identity management - tectec.gov.in/pdf/studypaper/identity management approved.pdf
Identity management
Telecom Engineering Centre
TSA Division |
2
INDEX
1. Introduction…………………………………………………….3
2. Terminologies………………………………………………….3
3. Overview of Identity Management…………………………....4
4. Identity Management Models…………………………..……...6
5. Identity management framework……………………………….8
6. Authentication Methods………………………………………12
7. Identity Management services………………………………...14
8. Use Cases……………………………………………………...15
9. IDM in India…………………………………………………..16
10. IDM in ITU……………………………………………………18
11. Conclusion……………………………………………………19
12. Glossary………………………………………………………20
13. References…………………………………………………….21
1. INTRODUCTION
The rapid growth in the number of online services has led to an increasing number
of different identities that each user needs to manage. As a result, many people feel
overloaded with identities and suffer from password fatigue. This is a serious problem
and leaves people unable to control and protect their digital identities against identity
theft. As organizations grow and add services such as e-commerce and global remote
access to services, controlling who is accessing what kind of information also
becomes more difficult. Hence, to manage and secure identities, including the
maintenance of access-based services, identity management can provide the solution.
1.1 DEFINITION
A set of functions and capabilities (e.g., administration, management and maintenance,
discovery, communication exchanges, correlation and binding, policy enforcement,
authentication and assertions) used for:
• Assurance of the identity of an entity (e.g., users/subscribers, groups, user
devices, organizations, network and service providers, network elements and
objects, and virtual objects), and enabling business and security applications.
• Assurance of identity information (e.g., identifiers, credentials, attributes).
Thus identity management has two main parts:
i. Issuing users with credentials and unique identifiers during initial registration
phase.
ii. Authenticating users and controlling their access to services and resources
based on their identifiers & credentials during service operation.
2. Basic Terminologies
a. Entity: Something that has a separate and distinct existence within a context, for
example subscribers, users, network elements, networks, software elements, services,
devices and interfaces.
b. Attributes: Information bound to an entity which specifies the features and
characteristics of that entity, such as condition, quality or any other information
associated with it.
c. Identifier: One or more attributes used to identify an entity within a context.
d. Identity: The representation of an entity in the form of information elements which
allow entities to be sufficiently distinguished within a particular context.
e. Credential: An identifiable object that can be used to authenticate that the claimant
is what it claims to be and to authorize the claimant's access rights.
f. Identity Service Provider: An entity that verifies, maintains, manages and may
create and assign identity information of other entities. It is also responsible for
assigning attributes to an entity.
Correspondence between entities, identities and identifiers
The figure above illustrates that an entity, such as a person or an organization, may
have multiple identities and each identity may consist of multiple characteristics that
can be unique or non-unique identifiers.
3. OVERVIEW OF IDENTITY MANAGEMENT
The figure above shows the following:
a. Entities: In an NGN environment, where services are based on contexts and roles and are
accessed anywhere, anytime and from any device, multiple forms of identity-related
information may be associated with an entity. In addition, an entity may have one or
more identities based on context. Example entities include:
• Users and subscribers.
• User devices, network elements and objects.
• Organizations, groups, business enterprises and government enterprises.
• Network and service providers.
• Virtual objects.
b. Identity information: The identity information associated with an entity can be grouped as follows:
• Identifiers (e.g., subscription account, network element addresses, service provider
identifier).
• Attributes (e.g., email addresses, telephone numbers, URI, IP addresses, roles,
claims, privileges, authentication method, patterns and location).
• Credentials (e.g., digital certificates and tokens).
c. IdM functions and capabilities:
IdM functions and capabilities are used to increase confidence in identity information
of an entity and support or enhance business and security applications including
identity-based services.
Example IdM functions and capabilities are:
• Identity lifecycle management.
• Identity information organization, correlation and binding.
• Authentication, authentication assurance and assertion.
• Discovery and exchange of identity information.
• Functions and capabilities to bridge different IdM systems to facilitate
interoperability.
d. Business and security applications:
IdM functions and capabilities support, and may help to enhance, business and security
applications that use identity-based services.
4. Identity Management Models
a. Basic query/response information exchange model
This is the basic form of model, built on a query and response process that uses an
agreed-upon protocol and set of information. It is the common identity management
model in which service providers act as both credential provider and identifier
provider to their clients. They control the name space for a specific service domain
and allocate identifiers to users. A user gets a separate unique identifier from each
service/identifier provider he transacts with. In addition, each user has separate
credentials, such as passwords, associated with each of their identifiers. This model
can also be called isolated user identity management.
b. Three-party identity management model
Most systems involve more complex models, in which the relying party that receives the
claim is not the identity service provider. The function of the identity service provider
is separated from the relying party; the relying party, requiring a certain level of
authentication assurance, evaluates the response from the identity service provider.
The most common example of this model is the online banking transaction system,
which is elaborated later in this paper.
c. Federated User Identity Model
Identity federation can be defined as the set of agreements, standards and
technologies that enable a group of service providers to recognize user identifiers and
entitlements from other service providers within a federated domain. In a federated
identity domain, agreements are established between SPs (identity providers) so that
identities from different SP-specific identity domains are recognized across all
domains. These agreements include policy and technology standards. A mapping is
established between the different identifiers owned by the same client in different
domains, which links the associated identities. This results in a single virtual identity
domain, as illustrated in the figure above. When a user is authenticated to a single
service provider using one of their identifiers, they are considered to have been
identified and authenticated with all the other service providers as well. This happens
by passing assertions between service providers. Thus a user, once registered with one
SP, can access the services of the other SPs within the same federated domain.
The most familiar example of federated identity is the ATM network. We take for
granted that we can go to almost any ATM, both at home and abroad, and use an
ATM card to obtain money. Most banks will honor ATM cards issued by other banks
because of the trust relationships that exist between the banks and the standardized
protocols for performing ATM transactions.
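To make the assertion exchange concrete, here is an added Python example (not code from the paper or from any ITU-T recommendation): the SP that authenticated the user issues an assertion, and the relying SP verifies it and resolves the partner's identifier to its own through the identifier mapping that the federation agreements establish. The shared HMAC key, the domain names and the mapping entries are constructed assumptions; real federations normally rely on the issuing provider's public-key signature rather than a shared secret.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Assumption (constructed): the federation agreement between the two service
# providers is represented by a single shared HMAC key.
FEDERATION_KEY = b"constructed-federation-secret-not-from-the-paper"

# Assumption (constructed): the mapping, established when the federation was
# set up, between identifiers owned by the same client in different domains.
IDENTIFIER_MAP = {
    ("sp-a.example", "alice"): {"sp-b.example": "a.sharma"},
    ("sp-a.example", "bob"): {"sp-b.example": "b.kumar"},
}


def _sign(payload, key):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_assertion(issuer, subject, audience, key=FEDERATION_KEY, now=None, ttl=300):
    """The SP that authenticated `subject` asserts that fact for `audience`.
    The assertion is a base64url claims document plus an HMAC over it."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": int(now), "exp": int(now) + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload, key)


def verify_assertion(token, expected_audience, key=FEDERATION_KEY, now=None):
    """Return the claims if the assertion is authentic, addressed to this SP
    and unexpired; otherwise return None. Every failure is rejected the same
    way, so a caller cannot tell a forged assertion from a stale one."""
    now = time.time() if now is None else now
    try:
        encoded, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
        claims = json.loads(payload)
    except (ValueError, binascii.Error):
        return None
    if not isinstance(claims, dict):
        return None
    if not hmac.compare_digest(_sign(payload, key), sig):
        return None
    if claims.get("aud") != expected_audience:
        return None
    if now >= claims.get("exp", 0):
        return None
    return claims


def federated_login(token, local_domain, now=None):
    """Relying SP: accept the partner SP's assertion and resolve the subject to
    the identifier this SP knows the client by. Returns None on any failure
    or when no mapping exists for that client."""
    claims = verify_assertion(token, local_domain, now=now)
    if claims is None:
        return None
    return IDENTIFIER_MAP.get((claims.get("iss"), claims.get("sub")), {}).get(local_domain)
```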
d. User-centric identity management model
"User-centric" models (i.e., models that require full requesting-party control over the
use of their identities) are receiving significant attention and may also be mandated in
national and regional jurisdictions. All queries/responses are directed through the
requesting party. User-centric identity management approaches have received
significant attention for managing private and critical identity attributes. User-centric
identity management allows users to control their own digital identities. Users are
allowed to select their credentials when responding to an authenticator or attribute
requester; this gives users more rights and responsibility over their identity
information. However, current user-centric approaches mainly focus on interoperable
architectures between existing identity management systems without considering
privacy issues in depth. By allowing users to control their own digital identities, the
user can decide which identity attributes need to be shared with other trusted parties
and under what circumstances. As users have more rights and responsibilities over
their identity information, this provides better protection of the user's private
information.
5. IdM Framework
The framework consists of the following IdM functions and capabilities:
a. Identity lifecycle management:
Identity lifecycle management involves the processes and procedures associated with
the enrolment and issuance of identity data and information associated with an
identity of an entity.
b. Identity management (IdM) operation, administration, maintenance and provisioning (OAM&P) functions:
This includes operation, administration, maintenance and provisioning (OAM&P)
management functions and capabilities specifically related to the support of IdM. OAM&P
is a group of management functions that provide system or network fault indication,
performance monitoring, security management, diagnostic functions, configuration
and user provisioning.
c. Identity management (IdM) signaling and control functions:
This includes signaling and control functions and capabilities used for the support of
IdM services, capabilities and functions. This includes signaling and control for both
real-time and near-real time communications.
d. Identity management (IdM) federated identity functions:
This includes functions and capabilities for identity federation and support of
federated services.
e. Identity management (IdM) user and subscriber functions:
This includes functions and processes related to control by end users and subscribers
of their identity-related information (e.g., PII, personal preferences and location). This
includes functions to control, delegate and authorize the use and dissemination of
identity-related information.
f. Identity management (IdM) performance, reliability, and scalability:
This includes functions and procedures addressing performance, reliability and
scalability of IdM systems and solutions.
g. Identity management (IdM) security:
This includes functions and procedures addressing the security protection of IdM
systems, services and capabilities.
5.1 Identity Lifecycle Management
a. Proofing and Enrolment
This is the first step in creating an identity for an entity (e.g., subscriber, device,
organization, identity provider or object). This is the process in which an applicant
applies to become a subscriber of an identity provider.
Proofing includes verifying the attributes and claims associated with an identity. It
involves processes and procedures to verify and validate information when enrolling
an entity into an identity system.
b. Issuance and Revocation
Successful completion of the enrolment process results in the granting of a means
(e.g., a credential) by which the entity can be authenticated in the future. For
example, the issuance of credentials by an IdP binds them to the identity, or to a
related attribute (e.g., privilege or claim) of the identity, associated with an entity.
Identity revocation is the process of rescinding an identity and the associated
credentials. The party or system (e.g., the IdP) that issues an identity or
credential is responsible for the maintenance and protection of the information
associated with the identity. Revocation is required to prevent the continued use of an
identity or credential that is no longer valid or has suffered a security breach.
5.2 Identity management OAM&P functions
a. Data model and schema
Each NGN provider, federation or enterprise may have its own formats, schemas,
definitions or semantics to represent and share identity-related data and information.
The data model should facilitate interoperability between heterogeneous IdM systems
(e.g., identity data sources) within an identity provider domain (i.e., different supplier
products), between different identity providers (inter-network), and between different
federations (e.g., identity provider and web-services providers).
b. Identifier Management
An identifier is any designation that is used to represent the identity of an entity, such
as a user ID, a network ID, an e-mail address, a pseudonym, a group name, etc. The
overall effectiveness of IdM depends on the assurance of the individual identifiers
that may be correlated and bound to assure the identity of an entity.
c. Attribute Management
Identity attributes are descriptors of an entity, such as entity type, preferred IP
address, domain, address information and telephone number. Attributes may also contain
claims, rights, privileges, delegate lists and special restrictions.
The effectiveness of IdM depends on the assurance of the attributes that may be
correlated and bound to assure the identity of an entity. This includes the storing and
provisioning of attributes. Therefore, well-defined requirements and procedures for
the management of attributes need to be put in place.
d. Credential Management
Credentials are used to authenticate a claimed identity. Credentials include tokens,
user IDs, passwords, digital certificates, security matrices and biometrics. Entity
credential management encompasses the operational activities to create, issue and
manage the information used to authenticate identity claims.
e. Logging and Auditing
Logging and auditing functions and capabilities are important to the effectiveness of
IdM solutions. Example auditing and compliance measures include maintaining
security logs to satisfy accountability requirements, protecting and appropriately
using personal information, and providing notification to the appropriate systems or
entities (e.g., identity owners).
5.3 Identity management signaling and control functions
Signaling and control functions are used to discover and communicate trusted identity
information (e.g., identifiers, attributes, claims) associated with an entity (e.g.,
user/subscriber, group, organization, network element, service provider) to support
IdM services, functions and capabilities.
a. Discovery of Identity Information
In an evolving and dynamic environment, identity information and its sources are
also dynamic. Hence relying parties and entities need a structured means to
discover identity information, which also includes IdM function services and
capabilities.
Discovery also involves capabilities to include multiple IdPs in the NGN framework, as
there can be multiple IdPs. In situations where there is only one IdP (e.g., an enterprise),
there is no need for a discovery operation.
b. IdM Communications
This includes capabilities and functions to discover and exchange identity
information (e.g., identifiers, credentials and attributes) associated with an entity's
identity that is located in different network systems (e.g., a subscription server,
location server or presence server) within an identity provider network, so that it can
be correlated and verified (i.e., by an IdM application server providing authentication
and correlation functions) in order to provide identity assurance capabilities.
c. Correlation and binding
The identity information (e.g., identifiers, credential and attributes) may be correlated
to establish a binding to assure the identity of an entity. For example, the identity
information associated with a subscriber (e.g., UserID), a subscriber device (e.g.,
DeviceID), and location information may be correlated to establish a binding to
provide a higher assurance of the subscriber.
d. Authentication
Authentication is the process of establishing confidence in the binding between an
identity and the entity. One means for achieving authentication assurance is to
describe the objectives and guidelines necessary to quantify the risks that an entity is
who or what it claims to be. This includes establishing which entity identifiers are
more important than others in the identification process and why certain identifiers
used in authentication should not have the same authentication value.
e. User/subscriber functions and protection of PII
End users/subscribers need to be provided with applicable, intuitive interfaces and
capabilities to control their PII and to make informed decisions and give consent
regarding their personal data. End users/subscribers should be able to express their
privacy policies and preferences and negotiate the terms of data disclosure with the
identity service provider.
6. AUTHENTICATION METHODS
6.1 Authentication can basically be understood by the following categories:
a. Something the user is: biometrics (fingerprint or finger vein)
b. Something the user has: token, smart card
c. Something the user knows: password, PIN
6.2 Three types of combined authentication methods are considered:
a. Multifactor authentication: An authentication that uses multiple credentials from
two or more of the three categories of authentication factors. For example:
i. One-time password authentication that uses a hardware device and security
token.
ii. Authentication by a combination of PIN and finger vein.
iii. A combination of biometric and one-time password authentication.
b. Multi-method authentication: An authentication that uses multiple credentials
from the same category of authentication methods. For example:
i. A combination of one-time password and passphrase authentication.
ii. A combination of fingerprint and finger vein authentication.
c. Multiple authentication: An authentication that uses the same credential multiple
times from the same category of authentication methods. For example:
i. Double password authentication.
ii. Fingerprint authentication using multiple fingers.
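The three combination types above can be checked mechanically. The following Python classifier is an added example, not code from the paper; the credential table is constructed, and placing the one-time password value under "something the user knows" (with the device that generates it as the "has" factor) is an assumption chosen so that the classifier reproduces the paper's own examples.

```python
# Constructed table: which of the three categories each credential type
# belongs to. The OTP value itself is treated as something the user knows;
# the hardware token that generates it is the "something the user has".
FACTOR_CATEGORY = {
    "password": "knows", "passphrase": "knows", "pin": "knows", "otp": "knows",
    "hardware_token": "has", "smart_card": "has", "sim": "has",
    "fingerprint": "is", "finger_vein": "is", "iris": "is",
}


def classify_authentication(credentials):
    """Classify a list of credential types used together in one login.
    Repeats are allowed, e.g. ["password", "password"] is double password.
    Returns "single", "multifactor", "multi-method" or "multiple"."""
    if not credentials:
        raise ValueError("at least one credential is required")
    unknown = sorted({c for c in credentials if c not in FACTOR_CATEGORY})
    if unknown:
        raise ValueError("unknown credential type(s): %s" % ", ".join(unknown))
    if len(credentials) == 1:
        return "single"
    categories = {FACTOR_CATEGORY[c] for c in credentials}
    if len(categories) >= 2:
        return "multifactor"      # credentials from two or more categories
    if len(set(credentials)) >= 2:
        return "multi-method"     # different methods, same category
    return "multiple"             # the same credential used more than once


def factor_count(credentials):
    """Number of distinct categories (is / has / knows) represented."""
    return len({FACTOR_CATEGORY[c] for c in credentials})
```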
6.3 SIM-based Authentication:
This is a type of authentication from the category "something the user has".
A SIM with GBA (Generic Bootstrapping Authentication) and GAA (Generic
Authentication Architecture) on the network side can provide a robust and convenient
authentication mechanism for access to services and applications from mobile
devices. The user equipment authenticates itself to the operator's GAA service using
the existing 3G or 2G authentication protocols, and in the process receives new keys
which in turn allow access to the application. Its main advantage is its ability to use
the existing 3G authentication mechanism.
The figure below illustrates the basic mechanism of SIM-based authentication. Here UE
refers to the User Equipment, which is the user's mobile handset. The user logs on to
access an application service, and the application server in turn authenticates the
user directly using the SIM through its authentication server. After completion of
authentication, a unique ID is granted to the SIM, which in turn allows the user to
access the application.
UID - Unique Identifier
7. Identity Management Services
IdM enables the development of various applications, such as:
a. Federated services (e.g., access to services across different service providers or
identity providers). Federated identity management extends the idea of identity
management across company boundaries. It decouples identity authentication from
providing services. For example, when you drive a car in another state, the state
you're driving in accepts that your home state has verified your identity and your
ability to drive. When you use a credit card, the merchant accepting the card trusts
that another company has verified your creditworthiness. A financial institution
might want to provide seamless access for its high-value clients to financial
market information provided by a third-party research firm.
b. Business applications
Single sign-on and sign-off (e.g., access to multiple applications and services
without having to authenticate individually to each application or service platform).
For example, a government agency wanted its citizens to have a single login to all of
the government services on the Internet and to be able to access services across the
various departments seamlessly. This single login provides a convenient experience
for users, motivates them to use online transactions, and reduces the operational
costs of transacting within department branches.
c. Identity-based services
i. Identifier, credential and attribute services
ii. Bridging services (mapping and interworking of identity information in a
heterogeneous environment)
iii. Pattern information services
d. Security applications
i. Access control for network and application services (e.g., VoIP, IPTV and
data)
ii. Role-based access control to information, resources and assets
iii. Authorization and privilege management
iv. Security protection services (e.g., security features to protect network
infrastructure resources and users/subscribers identity information and
assets)
v. Protection of personally identifiable information (PII)
8. USE CASES
a. Mobile Banking Customer Identity Authentication:
Mobile banking has emerged as a significant financial services channel. Mobile
banking and other financial services enable customers to pay bills on the fly, check
and transfer balances and even trade stocks. The proliferation of new payment
products, such as mobile applications, especially at the front end of transactions,
where initial access is gained, generates ongoing concern around data security,
identity theft, fraud and other risk-related issues among consumers, businesses,
regulators and payments professionals.
Mobile Banking customer Identity authentication
Process Flow:
i. The mobile user logs on to the banking site via the mobile device browser.
ii. Based on a pre-arrangement, the user is directed to the authentication site as per
the financial institution's agreement with the identity service provider.
iii. As per the mechanism of the IdSP (Identity Service Provider), e.g. VeriSign, the
credentials necessary for authentication are provided to the user.
iv. The IdSP validates the mobile client credentials (user credential and device
credential: mobile phone number, one-time password and other attributes).
v. The mobile client is then authenticated and passed forward to the banking system,
which allows access to the system to conduct financial transactions.
Categories covered:
• User
• Authentication server
• Primary Authentication
• Federated Identity Management
• Single Sign on and off
b. User delegation of access to personal data in a public cloud
i. Alice has subscribed to her own cloud storage provider and has created various
files there containing personal data, one of which is her résumé or curriculum vitae
(CV) file. Alice wishes to let her friend Bob read her CV file, so she needs to delegate
read access to him. Bob is not a subscriber to this particular cloud provider, and
has no wish to register for yet another set of credentials for accessing yet another
service. However, Bob does have an account with an Identity Provider that is part
of the same federation as the cloud provider and is trusted by the cloud provider to
correctly authenticate Bob.
ii. Alice tells the cloud provider she wishes to delegate read access to a friend for
a certain period of time, and the cloud provider returns a secret URL to her,
which it has obtained from the delegation service.
iii. Alice gives this secret URL to her friend Bob. Bob clicks on the secret URL,
which connects him to the delegation service, where he is asked to authenticate via
his existing IdP. Bob authenticates and the delegation service delegates him access
to the CV file (for as long as Alice has determined). Bob can now contact the
cloud provider at any time throughout this period. When he does, he is asked to
authenticate, which he does via his existing IdP, and he is then granted read access
to Alice's CV. Once the delegation has expired he will no longer be granted access.
The secret URL can be one-time use or multiple-use. In the latter case Alice can
give the secret URL to a group of people who will each be granted read access to
her CV.
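Steps i to iii above, as an added Python example that is not from the paper or from the cloud use-case document it draws on: a minimal delegation service that issues the secret URL, records a read grant only after the URL holder authenticates at a federated IdP, enforces the expiry Alice chose, and distinguishes one-time from multiple-use URLs. The trusted IdP set, the base URL and the sample subjects are constructed.

```python
import secrets
import time

# Assumption (constructed): identity providers in the same federation as the
# cloud provider, i.e. the IdPs it trusts to authenticate delegates.
TRUSTED_IDPS = {"idp.example"}


class DelegationService:
    """Turns a resource owner's wish ("let a friend read this file until T")
    into a secret URL, and turns a redeemed URL plus a trusted IdP assertion
    into a time-limited read grant that the cloud provider can check."""

    def __init__(self, base_url="https://delegation.example/d/"):  # constructed
        self.base_url = base_url
        self._delegations = {}  # secret token -> delegation record
        self._grants = {}       # (resource, subject) -> expiry timestamp

    def create_delegation(self, owner, resource, ttl, one_time=True, now=None):
        """Step ii: the cloud provider requests a secret URL on the owner's behalf."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable: the URL is the capability
        self._delegations[token] = {"owner": owner, "resource": resource,
                                    "expires": now + ttl, "one_time": one_time,
                                    "used": False}
        return self.base_url + token

    def redeem(self, url, idp_assertion, now=None):
        """Step iii: the URL holder authenticates at a trusted IdP; on success a
        grant bound to that authenticated subject is recorded. Returns False if
        the URL is unknown, expired or already consumed, or if the assertion
        does not come from a federated IdP."""
        now = time.time() if now is None else now
        if not url.startswith(self.base_url):
            return False
        record = self._delegations.get(url[len(self.base_url):])
        if record is None or now >= record["expires"]:
            return False
        if record["one_time"] and record["used"]:
            return False
        if idp_assertion.get("idp") not in TRUSTED_IDPS or "subject" not in idp_assertion:
            return False
        self._grants[(record["resource"], idp_assertion["subject"])] = record["expires"]
        record["used"] = True
        return True

    def has_read_access(self, resource, subject, now=None):
        """The cloud provider's check each time an IdP-authenticated subject asks
        for the file; access stops at the expiry the owner chose."""
        now = time.time() if now is None else now
        expiry = self._grants.get((resource, subject))
        return expiry is not None and now < expiry
```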
9. Identity Management in INDIA
a. UIDAI: The UIDAI has been created with the mandate of providing a unique
identification number to all residents of India and defining the usages and
applicability of Aadhaar for the delivery of various services. It also provides online
authentication using demographic and biometric data.
Aadhaar Authentication offerings:
i. Type 1 Authentication: Through this offering, service delivery agencies can use the
Aadhaar Authentication system for matching the Aadhaar number and the
demographic attributes (name, address, date of birth, etc.) of a resident.
ii. Type 2 Authentication: This offering allows service delivery agencies to
authenticate residents through a One-Time Password (OTP) delivered to the resident's
mobile number and/or email address present in the CIDR (Classless Inter Domain
Routing).
iii. Type 3 Authentication: Through this offering, service delivery agencies can
authenticate residents using one of the biometric modalities, either iris or
fingerprint.
iv. Type 4 Authentication: This is a two-factor authentication offering with OTP as one
factor and fingerprint or iris as the second factor of authentication.
v. Type 5 Authentication: This offering allows service delivery agencies to use OTP,
fingerprint and iris together for authenticating residents.
Service delivery agencies should select the appropriate authentication type based on
their business requirements and service delivery risks.
b. e-Pramaan Project:
It has been developed by the Department of Electronics and Information Technology to
meet the increasing need for e-authentication of users accessing online services
through web/mobile. It provides a simple, convenient and secure way for users to
access government services via internet/mobile.
Major components include:
i. Identity Management (including credential registration)
ii. e-Authentication
iii. Single Sign-on
iv. Aadhaar-based credential verification
AUTHENTICATION LEVELS:
Four levels of authentication are being used:
i. Level 0: No authentication, for publicly available information.
ii. Level 1: User name and password based service. This is meant for low-sensitivity
services.
iii. Level 2: Two-factor authentication (user ID, password and OTP). Meant for PII
requiring a moderate level of security.
iv. Level 3: User ID and password and digital certificate (hard/soft). Meant for
high-security services.
v. Level 4: User ID and password plus biometric authentication. Meant for the
highest-security services.
Central Government and State Government services will register with the various service
delivery gateways and will call e-Pramaan services for authentication before the actual
service is invoked.
10. IDM related work in ITU
Identity Management work in ITU-T is concentrated in two Study Groups: SG 17,
which has been designated the Lead Study Group on Identity Management, and SG13,
where some IdM work related to NGN networks has been completed.
11. CONCLUSION & RECOMMENDATIONS
In the present scenario of multiple identities and a maze of passwords, end users and
operators face the problems of identity theft and the management of many identities.
People now have to carry multiple cards, each with a different set of information, as
every identity proof carries multiple pieces of information, as in the case of the PAN
card, Aadhaar card, passport, etc. Identity management allows operators to become a
trusted provider in a world in which the boundaries between the web and the network
are increasingly blurred. It can provide an efficient solution for the management of
multiple identities, e.g. using single sign-on/off capability, federation services, strong
authentication services, etc. Hence there is a need to create a managed solution by
developing an entity which can carry all this information, accessible through a single
mode in a complete and secure environment.
Since SIM-based identity management solutions are being standardized, TSPs
(Telecom Service Providers) can play an important role in this regard.
Government can serve as convener, facilitator and catalyst to develop a standard set
of frameworks and operating rules at the technical and policy level. DoT can also work
with DeitY on developing an efficient solution for delivering identity-based
government services, in which authentication-related activities can be handled by DoT
through TSPs providing SIM-based services and authentication mechanisms.
A third-party model with multifactor authentication can be used to develop a combined
set of solutions for identity management in relation to the Government of India. A
SIM-based mechanism can be a suggested solution for DoT, and multifactor
authentication can also be integrated with SIM-based authentication (login ID and
password, fingerprint, etc.).
Considering the above, the recommendation is as below:
Since SIM-based authentication requires less user involvement, policy needs to be
developed considering IdM, which in turn will provide an advantage to both TSPs and
end users. This will enhance the relevance of TSPs in providing application-based
web services: in addition to being simply a bandwidth provider, they will also
play a major role in user authentication.
Glossary
IDM - Identity Management
IDP - Identity Provider
IDSP - Identity Service Provider
SG - Study Group
VOIP - Voice over Internet Protocol
PII - Personally Identifiable Information
NGN - Next Generation Network
SP - Service Provider
CIDR - Classless Inter Domain Routing