Networked Identity
Clark Thomborson
16 March 2012
for NIST

This seminar
• “Point identity” vs. social (networked) identity
• Applications:
  – Cookies as identifiers
  – Typology of identity federations (corporate ID provision)
  – New Zealand’s Identity Verification Service: pseudonyms with liveness and uniqueness properties
  – Eliciting and representing privacy requirements
• The Jericho Forum’s Identity Commandments: personas, roles; core identities, root identities

What is an “identity”?
Uniqueness (precision): an identity is knowledge about an entity and a population, sufficient to distinguish the entity from all other entities in the population.
  – A “k-identifiable entity” is in an equivalence class of size k; a 1-identifiable entity is uniquely identified. Learning more about the population may reduce k.
Persistence (accuracy: repeatability): if an entity is identifiable now, it will (probably) still be identifiable in the future.
  – Changes to populations, entities, and knowledge affect identifiability.
  – Persistence is often “defined away”, by assuming a static population and context.

Is an IP address an identifier?
Yes, if we
  – assume a static world (or require only weak persistence), or
  – have additional information to distinguish the current users of this address (or require only k-identifiability).
No, if we
  – require strong persistence and 1-identifiability, or
  – have insufficient additional information to identify an individual with the (contextually) required level of persistence and precision.
Both failure modes are routine in practice: NAT and carrier-grade NAT put many users behind one address (large k), and DHCP leases or mobile roaming move an address between users over time (weak persistence).
Networked Identity 4

Duns Scotus, 13th C.
Haecceity (“thisness”): information distinguishing an individual from any number of other individuals (in a given population).
Quiddity (“whatness”, or natura communis): information distinguishing a population from any number of other populations (in a given universe).

Current Practice: Point Id
We distinguish identification (a claim to an identity) from authentication (proof of, or support for, a claimed identity). Three types of identifiers and authenticators:
1. “What you know” (e.g. login/password)
2. “What you have” (e.g. smartcard)
3. “Who you are” (e.g. fingerprint)
Can we learn from Scotus? (We’re focussing on the individual, with no explicit reference to the population…)

A graph-theoretic view…
If we model
  – people (and things) as nodes,
  – their relations as edges,
  – visible attributes as node-labels, and
  – types of relations as edge-labels,
then
  – “What you are” is your node-label;
  – “What you have” is your possession-relation to your identifiable object;
  – “What you know” is a label describing a message, sent on your communication-relation path to an identity querent.

Reduction to Subgraph Isomorphism
Identification is a problem of subgraph isomorphism. Given a labeled graph P (the population) and a labeled graph Q (the query), how many “matches” are there for Q in P? Q can have wildcards (partial matches). The number of matches is the k of k-identifiability: one match identifies the entity, more than one leaves it only k-identifiable.
  – In “Who you are” identification, Q is a single node.
  – In “What you have” identification, Q is two nodes in a possessor-possessed relation.

Other types of identification
  – In “What you know” identification, Q is a communication-relation path, from the identified node to the querent.
There are some feasibility constraints:
  – In a “what you know” identification, there must be a bidirectional communication-relation path between the querent and the identified node (challenge / response).
  – In a “who you are” identification, the identified node must be in an observed-relation to a node that is on a communication-path to the querent.
  – In a “what you have” identification, an observation of the identifiable object, and of its “possession relation” (a.k.a. tethering) to the identified node, must be communicated to the querent.
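
The identification-as-matching idea above, and the k-identifiability of the “Is an IP address an identifier?” slide, as one added example (illustrative code, not part of the original slides). The population, the names, the IP addresses and the device serials are all constructed for the example; a query is a small labelled graph with optional wildcards, and the function returns k, the number of injective embeddings of the query in the population.

```python
# Added example: identification as counting matches of a labelled query graph Q
# in a labelled population graph P (illustrative code, not from the slides).
# The population below is constructed for the example; all names are made up.

WILDCARD = "*"   # a query label that matches any value


class Population:
    """A labelled graph: nodes carry attribute labels, edges carry a relation label."""

    def __init__(self):
        self.nodes = {}      # node id -> {attribute: value}
        self.edges = set()   # {(src, relation, dst)}

    def add_node(self, nid, **labels):
        self.nodes[nid] = labels

    def add_edge(self, src, relation, dst):
        self.edges.add((src, relation, dst))


def labels_match(query_labels, node_labels):
    """Every non-wildcard label in the query must be present with the same value."""
    return all(node_labels.get(k) == v
               for k, v in query_labels.items() if v != WILDCARD)


def count_matches(pop, qnodes, qedges):
    """Return k: the number of injective embeddings of Q = (qnodes, qedges) in pop.

    qnodes: list of (query node id, {label: value-or-WILDCARD})
    qedges: list of (query src, relation, query dst)
    k == 1 identifies a unique entity; k > 1 is only k-identifiable; k == 0 is no match.
    """
    qids = [q for q, _ in qnodes]
    qlabels = dict(qnodes)

    def edges_consistent(assign):
        return all((assign[s], rel, assign[d]) in pop.edges
                   for s, rel, d in qedges if s in assign and d in assign)

    def extend(i, assign):
        if i == len(qids):
            return 1
        q, total = qids[i], 0
        for nid, labels in pop.nodes.items():
            if nid in assign.values() or not labels_match(qlabels[q], labels):
                continue
            assign[q] = nid
            if edges_consistent(assign):
                total += extend(i + 1, assign)
            del assign[q]
        return total

    return extend(0, {})


def sample_population():
    """Constructed sample: a household of two behind one NAT address, plus Carol."""
    p = Population()
    p.add_node("alice", kind="person", ip="203.0.113.7", fingerprint="fp-a1")
    p.add_node("bob",   kind="person", ip="203.0.113.7", fingerprint="fp-b2")
    p.add_node("carol", kind="person", ip="198.51.100.9", fingerprint="fp-c3")
    p.add_node("card-0042", kind="smartcard", serial="0042")
    p.add_node("laptop-7",  kind="laptop")
    p.add_edge("alice", "possesses", "card-0042")
    p.add_edge("bob", "possesses", "laptop-7")
    p.add_edge("alice", "communicates-with", "bob")
    return p


def k_by_ip(pop, ip):
    # "Is an IP address an identifier?"  Q is a single node labelled with the address.
    return count_matches(pop, [("x", {"ip": ip})], [])


def k_by_fingerprint(pop, fp):
    # "Who you are": Q is a single node labelled with the biometric.
    return count_matches(pop, [("x", {"fingerprint": fp})], [])


def k_by_possession(pop, serial):
    # "What you have": Q is possessor --possesses--> object; the possessor's ip is a wildcard.
    return count_matches(pop,
                         [("holder", {"kind": "person", "ip": WILDCARD}),
                          ("obj", {"serial": serial})],
                         [("holder", "possesses", "obj")])


def k_by_ip_and_device(pop, ip, device_kind):
    # Extra information about the address's users shrinks the equivalence class.
    return count_matches(pop, [("x", {"ip": ip}), ("d", {"kind": device_kind})],
                         [("x", "possesses", "d")])
```

On the constructed population the shared address 203.0.113.7 gives k = 2, the address plus knowledge of who possesses the laptop gives k = 1, and a fingerprint or a smartcard serial gives k = 1 directly. The backtracking search is exponential in the size of Q in general, which is fine for the two- or three-node queries that “what you have” and “what you know” produce.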

Networked Identity
More complex Q: “What is your network?”
  – Your (partial) 1-neighbourhood is an extension of “what you have”, to include the people you can communicate with, observe, or control (Chinese: guanxi, or network).
  – Your (partial) 2-neighbourhood is an extension which includes your friend-of-friend (FOF) relations in Facebook or LinkedIn.
  – Tracking cookies in our browser can identify us…

Three Types of Relationships
Hierarchical:
  – A superior can observe and control its inferiors. A superior must disclose its (public) signing key, which is its cryptographic identity, to its inferiors, so that they can verify its instructions; an inferior is unable to observe its superior.
  – An inferior is unable to control its superior, except by performing or withholding services; the superior can reward or punish the inferior.
Peering:
  – A peer can communicate with other peers on a private network. Peers share an encryption key and a signing key: messages within the peerage are confidential and authentic. (Keys shared by the whole peerage authenticate a message as coming from some peer, not from a particular peer; telling peers apart needs the per-peer secrets discussed under “Identity in a Peerage”.)
Aliasing:
  – Entities can play multiple roles, in multiple organisations (as a peer, inferior, or superior). Entities use different identifiers (e.g. signing keys) when playing different roles.

Cookies as Identifying Agents
[Diagram: Alice’s browser on the WWW, with its alias Browser’; web sites WS1 and WS2 (aliases WS1’, WS2’) set cookies A1 and A2, which the browser stores; the sites keep the matching copies A1’ and A2’.]
Alice browses the WWW, visiting WS1 and WS2. Her browser stores A1, A2. Alice has a networked identity!

Identity in a Hierarchy
Entities in hierarchies have structural identities. Employee #1.2.3 is the third inferior of the second inferior of the king. Employee #1 is the king: the root of accountability. Asset #1.2.3.1 is controlled by #1.2.3.
Problems:
  – Structural changes (hires, fires, promotions) affect many identities. Solution: a local namespace for the hierarchy, so that an entity keeps its identifier when it changes position.
  – Hierarchical identities reveal structure: a security risk. Mitigations: censors, training, detection and (punitive) response, …

Identity in a Peerage
The only way to identify a peer is by messaging: “What is your mother’s maiden name?” “Let’s continue our previous discussion.” “Please sign your messages.”
Peers can eavesdrop on other peers, so challenges can’t be re-used: a fixed question and answer, once overheard, can be replayed by any peer. Diffie-Hellman key exchange: each entity publishes a value derived from its randomly-chosen secret which reveals nothing useful about that secret, and the two entities end up sharing a key that an eavesdropper cannot compute. Fresh challenges can then be answered with that key rather than with a re-usable secret.

Repeated Identifications
By using Diffie-Hellman or side-channels, peers can develop reliable pseudonyms. A peer need never reveal their “real name” to the peerage. The value of a pseudonym is in the reputation attached to it.
A Wikipedia problem: people who repeatedly abuse their ability to get a new pseudonym with a default reputation. Solution: a complex network (both peering and hierarchical).
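
The two preceding slides (eavesdropping peers, single-use challenges, Diffie-Hellman, persistent pseudonyms) as one added example; this is illustrative code, not code from the slides. The Diffie-Hellman group parameters are a toy assumption (a 127-bit Mersenne prime, far too small for real use; a deployment would use a standardised safe-prime or elliptic-curve group), the pseudonym construction is the author of this example’s choice, and the three peers are made up.

```python
# Added example (not from the slides): a peer identifies itself repeatedly
# under a pseudonym, using a Diffie-Hellman shared key and fresh challenges.
# Group parameters are a toy assumption for illustration only.
import hashlib
import hmac
import secrets

P = 2**127 - 1   # Mersenne prime; assumption for the example, not a real-world choice
G = 5


def _kdf(value):
    """Derive a 32-byte key from a group element."""
    return hashlib.sha256(value.to_bytes(16, "big")).digest()


class Peer:
    def __init__(self):
        self._x = secrets.randbelow(P - 2) + 1      # private DH exponent; never sent
        self.public = pow(G, self._x, P)            # what the peerage gets to see
        # The pseudonym is bound to the secret through the public value: reusing
        # the same secret in every session is what makes the pseudonym persistent.
        self.pseudonym = hashlib.sha256(self.public.to_bytes(16, "big")).hexdigest()[:16]
        self._keys = {}            # other pseudonym -> shared key
        self._outstanding = set()  # nonces this peer issued but has not yet consumed

    def agree(self, other_pseudonym, other_public):
        """DH: both sides compute g^(xy) without either secret crossing the wire."""
        self._keys[other_pseudonym] = _kdf(pow(other_public, self._x, P))

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def respond(self, verifier_pseudonym, nonce):
        return hmac.new(self._keys[verifier_pseudonym], nonce, hashlib.sha256).digest()

    def verify(self, prover_pseudonym, nonce, response):
        """Accept only a response to a nonce we issued and have not consumed before."""
        if nonce not in self._outstanding:
            return False                  # replayed, forged, or never issued
        self._outstanding.discard(nonce)  # each challenge is single-use
        expected = hmac.new(self._keys[prover_pseudonym], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_session():
    """One honest exchange, one replay, one impersonation attempt; returns the outcomes."""
    alice, bob, eve = Peer(), Peer(), Peer()
    alice.agree(bob.pseudonym, bob.public)
    bob.agree(alice.pseudonym, alice.public)

    nonce = bob.challenge()                        # Bob: "prove you are <alice's pseudonym>"
    resp = alice.respond(bob.pseudonym, nonce)
    first_ok = bob.verify(alice.pseudonym, nonce, resp)

    # Eve recorded (nonce, resp) from the peerage channel and plays it back.
    replay_ok = bob.verify(alice.pseudonym, nonce, resp)

    # Eve also saw both public values, but her own exponent gives g^(eb), not
    # g^(ab), so her answer to a fresh challenge does not verify under Alice's name.
    eve.agree(bob.pseudonym, bob.public)
    nonce2 = bob.challenge()
    forged_ok = bob.verify(alice.pseudonym, nonce2, eve.respond(bob.pseudonym, nonce2))

    return {"first_ok": first_ok, "replay_ok": replay_ok, "forged_ok": forged_ok,
            "keys_agree": alice._keys[bob.pseudonym] == bob._keys[alice.pseudonym]}
```

Two caveats a practitioner would add. First, the exchange authenticates continuity, not a person: on first contact nobody can tell who is behind a public value, so the pseudonym’s worth is exactly the reputation it accrues afterwards, as the slide says. Second, a fresh pseudonym is one `secrets.randbelow` away, which is the Wikipedia problem in miniature; the code cannot fix that, only the surrounding (hierarchical or peered) structure can.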

Complex Identity Structures: Peered
Corporations may join a peer group which manages their identities and reputations. The peers are aliased to corporate representatives.
[Diagram: Company X and Company Y each send a representative (R, S) into a Corporate Id Consortium P, where they appear as aliases R’, S’; C in Company X, acting as alias C’, deals with V in Company Y.]
Advantage: completely under the control of the peers.
Disadvantage: C’ must provide proof that they represent V, in each message to Z.

Corporate Id Provision: Hierarchical (1)
Company IT reps R, S may purchase identities from provider H, e.g. VeriSign.
[Diagram: Company X’s R and Company Y’s S hold identities R’, S’ issued by Corporate IdProvider H; C in X, as alias C’, deals with V in Y.]
Advantage: H strongly controls identities R’, S’.
Disadvantage: X and Y must use the same identity provider.
Other disadvantages: difficult for V to link C’ to X. Trustworthiness of H is difficult to assess and assure, especially if Y is not in the same jurisdiction as H.

Corporate Id Provision: Hierarchical (2)
Companies may be part of a larger hierarchy: a corporation or a government.
[Diagram: Company X and Company Y enrolled with a Corporate Registrar R; C in X, as alias C’, deals with V in Y.]
Advantage: legal accountability, if R is governmental.
Disadvantages: jurisdictional disputes, and identity confusions, if X or Y are enrolled in more than one registry; X or Y may not be willing to trust the same R.

Corporate Id Provision: Hierarchical (3)
Registrars may form peerages or hierarchies to provide interoperable identities.
[Diagram: Company X holds credentials X’ and X”, and Company Y holds Y’ and Y”, from Registrars R1 and R2; C in X, as alias C’, deals with V in Y.]
C’ should reveal X” to V. V should reveal Y” to C’.
Advantage: single sign-on, if you choose the right credential!
Disadvantage: multiple credentials are very confusing for users.

NZ’s IVS
[Diagram: the Crown; the DIA (Department of Internal Affairs); the IVS (Identity Verification Service); the GLS (Government Logon Service); a Referee; a Citizen; and service agencies SA1 and SA2. Identifiers shown: DIA Id, IVS VID, igovt VID, igovt UVID, “VID for SA1” and “VID for SA2” on the IVS side, “VID at SA1” and “VID at SA2” on the agency side, “Anon at SA2”, and transient session identifiers “SID for SA1” and “SID for SA2”.]
• A citizen can have at most one Verified ID (VID) at each agency.
• Anonymised IDs can be created.
• Session IDs are transient.

Advantage #1: representational
Our model represents the structural aspects of NZ’s government-issued identifiers in enough detail to exhibit:
  – Multiple identifiers for each citizen.
  – No citizen plays more than one identifiable role at each service agency.
  – Citizens may have any number of anonyms at a service agency.
  – Identifiers can be linked by the DIA but not by the service agencies: the DIA controls the core identity of each citizen.

Advantage #2: revelatory
In secure systems design textbooks, there are three ways to authenticate a claimed identity:
1. What you have (a token)
2. What you know (a password)
3. Who you are (a biometric)
The DIA consults a referee to authenticate a claimed identity! Referees are outside the range of the three usual types, but are a networked identity: in the graph model, a referee is a node on a communication path to the querent that vouches for the identified node.

Modelling Privacy Requirements
When modelling privacy, organisational boundaries are important but their internal details are unimportant.
New drawing conventions:
  – A hierarchical organisation is a tree of entities in hierarchical relations, drawn as a triangle.
  – A peerage is a set of communicating entities, drawn as a circle. [Tracy Thompson, “Circles of Change”, Stanford Social Innovation Review, Fall 2011]
  – Aliases are indicated by multiple, identical icons.
This is a planar dual of the drawing conventions in the prior slides.

Dramatis Personae
• Actors: Alfred, a consumer; BooksRus, a service provider; Judy, a judge.
• Objects: Alfred’s private information; BooksRus privacy policy.

Alfred’s Simplest Privacy Claim
[Diagram: Alfred’s private information inside Alfred’s “house”, with a single P+ annotation on the one alias that is permitted.]
Four annotations on potential aliases: Prohibited (P−), Permitted (P+), Obligated (O+), Exempted (O−).
The “house” shape implies that aliasing of its content is prohibited, unless specifically permitted. Houses are special cases of hierarchies (drawn as triangles).

Disclosure to Affiliates
• The BooksRus privacy policy permits the disclosure of customer-private data to its affiliates, partners, and providers, e.g. Food4U.
[Diagram: P+ annotations on the aliases at BooksRus and at Food4U, each paired with an O+ obligation.]
P+ by policy; but is this acceptable to Alfred?

A Privacy Context
• Alfred might want to know the identities of all relying parties (BooksRus, …) who can access his private information. This is a peerage R.
• If the peerage R uses multiple identity providers, then these form a peerage I.
• The “context” for Alfred’s ID provision is (I, R, p), where p is an object describing the purpose of this provision.

Review
• “Point identity” vs. social (networked) identity
  – A richer set of identification primitives, including referees.
  – A graph-theoretic model, rather than an information-systems/database model. Both have their strengths…
• Applications of this modelling approach
  – Cookies as identifiers
  – Typology of identity federations (corporate ID provision)
  – New Zealand’s Identity Verification Service: pseudonyms with liveness and uniqueness properties
  – Eliciting and representing privacy requirements

Identity Commandments v1.0 (Copyright (C) The Open Group 2011)
Identity and Core Identity
1. All core identities must be protected to ensure their secrecy and integrity.
• Core identifiers must never need to be disclosed, and are uniquely and verifiably connected with the related Entity.
• Core identifiers must have a verifiable level of confidence.
• Core identifiers must only be connected to a persona via a one-way linkage (one-way trust).
• An Entity has Primacy [primary control] over all the identities and activities of its personae.
• Entities must never be compelled to reveal a persona, or that two (or more) personae are linked to the same core identity.
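
The IVS properties from the “Advantage #1” slide (one VID per citizen per agency, anonyms, transient sessions, linkable by the DIA but not by the agencies) and the one-way core-to-persona linkage in the commandment just above, as one added example. This is illustrative code and not a description of the DIA’s actual scheme, which the slides do not give; the construction (a keyed one-way function over the core identity and the agency name, with the key held by the registrar) and all names are the assumptions of this example.

```python
# Added example (not from the slides): pairwise pseudonymous identifiers with a
# one-way link to a core identity. A registrar in the DIA's position derives one
# VID per citizen per agency with a key only it holds. Assumption: this is one way
# to obtain the properties on the IVS slide, not the DIA's real construction.
import hashlib
import hmac
import secrets


class Registrar:
    """Holds core identities and the only key that links a VID back to its core."""

    def __init__(self):
        self._link_key = secrets.token_bytes(32)   # never leaves the registrar
        self._core = {}                            # core id -> enrolment record
        self._index = {}                           # (agency, vid) -> core id

    def enrol(self, citizen_name, referee_vouches):
        """A referee (a networked identity, not a token/password/biometric) vouches at enrolment."""
        if not referee_vouches:
            raise ValueError("enrolment needs a referee")
        core = secrets.token_hex(16)
        self._core[core] = citizen_name
        return core

    def vid_for(self, core, agency):
        """Deterministic per (core, agency): a citizen gets at most one VID per agency."""
        if core not in self._core:
            raise KeyError("unknown core identity")
        tag = hmac.new(self._link_key, f"{agency}\x00{core}".encode(), hashlib.sha256)
        vid = "VID-" + tag.hexdigest()[:24]         # one-way: core is not recoverable without the key
        self._index[(agency, vid)] = core
        return vid

    @staticmethod
    def anon_for(agency):
        """An anonymised ID: fresh and unrecorded (assumption), so not even the registrar links it."""
        return f"ANON-{agency}-{secrets.token_hex(8)}"

    def link(self, agency, vid):
        """Only the registrar can map a VID back to the core identity."""
        return self._index.get((agency, vid))


class Agency:
    """A service agency sees only the identifiers presented to it."""

    def __init__(self, name):
        self.name = name
        self.seen = set()

    def login(self, identifier):
        self.seen.add(identifier)
        return f"SID-{secrets.token_hex(8)}"         # transient session ID


def linkable(agency_a, agency_b):
    """What two agencies could link by comparing their identifier stores."""
    return agency_a.seen & agency_b.seen


def demo():
    dia = Registrar()
    sa1, sa2 = Agency("SA1"), Agency("SA2")
    core = dia.enrol("Citizen", referee_vouches=True)

    vid1, vid1_again = dia.vid_for(core, "SA1"), dia.vid_for(core, "SA1")
    vid2 = dia.vid_for(core, "SA2")
    anon = Registrar.anon_for("SA2")

    sid1 = sa1.login(vid1)
    sid2 = sa2.login(vid2)
    sid3 = sa2.login(anon)

    return {
        "one_vid_per_agency": vid1 == vid1_again,
        "vids_differ_across_agencies": vid1 != vid2,
        "agencies_can_link": bool(linkable(sa1, sa2)),
        "dia_links_sa1": dia.link("SA1", vid1) == core,
        "dia_links_sa2": dia.link("SA2", vid2) == core,
        "dia_links_anon": dia.link("SA2", anon) is not None,
        "sessions_transient": len({sid1, sid2, sid3}) == 3,
    }
```

The same HMAC construction gives the Jericho one-way linkage: a persona (here a VID) can be derived from the core identity, but the core cannot be derived from the persona, and two personae cannot be shown to share a core, without the key. Whether the key sits with a registrar (the IVS slide: the DIA controls the core) or with the entity itself (the commandment: the Entity has Primacy over its personae) is exactly the design choice the two slides differ on.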

Root & Core Identity (Jericho)
Physical (real-world) entities have a “root identity”. Cyberworld entities have a core identity, which is common to all of its role-based identifiers.
[Diagram: root → core → persona → role → organisation.]
Core and root identities are necessary for accountability, but are highly private: they should only be revealed during legal procedures.

User-centric Personas
Most people are aware of having different personas for friendships and professional relationships. We show different aspects of our personality when we’re playing the role of “father” than when we’re playing the role of an “employee”.
We define our own personas: these are user-centric. Others define our roles: these are organisation-centric. We select a persona for each role that we play. We may be told that our persona is inappropriate for a role…
An alias is a matching of a persona to a role.

Representing JF IdEA
[Diagram: the cookie slide redrawn. Alice’s root (her physical identity) and Alice’s core (her cyber identity) sit behind her browser; Cookie A2 is a persona for Alice, and Cookie A2’ at WS2 is a role for Alice at WS2; A1 and A1’ at WS1 likewise.]
Alice’s browser shouldn’t reveal her “core” (which would link her other cyber Ids).
Alice’s browser shouldn’t reveal her “root” (physical Id).
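
The cookie scenario of the “Cookies as Identifying Agents” slide and the two “shouldn’t reveal” requirements just above, as one added example (illustrative code, not from the slides). The host names, the embedded tracker, and the two visits are constructed for the example: WS1 and WS2 are played by ws1.example and ws2.example, and the third party that both pages load is an assumption of this example, added to show the mechanism by which A1’ and A2’ become linkable.

```python
# Added example (not from the slides): how cookies A1, A2 become a networked
# identity. Host names, the tracker and the visits are constructed for the
# example; "ws1.example" and "ws2.example" stand in for WS1 and WS2.
import secrets
from http.cookies import SimpleCookie


class Browser:
    """Alice's browser: a cookie jar keyed by the host that set each cookie."""

    def __init__(self, accept_third_party=True):
        self.jar = {}                      # (host, cookie name) -> value
        self.accept_third_party = accept_third_party

    def store(self, host, top_level_host, set_cookie_header):
        """Store a Set-Cookie from `host` while the page at `top_level_host` is open."""
        if host != top_level_host and not self.accept_third_party:
            return                         # third-party cookie refused
        cookie = SimpleCookie()
        cookie.load(set_cookie_header)
        for name, morsel in cookie.items():
            self.jar[(host, name)] = morsel.value

    def cookies_for(self, host):
        """A host is only sent its own cookies: WS2 never sees A1 from the browser."""
        return {name: value for (h, name), value in self.jar.items() if h == host}


class Site:
    """A web site (or an embedded third party) that issues one random id per new visitor."""

    def __init__(self, host, embeds=()):
        self.host = host
        self.embeds = embeds               # third-party hosts its pages load
        self.log = {}                      # id -> set of top-level sites it was seen on

    def handle(self, cookies, top_level_host):
        """Record the visit; return a Set-Cookie header for a first-time visitor, else None."""
        vid = cookies.get("id")
        set_cookie = None
        if vid is None:
            vid = secrets.token_hex(8)
            set_cookie = f"id={vid}; Path=/"
        self.log.setdefault(vid, set()).add(top_level_host)
        return set_cookie


def visit(browser, site, sites):
    """Load `site`'s page, then every third-party resource it embeds."""
    header = site.handle(browser.cookies_for(site.host), site.host)
    if header:
        browser.store(site.host, site.host, header)
    for host in site.embeds:
        header = sites[host].handle(browser.cookies_for(host), site.host)
        if header:
            browser.store(host, site.host, header)


def simulate(accept_third_party=True):
    """Alice visits WS1 then WS2; both pages embed the same tracker."""
    tracker = Site("ads.example")
    ws1 = Site("ws1.example", embeds=("ads.example",))
    ws2 = Site("ws2.example", embeds=("ads.example",))
    sites = {s.host: s for s in (ws1, ws2, tracker)}
    alice = Browser(accept_third_party)
    visit(alice, ws1, sites)
    visit(alice, ws2, sites)
    return {
        # WS1's A1 and WS2's A2 are different random values: the sites cannot link them alone.
        "sites_share_an_id": bool(set(ws1.log) & set(ws2.log)),
        # The tracker's cookie rides along on both visits, so one id spans both sites.
        "tracker_linked": [hosts for hosts in tracker.log.values() if len(hosts) > 1],
    }
```

With third-party cookies accepted, the browser hands the tracker a “core” for Alice that neither WS1 nor WS2 could have built from its own cookie; with them refused, the tracker gets a fresh id on each visit and the link disappears. That is the concrete content of “Alice’s browser shouldn’t reveal her core”: the per-site cookies A1 and A2 are roles, and what the browser must not supply is anything that joins them.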