TRANSCRIPT
Identity-based Service Interaction
Mohammad M. R. Chowdhury
Ph.D. candidate
UniK-University Graduate Center / University of Oslo
SWACOM meeting, Stavanger, June 8, 2007
SWACOM: WP2
About Me?
Education:
  Ph.D. candidate, UniK / University of Oslo, July 2006 - present
  M.Sc., Telecommunication Engineering, Helsinki University of Technology, 2004
  B.Sc., EEE, Bangladesh University of Engineering & Technology, 2002
Work experience:
  Ph.D. candidate, UniK (July 2006 - present)
  Deputy Superintendent Engineer, Radio Planning, GrameenPhone/Telenor, Bangladesh
  Lecturer, AIUB, Bangladesh
  RA & TA, University of Vaasa, Finland
Mohammad M. R. Chowdhury, SWACOM meeting, Stavanger June 08, 2007
Contents
• Identity: real world to digital world
• Related works
• Role-based identity
• Integrated identity mechanism for service access
• Controlling corporate and social identities in communities
• Semantic Identity (SemID)
• Conclusion
• Future works
• In philosophy, identity [1] is whatever makes an entity definable and recognizable, in terms of possessing a set of qualities or characteristics.
• Identity [1] is an umbrella term used throughout the social sciences for an individual's comprehension of him or herself as a discrete, separate entity.
• Digital identity [1] also has another common usage as the digital representation of a set of claims made by one digital subject about itself or another digital subject.
• An online identity [1] is a social identity that network users establish in online communities.
As more and more services become accessible in the digital world, digital identities and their management will play a vital role in secure service access and privacy.
Source: [1] Wikipedia
Identity: Real world to digital world
[Figure: real-world identities mapped onto digital-world identities; caption "Passwords everywhere".]
• Gartner (annual IT security summit, 2005): 80% of organizations will reach a password breaking point by 2007.
Our objectives
• How to represent the user's identity (role-based identity) and where to store it (SIM card + a secure identity space in the network)
• An integrated identity mechanism to interact with both remote and proximity services
• Community-aware identity management in corporate and social environments (through Semantic Web technology)
Related works
• "The Laws of Identity", by Kim Cameron: "... laws define a unifying identity metasystem that can offer the Internet the identity layer it needs."
• Windows CardSpace: "... uses a variety of virtual cards, each retrieving a security token from the identity provider that issued the card, for authentication and identification to services."
• SXIP: "... the user stores identity data at a Homesite (issued by SXIP). A website (SXIP membersite) consumes identity data by sending SXIP requests for user data to the Homesite. The Homesite authenticates and identifies users."
• Liberty Alliance Project: "... to establish open standards, guidelines and best practices for federated identity management. It allows consumers and users of Internet-based services and e-commerce applications to authenticate and sign on to a network or domain once from any device and then visit or take part in services from multiple Web sites."
• Smart card vendors (Gemalto, NXP): "... developed high-capacity SIM cards for identity provision, storing certificates, rights etc."
Related works (cont.)
• SXIP and CardSpace provide identity movement over the Internet only
• CardSpace always requires the user's own PC/terminal (to use the installed cards)
• No integrated approach for remote and proximity service access
• What are the alternatives to the numerous physical identities (cards) users currently carry?
• No notion of community-aware identity management and privacy assurance
Human roles
[Figure: human roles split into personal roles, corporate roles and social roles.]
Role-based Identity
• My digital identity
  – My personal identities (PID): identify ourselves in our very personal interactions, e.g. accessing financial services
  – My corporate identities (CID): identify ourselves in our corporate/professional interactions, e.g. accessing work premises, the office LAN/VPN
  – My social identities (SID): identify ourselves in our society/community/interpersonal interactions, e.g. access to address books, calendar, my community, friends, interests, preferences
Security infrastructure

Identity | Example                                  | Realisation        | Location | Security req.
PID      | Bank                                     | certificate + key  | SIM      | High
PID      | Home admittance                          | home entry key     | SIM      | High
CID      | Office admittance, temp. visit admittance | temp. entry key    | Network  | Medium
SID      | Preferences                              | FOAF               | Network  | Low
SID      | Attributes                               | FOAF               | Network  | Medium
SID      | Community relations                      | OWL                | Network  | Medium

ESIM (Extended SIM card): the SIM card might have two modules - Module 1: low sec. + medium sec.; Module 2: high sec.
Security Requirements
Three tiers of assurance about the user, with the example services as laid out in the figure:
• Have to know: bank transactions
• Need to know: messenger, email, intranet
• Nice to know: network access
Realisation (authentication strength):
• Nice to know: SIM card
• Need to know: SIM + PIN/password
• Have to know: SIM + PIN + PKI, OTP
What each tier unlocks:
• Nice to know: access to the network + access to the network identity space + access to SIDs
• Need to know: access to CIDs
• Have to know: access to PIDs
Integrated Identity Mechanism for Service Access
Fig. Generic architecture of integrated identity mechanism.
Technology is out there to control and manage a user's personal identities when interacting with services.
Example:
• e-identification through the SIM card (activating BankID in the SIM card through SIM + PKI): BankID in Norway and Sweden
Then what about controlling corporate and social identities (preferences, attributes etc.) in a community/group environment to access services or resources?
Expectation
• Mushfiq and Josef, members of the Communication group of UniK, can access each other's conference papers but can't access the pictures; only family members can see these. ---- Access resources based on relationships (corporate identity), partition data, add privacy
• Mushfiq knows Manav. So Manav can see which group Mushfiq belongs to, but can't see the other members of the group (as Manav is not a member of the Communication group). ---- Add privacy
• Can Maria see the photos taken by Frank? Maria is the mother of Paul, Frank is the father of Anna, and Paul and Anna are both members of class 2 of Sogn school. ---- Access resources based on relationships (corporate identity)
We propose Semantic Web technology to take care of these expectations.
Why Semantic Web?
• Current Web: only presents knowledge/web content to humans
• Semantic Web (SW): the next generation of the contemporary web, in which web content is expressed in a form that computers and software agents can understand, interpret and use, to find and share information more easily
• The Semantic Web comprises the standards and tools of XML, XML Schema, RDF, RDF Schema and OWL.
• We propose SemID (Semantic Identity), where OWL, the Web Ontology Language, is used to formalize and define the proposed identity management domain.
• OWL is chosen because it facilitates greater machine interpretability of Web content than XML, RDF and RDF Schema (RDF-S) do, by providing additional vocabulary along with a formal semantics.
• A FOAF-based ontology is public, so it cannot by itself support the privacy requirements.
SemID
• Is proposed to provide role-based access control and privacy assurance services in a project-oriented corporate working environment.
• Access control and privacy goals are achieved through formal definitions of policies and rules using OWL DL (a sub-language of OWL).
Use case: [figure]
Screen shots of the SemID ontology
• We model the ontology of the use case scenario using the Protégé-OWL ontology editor platform.
Object properties of the ontology:
• Identity has Group (hasGroup)
• Identity has Visibility (hasVisibility)
• Identity has Role (hasRole)
• Role has Policy (hasPolicy)
• Role has visibility of Group (hasVisibilityOfGroup)
• Policy has Rule (hasRule)
• Rule has Subject (hasSubject)
• Rule has Resource (hasResource)
• Rule has Action (hasAction)
• A Policy (P) represents the privileges reserved for each role in a community and is expressed through a set of Rules (R1, R2, ..., Rn). Therefore Policy P = {R1, R2, ..., Rn}.
• Essentially a Rule (R) is a function that takes an access request as input and yields a decision (permit, deny or not applicable).
• A Rule is composed of a Subject (S), a Resource (Res) and an Action (A).
• In this ontology the Subject refers to the Identity (CID) and the Resource refers to a project resource (deliverables, documents etc.). This is how the Rule takes care of the access control service.
• The hasVisibility and hasVisibilityOfGroup properties take care of privacy assurance.
For further details see www.semid.org
Now software (enterprise content management) can be developed based on the proposed ontology.
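The expectation scenarios above and the Policy/Rule model of SemID, worked through as an added Python example (this is not SemID's own code or ontology, which is expressed in OWL DL). It encodes Policy = {Rule}, Rule = (Subject, Resource, Action) -> permit / deny / not applicable, and the two visibility properties, then evaluates the Mushfiq/Josef/Manav and Maria/Frank cases. The people, groups and resource types come from the slides; the concrete rules, the deny-overrides combination, the closed-world reading that only an explicit permit grants access, the "knows" relation, and the derivation of a "parent" role from a parent-of relation are assumptions made for this example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    NOT_APPLICABLE = "not applicable"


@dataclass(frozen=True)
class Rule:
    """Rule = (Subject, Resource, Action) -> effect; Subject is the role held in the governing group."""
    subject_role: str
    resource_type: str
    action: str
    effect: Decision

    def matches(self, role, resource_type, action):
        return (role, resource_type, action) == (self.subject_role, self.resource_type, self.action)


@dataclass
class Group:
    name: str
    members: dict = field(default_factory=dict)  # identity -> role (hasGroup / hasRole)
    policy: list = field(default_factory=list)    # Rules of the group's roles (hasPolicy / hasRule)
    parents_get_role: str = ""                    # assumption: role derived from a parent-of relation
    name_visible_to_acquaintances: bool = True    # hasVisibility of the membership towards acquaintances


@dataclass(frozen=True)
class Resource:
    owner: str
    rtype: str
    group: str  # community whose policy governs this resource


class SemIdToy:
    def __init__(self):
        self.groups, self.knows, self.parent_of = {}, {}, {}

    def roles_in(self, who, gname):
        g = self.groups[gname]
        roles = {g.members[who]} if who in g.members else set()
        if g.parents_get_role and self.parent_of.get(who, set()) & set(g.members):
            roles.add(g.parents_get_role)  # assumed derivation: parent of a member -> "parent" role
        return roles

    def decide(self, who, res, action):
        """Evaluate the governing policy: deny overrides permit; no matching rule -> NOT_APPLICABLE."""
        effects = {r.effect for role in self.roles_in(who, res.group)
                   for r in self.groups[res.group].policy if r.matches(role, res.rtype, action)}
        if Decision.DENY in effects:
            return Decision.DENY
        return Decision.PERMIT if Decision.PERMIT in effects else Decision.NOT_APPLICABLE

    def allowed(self, who, res, action):
        return self.decide(who, res, action) is Decision.PERMIT  # closed policy: only permit grants access

    def visible_groups(self, viewer, target):
        """hasVisibility: an acquaintance may learn which groups the target belongs to."""
        if viewer != target and target not in self.knows.get(viewer, set()):
            return []
        return sorted(g.name for g in self.groups.values() if target in g.members
                      and (viewer == target or g.name_visible_to_acquaintances))

    def visible_members(self, viewer, gname):
        """hasVisibilityOfGroup: only members see the membership list."""
        return sorted(self.groups[gname].members) if viewer in self.groups[gname].members else []


def build_scenario():
    """The expectation scenario from the slides, as constructed data (the rules are assumed)."""
    s = SemIdToy()
    for g in (
        Group("Communication group, UniK", {"Mushfiq": "member", "Josef": "member"},
              [Rule("member", "conf_paper", "read", Decision.PERMIT)]),
        Group("Family of Mushfiq", {"Mushfiq": "family"},
              [Rule("family", "picture", "read", Decision.PERMIT)],
              name_visible_to_acquaintances=False),
        Group("Class 2, Sogn school", {"Paul": "pupil", "Anna": "pupil"},
              [Rule("parent", "photo", "read", Decision.PERMIT)], parents_get_role="parent"),
    ):
        s.groups[g.name] = g
    s.knows["Manav"] = {"Mushfiq"}
    s.parent_of.update({"Maria": {"Paul"}, "Frank": {"Anna"}})
    return s


PAPER = Resource("Mushfiq", "conf_paper", "Communication group, UniK")
PICTURE = Resource("Mushfiq", "picture", "Family of Mushfiq")
CLASS_PHOTO = Resource("Frank", "photo", "Class 2, Sogn school")

if __name__ == "__main__":
    s = build_scenario()
    print("Josef -> Mushfiq's paper:", s.decide("Josef", PAPER, "read").value)
    print("Josef -> Mushfiq's picture:", s.decide("Josef", PICTURE, "read").value)
    print("Manav sees Mushfiq's groups:", s.visible_groups("Manav", "Mushfiq"))
    print("Maria -> Frank's class photo:", s.decide("Maria", CLASS_PHOTO, "read").value)
```

Two design points matter in practice. First, "not applicable" is a distinct outcome from "deny": the evaluator returns it when no rule speaks to the request, and only `allowed()` collapses it into a refusal, so a misconfigured policy fails closed rather than open. Second, privacy is enforced by separate queries (`visible_groups`, `visible_members`) rather than by the access rules, mirroring the slides' split between hasPolicy/hasRule for access control and hasVisibility/hasVisibilityOfGroup for privacy assurance.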
Conclusion
• Role-based identity is proposed. It is distributed in nature (SIM + Network): PIDs in the SIM, CIDs in SIM + Network, SIDs in the Network.
• Identity-based service access is proposed using the mobile infrastructure to meet low to high security requirements. The mobile phone acts as the identity handler.
• Semantic Web technology can take care of the control of CIDs and SIDs in a community environment.
• SemID is proposed for the project-oriented corporate environment to deal with access control and privacy requirements.
Future works
• Extend the current SemID further to add more roles (like supervisors etc.)
• Concepts similar to SemID can be extended to the currently open social community domain to add privacy (LinkedIn and Facebook are open to all registered users!)
• Invoke identity management ontologies from the mobile environment to access services