management terms and definitions".

[2] ITU-T Y.2720, "NGN identity management framework".

[3] ITU-T Y.2722, "NGN identity management mechanisms".

[4] ITU-T Y.2721, "NGN identity management requirements and use cases".

[5] ITU-T X.1250 series, "Supplement on overview of identity management in the context of cyber security".

[6] Nokia Siemens Networks, CEM identity management white paper.

[7] IDCloud-usecases-v1.0-cn01

[8] epramaan.gov.in/aboutep.jsp

[9] www.tml.tkk.fi/Publications/C/22/papers/Olkkonen_final.pdf

[10] JP2005-AusCERT