Identity-based Service Interaction Mohammad M. R. Chowdhury Ph.D. candidate UniK-University Graduate Center / University of Oslo SWACOM meeting, Stavanger, June 8, 2007 SWACOM: WP2


Identity-based Service Interaction

Mohammad M. R. Chowdhury

Ph.D. candidate

UniK-University Graduate Center / University of Oslo

SWACOM meeting, Stavanger, June 8, 2007

SWACOM: WP2

About Me?

Education:
• Ph.D. candidate, UniK/Oslo University, July 06 - present
• MSc., Telecommunication Eng., Helsinki University of Technology, 2004
• BSc., EEE, Bangladesh University of Eng. & Tech., 2002

Work Experience:
• Ph.D. candidate, UniK (July 06 - present)
• Deputy Superintendent Eng., Radio Planning, GrameenPhone/Telenor, Bangladesh
• Lecturer, AIUB, Bangladesh
• RA & TA, University of Vaasa, Finland

Mohammad M. R. Chowdhury, SWACOM meeting, Stavanger June 08, 2007

Contents

• Identity: Real world to digital world
• Related works
• Role-based identity
• Integrated identity mechanism for service access
• Controlling corporate and social identities in communities
• Semantic Identity (SemID)
• Conclusion
• Future works

• In philosophy, identity1 is whatever makes an entity definable and recognizable, in terms of possessing a set of qualities or characteristics.

• Identity1 is an umbrella term used throughout the social sciences for an individual's comprehension of him or herself as a discrete, separate entity.

• Digital identity1 also has another common usage as the digital representation of a set of claims made by one digital subject about itself or another digital subject.

• An online identity1 is a social identity that network users establish in online communities.

As more services become accessible in the digital world, digital identities and their management will play a vital role in secure service access and privacy.

Source: 1 Wikipedia


Identity: Real world to digital world

(Figure: real-world identities mapped to digital-world identities. In the digital world today this means passwords everywhere.)

• Gartner says (annual IT security summit 2005) 80% of organizations will reach a password breaking point by 2007.


Our objectives

• How to represent user's identity (role-based identity) and where to store user's identity (SIM card + secure identity space in the network)

• Integrated identity mechanism to interact with both remote and proximity services

• Community-aware identity management in corporate and social environment (through semantic web technology)


Related works

• "The Laws of Identity" – by Kim Cameron: "……. laws define a unifying identity metasystem that can offer the Internet the identity layer it needs."

• Windows Cardspace – "…….. uses a variety of virtual cards, each retrieving a security token from the Identity Provider (that issued the card) for authentication and identification to services."

• SXIP – "……. User stores identity data at a Homesite (issued by SXIP). Website (SXIP membersite) consumes identity data by sending SXIP requests for user data from the Homesite. Homesite authenticates and identifies users."

• Liberty Alliance Project – "……. to establish open standards, guidelines and best practices for federated identity management. It allows consumers and users of Internet-based services and e-commerce applications to authenticate and sign on to a network or domain once from any device and then visit or take part in services from multiple Web sites."

• Smart card vendors – Gemalto, NXP: "…….. developed high-capacity SIM cards for identity provision, storing certificates, rights etc."


Related works (cont.)

• SXIP and Cardspace provide identity movement over the Internet only

• Cardspace always requires the user's PC/terminal (to use the installed cards)

• No integrated approach for remote and proximity service access

What are the alternatives to the numerous physical identities (cards) users currently carry?

• No notion of community-aware identity management and privacy assurance

We propose ’Role-based Identity’


Human roles (figure): Personal role, Corporate roles, Social roles

Role-based Identity

• My digital identity

– My personal identities (PID): Identify ourselves in our very personal interactions, e.g. access financial services

– My corporate identities (CID): Identify ourselves in our corporate/professional interactions, e.g. access work premises, office LAN/VPN

– My social identities (SID): Identify ourselves in our society/ community/ interpersonal interactions, e.g. access to address books, calendar, my community, friends, interests, preferences


Security infrastructure

Identity   Example                  Realisation          Location   Security Req.
PID        Bank                     certificate + key    SIM        High
PID        Home admittance          home entry key       SIM        High
CID        Office admittance
CID        Temp. visit admittance   Temp. entry key      Network    Medium
SID        Preferences              foaf                 Network    Low
SID        Attributes               foaf                 Network    Medium
SID        Community relations      OWL                  Network    Medium

ESIM (Extended SIM card): the SIM card might have two modules
- Module 1: low sec. + medium sec.
- Module 2: high sec.

Security Requirements

(Figure: three security levels, Have to know / Need to know / Nice to know, set against example services: Bank transactions; Messenger, email, Intranet; Network access.)

Realisation:

• Nice to know: SIM card

• Need to know: SIM + PIN/Password

• Have to know: SIM + PIN + PKI, OTP

• Nice to know: Access to network + Access to network identity space + Access SIDs

• Need to know: Access CIDs

• Have to know: Access PIDs

Integrated Identity Mechanism for Service Access

Fig. Generic architecture of integrated identity mechanism.


Technology is out there to control and manage a user's personal identities to interact with services.

Example:
• e-identification through a SIM card (activating BankID in the SIM card through SIM+PKI) – BankID in Norway, Sweden

Then what about controlling corporate and social identities (preferences, attributes etc.) in a community/group environment to access services or resources?

Motivation


Expectation

• Mushfiq and Josef, members of the Communication group of UniK, can access each other's conf. papers but can't access the pictures; only family members can see these ---- Access resources based on relationships (corporate identity), partition data, add privacy

• Mushfiq knows Manav. So, Manav can see which group Mushfiq belongs to, but can't see the other members of the group (as Manav is not a member of the Communication group). ----- add privacy

Expectation (cont.)

• Can Maria see the photos taken by Frank? Because Maria is the mother of Paul, Frank is the father of Anna, and Paul and Anna are both members of class 2 of Sogn school. --- Access resources based on relationships (corporate identity)

We propose Semantic Web Technology to take care of these expectations.

Why Semantic Web?

• Current Web – only presents knowledge/web content to humans

• Semantic Web (SW) – next generation of the contemporary web, in which web content is expressed in a form that can be understood, interpreted and used by computers and software agents to find, share and integrate information more easily.

• The semantic web comprises the standards and tools of XML, XML Schema, RDF, RDF Schema and OWL.

• We propose SemID (Semantic Identity) where OWL, Web Ontology Language is used to formalize and define the proposed identity management domain.

• OWL is chosen because it facilitates greater machine interpretability of Web content than that supported by XML, RDF, and RDF Schema (RDF-S) by providing additional vocabulary along with a formal semantics.

• An ontology based on foaf is public, so it cannot support privacy requirements.

SemID

• Is proposed to provide role-based access control and privacy assurance services in a project-oriented corporate working environment.

• Access control and privacy goals are achieved through the formal definition of policies and rules using OWL DL (a sub-language of OWL).

USE CASE:

Screen shots of SemID ontology

• We model the ontology of the USE CASE scenario using the Protégé-OWL ontology editor platform.

• Identity has Group (hasGroup).
• Identity has Visibility (hasVisibility).
• Identity has Role (hasRole).
• Role has Policy (hasPolicy).
• Role has visibility of Group (hasVisibilityOfGroup).
• Policy has Rule (hasRule).
• Rule has Subject (hasSubject).
• Rule has Resource (hasResource).
• Rule has Action (hasAction).

• A Policy (P) represents the privilege reserved for each role in a community and is expressed through a set of Rules (R1, R2, … Rn). Therefore Policy P = {R1, R2, … Rn}.

• Essentially a Rule (R) is a function that takes an access request as input and returns an action (permit, deny or not applicable).

• The Rule is composed of the Subject (S), Resource (R) and Action (A).

• In this ontology Subject refers to the Identity (CID) and Resource refers to a project resource (Deliverables, documents etc.). This is how the Rule takes care of the access control service.

• The hasVisibility and hasVisibilityOfGroup properties take care of privacy assurance.
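The Policy/Rule model above and the Expectation slides (Mushfiq, Josef, Manav) written out as running code. This is an added example, not SemID's own software or ontology; the group memberships, the "knows" relation, the deny-overrides-permit combining rule and all names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

PERMIT, DENY, NOT_APPLICABLE = "permit", "deny", "not applicable"

@dataclass(frozen=True)
class Request:
    subject: str   # the identity (CID) asking for access
    resource: str  # project resource class, e.g. "conf_paper"
    action: str    # e.g. "read"
@dataclass(frozen=True)
class Rule:  # hasSubject / hasResource / hasAction, plus the resulting effect
    subject_group: str  # applies to identities that are members of this group
    resource: str
    action: str
    effect: str  # PERMIT or DENY
# Constructed sample data (assumption) following the Expectation slides.
GROUPS: Dict[str, Set[str]] = {
    "CommunicationGroup": {"Mushfiq", "Josef"},
    "MushfiqFamily": {"Mushfiq", "MushfiqSpouse"},
}
KNOWS: Dict[str, Set[str]] = {"Manav": {"Mushfiq"}}  # foaf-style "knows"
# Policy P = {R1, ..., Rn}: the rules attached to the roles in these groups.
POLICY: List[Rule] = [
    Rule("CommunicationGroup", "conf_paper", "read", PERMIT),
    Rule("MushfiqFamily", "picture", "read", PERMIT),
]

def evaluate(req: Request, policy: List[Rule] = POLICY) -> str:
    """Rule as a function: access request -> permit / deny / not applicable.
    Assumption: deny overrides permit; no applicable rule means not applicable,
    which the resource server must treat as no access."""
    effects = {r.effect for r in policy
               if req.subject in GROUPS.get(r.subject_group, set())
               and r.resource == req.resource and r.action == req.action}
    if DENY in effects:
        return DENY
    return PERMIT if PERMIT in effects else NOT_APPLICABLE

def visible_groups(viewer: str, identity: str) -> Set[str]:
    """hasVisibility: group membership is visible to the identity itself
    and to identities that know it (Manav knows Mushfiq)."""
    if viewer != identity and identity not in KNOWS.get(viewer, set()):
        return set()
    return {g for g, members in GROUPS.items() if identity in members}

def visible_members(viewer: str, group: str) -> Set[str]:
    """hasVisibilityOfGroup: a group's member list is visible to members only."""
    members = GROUPS.get(group, set())
    return set(members) if viewer in members else set()
```

Josef's request for a conf. paper is permitted, his request for a picture is not applicable (so refused), and Manav can learn which groups Mushfiq is in without seeing who else is in them.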

For further details see www.semid.org

Now software (an enterprise content management system) can be developed based on the proposed ontology.

Screenshots of the Software

Conclusion

• Role-based identity is proposed. Distributed in nature (SIM + Network): PIDs in SIM, CIDs in SIM+Network, SIDs in Network.

• Identity-based service access is proposed using mobile infrastructure to meet low to high security requirements. Mobile phone as identity handler.

• Semantic Web can take care of the control of CIDs and SIDs in community environment.

• SemID is proposed in project oriented corporate environment to deal with access control and privacy requirements.


Future works

• Extend the current SemID further to add some more roles (like supervisors etc.)

• Concepts similar to SemID can be extended to the currently open social community domain to add privacy (LinkedIn and Facebook are open to all registered users!!)

• To invoke identity management ontologies from mobile environment to access services

Thank You

Comments or suggestions?