Research Directions in Identity Management


Dr. Bhavani Thuraisingham

The University of Texas at Dallas


Collaborators and co-authors of the presentation:



Prof. Latifur Khan and Prof. Murat Kantarcioglu

Students: Parveen Pallabi and Abin Chandrasekaran

The University of Texas at Dallas


Prof. Elisa Bertino

Purdue University


February 2007


Outline


Identity Management


Technologies


Our Research on Identity Assurance

- Policy Framework

- Data Management Framework

- Interoperability

- Coalition Data Sharing


Our Research in Biometrics and RFID

Identity Management


Biometric systems, RFID chips and other advanced
identification systems have provided tools for organizations
to identify and track supply chain and personnel.


Biometric identification/authentication is finding new
applications such as e-passports.


Identification technologies create unique challenges and
opportunities for businesses, governments and society
with respect to security and privacy


Need better, more reliable biometric systems, fail-safe
mechanisms for credential assignments and a common set of
best practices and standards.


Organizations using identification systems should devise
systematic ways to handle associated risks

Technologies: Biometrics


Biometrics are automated methods of recognizing a person based
on a physiological or behavioral characteristic

- Features measured: Face, Fingerprints, Hand geometry,
handwriting, Iris, Retina and Voice


Three steps: Capture - Process - Verification


Capture: A raw biometric is captured by a sensing device such as
a fingerprint scanner or video camera


Process: The distinguishing characteristics are extracted from the
raw biometric sample and converted into a processed biometric
identifier record


Verification and Identification

- Matching the enrolled biometric sample against a single record;
is the person really who he claims to be? (verification)

- Matching a biometric sample against a database of identifiers
(identification)
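
An added sketch, not from the original presentation, contrasting the two matching modes above: verification (one sample against one record) and identification (one sample against the whole database). The four-element feature vectors, the Euclidean distance and the 0.15 threshold are assumptions standing in for a real feature extractor and matcher.

```python
import math

# Constructed enrollment database: identity -> processed biometric
# identifier record (a short feature vector, for illustration only).
ENROLLED = {
    "alice": [0.12, 0.80, 0.35, 0.60],
    "bob":   [0.90, 0.10, 0.55, 0.20],
    "carol": [0.40, 0.45, 0.95, 0.05],
}
THRESHOLD = 0.15  # assumed maximum distance that still counts as a match


def verify(claimed_id, sample, db=ENROLLED, threshold=THRESHOLD):
    """1:1 match: compare the sample with the claimed identity's record only."""
    record = db.get(claimed_id)
    if record is None:                 # unknown identity: reject, never guess
        return False
    return math.dist(record, sample) <= threshold


def identify(sample, db=ENROLLED, threshold=THRESHOLD):
    """1:N match: search every record; return the closest identity or None."""
    best_id, best_distance = None, float("inf")
    for identity, record in db.items():
        d = math.dist(record, sample)
        if d < best_distance:
            best_id, best_distance = identity, d
    # The closest record is not a match unless it is also within the threshold.
    return best_id if best_distance <= threshold else None


# Constructed probe samples: a fresh capture of alice, and an unenrolled person.
FRESH_ALICE = [0.10, 0.82, 0.33, 0.62]
STRANGER = [0.50, 0.50, 0.50, 0.50]

if __name__ == "__main__":
    print(verify("alice", FRESH_ALICE), verify("bob", FRESH_ALICE))
    print(identify(FRESH_ALICE), identify(STRANGER))
```
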

Technologies: RFID


RFID (Radio Frequency Identifier) tags are transponders that
can be used for identification purposes of various entities like
passports, product tracking, automotive parts identification
and transport payments like in highway toll tags


They are basically devices that can emit and receive radio
waves within a specified region and enable the position
identification of a target object.


Recent research in RFID includes

- security and privacy

- RFID data management and warehousing



Our Approach


In an RFID or biometric system, data is collected from different
applications and processed, in part, in the front-end system and
in part at the back-end system (server)


The back-end access can occur over the Internet. This gives rise
to a challenging end-to-end identity management problem.


We need to provide identity assurance both for the front-end and
back-end subsystem as well as the network.


We envisage a system that we call an Identity Life Cycle
Management System that manages information about the credential
and the credential issuers.


We are focusing on Life Cycle Management System as well as the
front-end and back-end systems of an RFID and/or biometrics
system.


Policy Framework



Need appropriate policies that would allow administrators to
set up and tailor identity assurance processes.


We are devising the required policies and developing
languages to specify such policies.


We have identified two types of policies: Life Cycle
management policies and Access control policies.


Life cycle management policies govern the entire identity
management process


Access control policies control the entities that access the
information collected for identity purposes. We will discuss
both policies.


Life Cycle Management Policies



Issuer Certification & Accreditation: What level of trust can be
placed in various issuers? What level of trust can be placed in
various identity credentials?


Identity Proofing & Registration: What procedures should
exist to vet and issue the credential? How should individuals
enroll?


Credential Creation & Issuance: Who should create electronic
ID credentials? What data elements should be contained on
credentials?


Credential Lifecycle Management: What if the device
containing the credential is lost or stolen? What mechanisms
can be used to validate the identification credential over time?

Access Control Policies


The subjects who are the users and processes that access the
identity data


The objects that are the data to be protected (e.g., biometric
data and RFID data).


Subject’s access to the objects is controlled by the access
control policies.


These policies include policies for confidentiality, privacy,
trust, data provenance and integrity.

Additional Elements of the Policies


Identification of the classes of policies relevant in the context
of identity assurance and development of the corresponding
policy languages. Two relevant classes include life cycle
management policies and access control policies.


Development of interoperability techniques for multi-domain
systems, including sharing of identity policies and
information.


Development of a notion of “identity management process”
that would encompass all the steps in assuring identity
information flow, from policy formation and deployment to data
gathering and analysis and forensics.


Identity Management for Front-end System


The front-end system reads the data, performs some processing
and sends it to the backend.


One issue to be considered is the quality of data collected for
identity assurance.


While techniques to support the desired level of quality of data
and transactions in real-time applications have been studied,
quality of data for identity management has not been considered.


Furthermore, for identity management, we need to examine data
provenance as well. For example, where has the data come from?
What is the history of the data? Since the identity data will be
mostly used in the back-end for possibly real-time analysis, it
is important to determine the impact of the quality of data on
the effectiveness of the analysis.


Identity Management for Back-end System: Risk Management


A complete identity assurance solution must have a backend
system to store/process necessary information, to manage
risks associated with the underlying identification
technologies and to enforce organizational policies.


Analyze the requirements and best practices for flexible and
secure backend design that can be used with various
identification technologies for financial, healthcare and
defense sector applications.


Exploring risk management issues in identity assurance
systems due to the potential pitfalls of underlying
identification technologies.


How can the identification data stored in the backend system
be used without violating user privacy?


Identity Management for Back-end System: Data Management


RFID data share some common characteristics that we need to
understand in order to develop an efficient RFID data management
system for the backend.


RFID observations convey implicit meaning, which has to be
aggregated and mapped into high-level semantics.


RFID observations contain duplicate readings and/or missing
readings that need to be eliminated. Finally, RFID data are
temporal, streaming and in high volume, which demands an
efficient query processing mechanism and a scalable
representation of data.


Need a scalable and adaptable data management system for RFID
data. Furthermore, the system has to be secure so that
unauthorized individuals do not get access to the data.
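
An added example, not part of the original presentation, of the cleaning step described above: it drops duplicate reads, bridges short gaps left by missed reads, and maps the result to higher-level stay and movement events. The tuple layout, the reader and tag names and the `max_gap` threshold are assumptions, and it runs as a batch pass over a constructed sample rather than over a live stream.

```python
from collections import defaultdict

# Constructed raw observations: (timestamp_seconds, reader_id, tag_id).
RAW_READS = [
    (0, "dock-1", "TAG-A"), (0, "dock-1", "TAG-A"),    # duplicate read
    (1, "dock-1", "TAG-A"),
    (3, "dock-1", "TAG-A"),                            # read at t=2 was missed
    (4, "dock-1", "TAG-B"),
    (9, "gate-2", "TAG-A"),                            # tag now seen elsewhere
    (10, "gate-2", "TAG-A"), (10, "gate-2", "TAG-A"),  # duplicate read
    (20, "dock-1", "TAG-B"),                           # long gap: separate visit
]

def clean_and_aggregate(reads, max_gap=2):
    """Collapse raw reads into (tag, reader, first_seen, last_seen) stays.

    Exact duplicates are dropped. A gap of at most max_gap seconds between
    reads of one tag at one reader counts as a missed read and is bridged.
    """
    stamps_by_key = defaultdict(set)
    for ts, reader, tag in reads:
        stamps_by_key[(tag, reader)].add(ts)   # the set removes duplicates
    stays = []
    for (tag, reader), stamps in stamps_by_key.items():
        ordered = sorted(stamps)
        start = prev = ordered[0]
        for ts in ordered[1:]:
            if ts - prev > max_gap:            # too long to be a missed read
                stays.append((tag, reader, start, prev))
                start = ts
            prev = ts
        stays.append((tag, reader, start, prev))
    return sorted(stays, key=lambda s: (s[2], s[0]))

def movements(stays):
    """Derive (tag, from_reader, to_reader, time) events from ordered stays."""
    last_reader, events = {}, []
    for tag, reader, first_seen, _ in stays:
        if tag in last_reader and last_reader[tag] != reader:
            events.append((tag, last_reader[tag], reader, first_seen))
        last_reader[tag] = reader
    return events

if __name__ == "__main__":
    stays = clean_and_aggregate(RAW_READS)
    print(stays, movements(stays))
```
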


Interoperability


While standards are emerging for addressing interoperability
issues for biometric systems, several features such as semantic
heterogeneity have received limited attention.


Many biometric systems operate under the assumption that the
data/images to be compared are obtained using the same
sensor/system.


These systems may not be able to match or compare biometric
data originating from different sensors.


Some progress has been made in the development of common
data exchange formats to facilitate the exchange of feature sets
between vendors.


Little effort has been invested in the actual development of
algorithms and techniques to match these feature sets.


We are exploring the use of ontologies for specifying and
reasoning about biometric data

Identity Management in a Coalition Environment

[Figure: diagram with the labels Component Data/Policy for Agency A, Component Data/Policy for Agency B, Component Data/Policy for Agency C, Export Data/Policy (one per agency), and Data/Policy for Federation]

Our Biometrics and RFID Research


Biometrics:

- Novel Algorithms for Face Detection and Fingerprint matching
(IEEE ICTAI 2006 and ARES 2007)


RFID

- Privacy and security for the deployment of RFID.

- Secure management of RFID data

- XML-based Traceability of RFID data

- Technical reports submitted for publication


Privacy Preserving Surveillance


Working with Dallas NAFTA Association

Privacy Preserving Surveillance

[Figure: diagram with the labels Raw video surveillance data; Face Detection and Face Derecognizing system; Suspicious Event Detection System; Manual Inspection of video data; Suspicious people found; Suspicious events found; Report of security personnel; Comprehensive security report listing suspicious events and people detected; Faces of trusted people derecognized to preserve privacy]