Identity-based Service Interaction


Identity-based Service Interaction

Mohammad M. R. Chowdhury

Ph.D. candidate

UniK - University Graduate Center / University of Oslo


SWACOM meeting, Stavanger, June 8, 2007

SWACOM: WP2

About Me

Education:

Ph.D. candidate, UniK/Oslo University, July 06 - present

MSc., Telecommunication Eng., Helsinki University of Technology, 2004

BSc., EEE, Bangladesh University of Eng. & Tech., 2002

Work Experience:

Ph.D. candidate, UniK (July 06 - present)

Deputy Superintendent Eng., Radio Planning, GrameenPhone/Telenor, Bangladesh

Lecturer, AIUB, Bangladesh

RA & TA, University of Vaasa, Finland

Mohammad M. R. Chowdhury, SWACOM meeting, Stavanger June 08, 2007

Contents

Identity: Real world to digital world

Related works

Role-based identity

Integrated identity mechanism for service access

Controlling corporate and social identities in communities

Semantic Identity (SemID)

Conclusion

Future works


In philosophy, identity [1] is whatever makes an entity definable and recognizable, in terms of possessing a set of qualities or characteristics.

Identity [1] is an umbrella term used throughout the social sciences for an individual's comprehension of him or herself as a discrete, separate entity.

Digital identity [1] also has another common usage as the digital representation of a set of claims made by one digital subject about itself or another digital subject.

An online identity [1] is a social identity that network users establish in online communities.

As more and more services become accessible in the digital world, digital identities and their management will play a vital role in secure service access and privacy.

Source: [1] Wikipedia

Identity: Real world to digital world

[Figure: real-world identities mapped to digital-world identities; passwords everywhere]

Gartner (annual IT Security Summit, 2005): 80% of organizations will reach a password breaking point by 2007.

Our objectives

How to represent the user's identity (role-based identity) and where to store the user's identity (SIM card + secure identity space in the network)

Integrated identity mechanism to interact with both remote and proximity services

Community-aware identity management in corporate and social environments (through semantic web technology)

Related works

"The Laws of Identity", by Kim Cameron

"... laws define a unifying identity metasystem that can offer the Internet the identity layer it needs."

Windows CardSpace

"... uses a variety of virtual cards, each retrieving a security token from the identity provider (that issued the card) for authentication and identification to services."

SXIP

"... The user stores identity data at a Homesite (issued by SXIP). A website (SXIP membersite) consumes identity data by sending SXIP requests for user data to the Homesite. The Homesite authenticates and identifies users."

Liberty Alliance Project

"... to establish open standards, guidelines and best practices for federated identity management. It allows consumers and users of Internet-based services and e-commerce applications to authenticate and sign on to a network or domain once from any device and then visit or take part in services from multiple Web sites."

Smart card vendors: Gemalto, NXP

"... developed high-capacity SIM cards for identity provision, storing certificates, rights etc."


Related works (cont.)

SXIP and CardSpace provide identity movement over the Internet only.

CardSpace always requires the user's PC/terminal (to use the installed cards).

No integrated approach for remote and proximity service access.

What are the alternatives to the numerous physical identities (cards) a user currently carries?

No notion of community-aware identity management and privacy assurance.




We propose 'Role-based Identity'

Human roles

[Figure: personal role, corporate roles, social roles]

Role-based Identity

My digital identity

My personal identities (PID): identify ourselves in our very personal interactions, e.g. access to financial services

My corporate identities (CID): identify ourselves in our corporate/professional interactions, e.g. access to work premises, office LAN/VPN

My social identities (SID): identify ourselves in our society/community/interpersonal interactions, e.g. access to address books, calendar, my community, friends, interests, preferences

Security infrastructure

Identity | Example                | Realisation       | Location | Security Req.
---------|------------------------|-------------------|----------|--------------
PID      | Bank                   | certificate + key | SIM      | High
PID      | Home admittance        | home entry key    | SIM      | High
CID      | Office admittance      |                   |          |
CID      | Temp. visit admittance | Temp. entry key   | Network  | Medium
SID      | Preferences            | foaf              | Network  | Low
SID      | Attributes             | foaf              | Network  | Medium
SID      | Community relations    | OWL               | Network  | Medium

ESIM (Extended SIM card): the SIM card might have two modules

- Module 1: low sec. + medium sec.

- Module 2: high sec.






Security Requirements

[Figure: three levels of security requirement, with example services]

Have to know: bank transactions

Need to know: messenger, email, intranet

Nice to know: network access

Realisation:

Nice to know: SIM card

Need to know: SIM + PIN/password

Have to know: SIM + PIN + PKI, OTP

Nice to know: access to the network + access to the network identity space + access to SIDs

Need to know: access to CIDs

Have to know: access to PIDs

Integrated Identity Mechanism for Service Access

Fig. Generic architecture of integrated identity mechanism.

Technology already exists to control and manage a user's personal identities for interacting with services.

Example:

e-identification through the SIM card (activating BankID in the SIM card through SIM + PKI)

BankID in Norway, Sweden

Then what about controlling corporate and social identities (preferences, attributes etc.) in a community/group environment to access services or resources?

Motivation

Expectation

Mushfiq and Josef, members of the Communication group of UniK, can access each other's conference papers but can't access the pictures; only family members can see these.
---- Access resources based on relationships (corporate identity), partition data, add privacy

Mushfiq knows Manav. So Manav can see which group Mushfiq belongs to, but can't see the other members of the group (as Manav is not a member of the Communication group).
----- add privacy

Can Maria see the photos taken by Frank? Maria is the mother of Paul, Frank is the father of Anna, and Paul and Anna are both members of class 2 of Sogn school.
--- Access resources based on relationships (corporate identity)

We propose Semantic Web Technology to take care of these expectations.

Why Semantic Web?

Current Web: only presents knowledge/web content to humans.

Semantic Web (SW): the next generation of the contemporary web, in which web content is expressed in a form that can be understood, interpreted and used by computers and software agents to find, share and combine information more easily.

The Semantic Web comprises the standards and tools of XML, XML Schema, RDF, RDF Schema and OWL.

We propose SemID (Semantic Identity), where OWL, the Web Ontology Language, is used to formalize and define the proposed identity management domain.

OWL is chosen because it facilitates greater machine interpretability of Web content than that supported by XML, RDF and RDF Schema (RDF-S), by providing additional vocabulary along with a formal semantics.

An ontology built on FOAF alone is public, so it cannot support privacy requirements.

SemID

Is proposed to provide role-based access control and privacy assurance service in a project-oriented corporate working environment.

Access control and privacy goals are achieved through the formal definitions of policies and rules using OWL DL (a sub-language of OWL).

USE CASE:

Screenshots of SemID ontology

We model the ontology of the use-case scenario using the Protégé-OWL ontology editor platform.


Identity has Group (hasGroup).

Identity has Visibility (hasVisibility).

Identity has Role (hasRole).

Role has Policy (hasPolicy).

Role has visibility of Group (hasVisibilityOfGroup).

Policy has Rule (hasRule).

Rule has Subject (hasSubject).

Rule has Resource (hasResource).

Rule has Action (hasAction).


A Policy (P) represents the privilege reserved for each role in a community and is expressed through a set of Rules (R1, R2, ... Rn). Therefore Policy P = {R1, R2, ... Rn}.

Essentially a Rule (R) is a function that takes an access request as input and returns a decision (permit, deny or not applicable).

The Rule is composed of the Subject (S), Resource (R) and Action (A).

In this ontology, Subject refers to the Identity (CID) and Resource refers to a project resource (deliverables, documents etc.). This is how a Rule takes care of the access control service.

The hasVisibility and hasVisibilityOfGroup properties take care of privacy assurance.
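The ontology properties listed above (hasGroup, hasVisibility, hasRole, hasPolicy, hasVisibilityOfGroup, hasRule, hasSubject, hasResource, hasAction) and the Policy/Rule semantics just described, worked through as an added Python example. This is not SemID's own code and is not taken from www.semid.org; it models the properties as plain objects and evaluates the UniK use case from the Expectation slides (Mushfiq, Josef, Manav, the Communication group). The resource kinds, the role names 'member' and 'family', the 'modify' deny rule, the 'Relative' identity and the group names are assumptions made for illustration. Access control (decide) and privacy assurance (visible_groups_of, visible_members) are kept as separate decisions, as the slides separate them.

```python
# Added example, not SemID's own code: the slides' ontology properties as Python
# objects plus an evaluator for the UniK use case (all names and rules assumed).
from dataclasses import dataclass
from enum import Enum

class Effect(Enum):
    PERMIT = "permit"
    DENY = "deny"
    NOT_APPLICABLE = "not applicable"

@dataclass(frozen=True)
class Resource:
    kind: str   # assumed categories: "conf_paper", "picture"
    group: str  # community in which the resource is shared

@dataclass(frozen=True)
class Rule:
    """hasSubject (a role), hasResource (a kind), hasAction, and the effect it yields."""
    subject_role: str
    resource_kind: str
    action: str
    effect: Effect

    def evaluate(self, role_name: str, res: Resource, action: str) -> Effect:
        if (role_name, res.kind, action) == (self.subject_role, self.resource_kind, self.action):
            return self.effect
        return Effect.NOT_APPLICABLE

@dataclass(frozen=True)
class Policy:
    """Policy P = {R1, ..., Rn} (hasRule); an explicit DENY overrides PERMIT."""
    rules: tuple

    def evaluate(self, role_name: str, res: Resource, action: str) -> Effect:
        outcomes = {r.evaluate(role_name, res, action) for r in self.rules}
        for verdict in (Effect.DENY, Effect.PERMIT):  # deny-overrides combining
            if verdict in outcomes:
                return verdict
        return Effect.NOT_APPLICABLE

@dataclass(frozen=True)
class Role:
    name: str
    group: str                 # hasGroup: community in which the role is held
    policy: Policy             # hasPolicy
    visible_groups: frozenset  # hasVisibilityOfGroup: member lists this role may read

@dataclass(frozen=True)
class Identity:
    name: str              # the CID
    roles: tuple           # hasRole
    visible_to: frozenset  # hasVisibility: identities that may learn my groups

    def groups(self) -> set:
        return {r.group for r in self.roles}

def decide(requester: Identity, res: Resource, action: str) -> Effect:
    """Access control: only roles held in the resource's group are consulted;
    the enforcement point must treat NOT_APPLICABLE as deny (deny by default)."""
    for role in requester.roles:
        if role.group == res.group:
            outcome = role.policy.evaluate(role.name, res, action)
            if outcome is not Effect.NOT_APPLICABLE:
                return outcome
    return Effect.NOT_APPLICABLE

def visible_groups_of(viewer: Identity, target: Identity) -> set:
    """Privacy via hasVisibility: viewer learns target's groups only if target lists viewer."""
    return target.groups() if viewer.name in target.visible_to else set()

def visible_members(viewer: Identity, group: str, directory: tuple) -> set:
    """Privacy via hasVisibilityOfGroup: listing members needs a role allowed to see the group."""
    if not any(group in r.visible_groups for r in viewer.roles):
        return set()
    return {i.name for i in directory if group in i.groups()}

# Constructed instance of the Expectation slides' use case (names and rules assumed).
COMM, FAMILY = "UniK Communication group", "Mushfiq family"
member_policy = Policy((Rule("member", "conf_paper", "read", Effect.PERMIT),
                        Rule("member", "conf_paper", "modify", Effect.DENY)))  # assumed rule
family_policy = Policy((Rule("family", "picture", "read", Effect.PERMIT),))
MEMBER = Role("member", COMM, member_policy, frozenset({COMM}))
RELATIVE = Role("family", FAMILY, family_policy, frozenset({FAMILY}))
mushfiq = Identity("Mushfiq", (MEMBER, RELATIVE), frozenset({"Manav", "Josef"}))
josef = Identity("Josef", (MEMBER,), frozenset({"Mushfiq"}))
manav = Identity("Manav", (), frozenset())  # knows Mushfiq, holds no role anywhere
relative = Identity("Relative", (RELATIVE,), frozenset())
DIRECTORY = (mushfiq, josef, manav, relative)
paper = Resource("conf_paper", COMM)
pictures = Resource("picture", FAMILY)

def run_use_case() -> dict:
    return {
        "josef_reads_paper": decide(josef, paper, "read"),               # PERMIT
        "josef_modifies_paper": decide(josef, paper, "modify"),          # DENY
        "josef_reads_pictures": decide(josef, pictures, "read"),         # NOT_APPLICABLE -> denied
        "relative_reads_pictures": decide(relative, pictures, "read"),   # PERMIT
        "manav_sees_mushfiq_groups": visible_groups_of(manav, mushfiq),  # {COMM, FAMILY}
        "manav_lists_members": visible_members(manav, COMM, DIRECTORY),  # set()
        "josef_lists_members": visible_members(josef, COMM, DIRECTORY),  # {"Mushfiq", "Josef"}
    }
```

Two design points a practitioner should carry over when turning the ontology into software: a Rule that matches nothing returns "not applicable", and the enforcement point must turn that into a refusal rather than fall through to a default allow; and the privacy properties are evaluated independently of the access-control policy, so Manav learning Mushfiq's group (hasVisibility) never implies Manav can enumerate the group (hasVisibilityOfGroup) or read its resources.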



For further details see www.semid.org

Now software (e.g. enterprise content management) can be developed based on the proposed ontology.

Screenshots of the software

Conclusion

Role-based identity is proposed.

Distributed in nature (SIM + Network)

PIDs in SIM, CIDs in SIM + Network, SIDs in Network.

Identity-based service access is proposed using mobile infrastructure to meet low to high security requirements.

Mobile phone as identity handler.

Semantic Web can take care of the control of CIDs and SIDs in a community environment.

SemID is proposed in a project-oriented corporate environment to deal with access control and privacy requirements.

Future works

Extend the current SemID further to add some more roles (like supervisors etc.)

Concepts similar to SemID can be extended to the currently open social community domain to add privacy (LinkedIn and Facebook are open to all registered users!!)

To invoke identity management ontologies from the mobile environment to access services

Thank You

Comments or suggestions?