
Thoughts on Personal Identity Platforms William I. MacGregor IDTrust 2010


Presentation Transcript


  1. Thoughts on Personal Identity Platforms
     William I. MacGregor
     IDTrust 2010

  2. Foreword
     This is a thought experiment… ...to show feasibility… ...and is doubtless reinvention.

  3. National Strategy for Secure Online Transactions
     “To improve trustworthiness and security of online transactions by … interoperable trust frameworks and … improved authentication technology and processes … across federal, civil, and private sectors.” - SecureIDNews, 1 Apr 2010, by Zack Martin
     • Protect Privacy: secure PII & transaction data
     • Defeat Fraud: reduce losses & improve recovery
     • Promote Confidence: increase trust in online transactions

  4. Three Questions
     • Could leakage of subject authenticators be prevented?
     • What are the characteristics of a solution to Question 1?
     • Does strong attribute assurance require strong identity assurance?

  5. Personal Identity Platform: An answer to Question 1
     [Diagram labels: Subject Authenticators (PIN, Password, Passphrase, etc.; Biometrics); Subject Authentication Vector; Subject Authentication; V1: Credential 1 … VN: Credential N; Platform Authentication (Crypto Authentication); Secure Online Transactions (Transaction 1)]
     The subject trusts the PIP to present only the selected credential; the relying party trusts the PIP to perform subject authentication first.

  6. Characteristics of PIP: An answer to Question 2
     • The PIP is a trust intermediary between the subject and relying party
     • Only the Subject Authentication Vector is known to Credentials
     • Credentials belong to the subject because they reside on the subject’s PIP
     • “Platform authentication” is also “SAML generation” or “session key agreement”

  7. Requirements for a PIP: Another answer to Question 2
     • The PIP must be available to, and controlled by, the subject
     • The PIP must be a competent computing device or system
       • HIDs, biometrics, crypto, comm, clock, etc.
     • The PIP must be coupled into the subject’s transaction stream
     What have I left out?

  8. Strong Attribute Assurance: An answer to Question 3
     [Diagram: numbered messages among Relying Party, Subject (PIP) and Attribute Provider]
     Message 1: E((Age>=21)?, KDH)
     Message 2: S((Age>=21, Bio, H(KDH))S?, FPN-Subject)
     Message 3: S((Age>=21, Bio, H(KDH)), FPN-AP)
     Message 4: E(S((Age>=21, Bio, H(KDH)), FPN-AP), KDH)

  9. The Result: The answer to Question 3: No
     • The PIP claims that FPN-Subject is bio authenticated, and the PIP in session H(KDH)
     • The AP claims that subject Age>=21 is bio authenticated, for PIP in session H(KDH)
     • The RP trusts the PIP and AP, so believes the authenticated subject has Age>=21
     • The AP does not learn the RP; the RP does not learn any static subject identifier

  10. About Attributes
     • Why have Attribute Providers and Identity Providers?
       • Go to the source: IDPs aren’t all sources
     • Why have dynamic attributes?
       • Attributes change: shouldn’t be in static credentials
     • Examples
       • Conditions of probation
       • Permit to carry
       • EMT certification

  11. Thanks for listening! Useful references
     • U-Prove: https://connect.microsoft.com/content/content.aspx?contentid=12505&siteid=642
       Selective attribute delivery designed to meet privacy objectives.
     • ISO/IEC 24727: http://csrc.nist.gov/publications/nistir/ir7611/nistir7611_use-of-isoiec24727.pdf
       Standard for construction of platforms like PIP.
     • SASSO: http://www.projectliberty.org/liberty/content/download/3960/26523/file/NTT-SASSO%20liberty%20case%20study.pdf
       Implementation of a federated IDP provider in a USIM smart card in a mobile phone.
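
The session binding described on slides 8 and 9, as an added example that is not part of the original presentation: it models only message 3 (the AP's signed claim) and the RP's check after message 4, and shows why H(KDH) sits inside the claim. Assumptions: S(claim, FPN-AP) is read as "claim signed by the AP", HMAC-SHA256 stands in for that signature, the E(..., KDH) transport encryption is omitted, and all function and key names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: HMAC stands in for a public-key signature so that only the
# standard library is needed; a real RP would hold just the AP's public key.
AP_KEY = secrets.token_bytes(32)  # constructed stand-in for the AP signing key


def session_tag(kdh: bytes) -> str:
    """H(KDH): hash of the PIP<->RP session key, the only session data the AP sees."""
    return hashlib.sha256(kdh).hexdigest()


def _encode(claim: dict) -> bytes:
    return json.dumps(claim, sort_keys=True).encode()


def ap_sign(attribute: str, bio_ok: bool, h_kdh: str) -> dict:
    """Message 3: the AP asserts the attribute for the PIP in session H(KDH)."""
    claim = {"attr": attribute, "bio": bio_ok, "h_kdh": h_kdh}
    sig = hmac.new(AP_KEY, _encode(claim), hashlib.sha256).hexdigest()
    return {"claim": claim, "sig": sig}


def rp_accepts(assertion: dict, wanted: str, kdh: bytes) -> bool:
    """RP check on the assertion carried in message 4, using its own KDH."""
    claim = assertion["claim"]
    expected = hmac.new(AP_KEY, _encode(claim), hashlib.sha256).hexdigest()
    return (
        hmac.compare_digest(expected, assertion["sig"])  # the AP issued this claim
        and claim["attr"] == wanted                      # it answers message 1
        and claim["bio"] is True                         # subject was bio authenticated
        and hmac.compare_digest(claim["h_kdh"], session_tag(kdh))  # this session only
    )


def demo() -> dict:
    kdh_a, kdh_b = secrets.token_bytes(32), secrets.token_bytes(32)  # two sessions
    good = ap_sign("Age>=21", True, session_tag(kdh_a))
    tampered = {"claim": dict(good["claim"], attr="Age>=65"), "sig": good["sig"]}
    return {
        "same_session": rp_accepts(good, "Age>=21", kdh_a),
        "replayed_in_other_session": rp_accepts(good, "Age>=21", kdh_b),
        "tampered_attribute": rp_accepts(tampered, "Age>=65", kdh_a),
    }


if __name__ == "__main__":
    print(demo())
```

The claim carries no subject identifier and no RP identifier, only the attribute, the Bio flag and H(KDH), which matches the last bullet of slide 9.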
