AusCERT Conference 2005
User Centric Identity Management
Audun Jøsang and Simon Pope
CRC for Enterprise Distributed Systems Technology (DSTC Pty Ltd)∗
The University of Queensland,4072,Australia
{ajosang,simon.pope}@dstc.edu.au
Abstract
Identity management is traditionally seen from the service providers' point of view, meaning that it is an activity undertaken by the service provider to manage service user identities. Traditional identity management systems are designed to be cost effective and scalable primarily for the service providers, but not necessarily for the users, which often results in poor usability. Users are, for example, often required to memorise multiple passwords for accessing different services. This represents a minor inconvenience if users only access a few online services. However, with the rapid increase in the uptake of online services, the traditional approach to identity management is already having serious negative effects on the user experience. The industry has responded by proposing new identity management models to improve the user experience, but in our view the proposals give little relief to users at the cost of a relatively high increase in server system complexity. This paper takes a new look at identity management, and proposes solutions that are designed to be cost effective and scalable from the users' perspective, while at the same time being compatible with traditional identity management systems.
1 Introduction
When making services and resources available through computer networks, there is often a need to know who the users are and to control what services they are entitled to use. In this context, identity management has two main parts, where the first consists of issuing users with credentials and unique identifiers during the initial registration phase, and the second consists of authenticating users and controlling their access to services and resources based on their identifiers and credentials during the service operation phase. A problem with many identity management systems is that they are designed to be cost effective from the perspective of the service providers (SP), which sometimes creates inconvenience and poor usability from the users' perspective.
In addition to being SP centric, traditional identity management systems have largely ignored that it is often equally important for users to be able to identify service providers, as it is for service providers to authenticate users. In the case of online service provision through the web, user authentication typically takes place on the application layer, whereas SP authentication takes place on the transport layer through the SSL protocol.
∗The work reported in this paper has been funded in part by the Co-operative Research Centre for Enterprise Distributed Systems Technology (DSTC) through the Australian Federal Government's CRC Programme (Department of Education, Science, and Training).
However, the common scam called password phishing illustrates the difficulty of service provider authentication with SSL. The practice is perpetrated by attackers posing, for example, as online banks and sending out spam email to people asking them to log on to false, but genuine looking web sites, which allows the attackers to "phish" identifiers and passwords from unsuspecting users. The problem is not due to weak authentication mechanisms, but is due to poor usability of the current SSL security model. Although strong cryptographic mechanisms are being used, it can be difficult for users to know which SP identity has been authenticated. Improved usability, not strengthened cryptography, is needed in order to strengthen users' ability to authenticate service providers in Web interactions.
This paper describes an emerging approach, called user-centric identity management, that focuses on usability and cost effectiveness from the users' point of view, and that is also compatible with traditional identity management models.
2 Identity and Related Concepts
An identity is a representation of an entity in a specific application domain. For example, the registered personal data of a bank customer, and possibly also the customer's physical characteristics as observed by the bank staff, constitute the identity of that customer within the domain of that bank. Identities are usually related to real world entities. Typical real world entities are people or organisations. A simplifying assumption is that a single identity can not be associated with more than one entity. Shared entities may exist, for example a family identity that corresponds to several people in a family unit. However, as far as the service provider is concerned, it is dealing with one real world entity (the family) and not with multiple individuals. A person or organisation may have zero or more identities within a given domain. For example, a person may have two identities in a school system because he or she is both a parent and a teacher at the school. The rules for registering identities within a domain determine whether multiple identities for one entity are permitted. Even if forbidden, multiple identities for the same entity may still occur in error or because of fraud. A person may of course have different identities in different domains. For example, a person may have one identity associated with being a customer in a bank and another identity associated with being an employee in a company.
An identity consists of a set of characteristics, which are called identifiers when used for identification purposes. The characteristics may or may not be unique within the identity domain. They can have various properties, such as being transient or permanent, self-selected or issued by an authority, suitable for human interpretation or only by computers. The possible characteristics of an identity may differ, depending on the type of real world entity being identified. For example, a date of birth applies to people, but not to organisations; a national company registration number applies to a company, but not to a person.
The relationship between entities, identities and characteristics/identifiers is shown in Fig. 1 below.
The figure illustrates that an entity, such as a person or an organisation, may have multiple identities, and each identity may consist of multiple characteristics that can be unique or non-unique identifiers.
It should be noted that the separation between identity and identifier is blurred in common language usage. The term "identity" is often used in the sense of "identifier", especially when an identity is recognised by a single unique identifier within a given context. For clarity, the terms "identity" and "identifier" will be used with their separate specific meanings throughout this paper.
Figure 1: Correspondence between entities, identities and characteristics/identifiers.

An identity domain is a domain where each identity is unique. A name space of unique identifiers in a domain allows a one-to-one relationship between identities and identifiers. Not every identity characteristic can be used as a unique identifier: for example, a date of birth does not uniquely identify an individual person, because two or more people can have the same date of birth. A name space of unique identifiers is usually designed based on specific criteria which, for example, could be that the identifiers must be suitable for memorisation by a human or only readable by a computer, that all identifiers have a fixed length or that they can have flexible length etc. It can be quite challenging to define a good name space, and in general, the larger the domain (i.e. the more entities one needs to identify), the more difficult it is to define a suitable name space of unique identifiers. For example, a name space of unique identifiers for all humans seems to be politically and practically impossible to achieve. Name spaces must be carefully designed, because a poor name space design that must be changed at a later stage can result in significant extra costs. For example, when it became clear that the current 32 bit name space of fixed length Internet Protocol addresses in IPv4 would become too small, a new name space with 128 bits was designed for IPv6, with the result that IPv4 and IPv6 addresses are incompatible.
A pseudonym may be used as a unique identifier in some systems for privacy reasons in order to provide an anonymous identity [2]. The pseudonym is an identifier where only the party that assigned the pseudonym knows the real world identity behind it. Pseudonyms can be self-assigned, so that the real world (legal) persona behind the pseudonym is only known by the owner, and is otherwise hidden from all other parties. Alternatively, the pseudonym can be defined and escrowed by a trusted third party who knows the real world identity, and who is able to reveal it under special circumstances such as law enforcement.
3 Traditional User Identity Management Models
In order to better understand the merits of the user-centric approach to identity management described in later sections, this section takes a closer look at traditional models and current practice.
3.1 Isolated User Identity Model
The most common identity management model is to let service providers act as both credential provider and identifier provider to their clients. They control the name space for a specific service domain, and allocate identifiers to users. A user gets separate unique identifiers from each service/identifier provider he transacts with. In addition, each user will have separate credentials, such as passwords, associated with each of their identifiers. This model, which can be called isolated user identity management, is illustrated in Fig. 2 below.
Legend for this and subsequent figures: user entities, user identifier, authentication credential, service access, service provision, identity domain, identity mapping, personal authentication device (PAD), service provider identifier, service provider entity.

Figure 2: Isolated user identity model. The identifier and credential indexes in the figure refer to the issuing entity. For example, an identifier and credential with index 1 means that it has been issued by SP 1.
This approach might provide simple identity management for service providers, but is rapidly becoming unmanageable for users. The explosive growth in the number of online services based on this model results in users being overloaded with identifiers and credentials that they need to manage. Users are often required to memorise passwords, which unavoidably leads to users forgetting passwords to infrequently used services. Forgotten passwords, or simply the fear of forgetting, create a significant barrier to usage, resulting in many services not reaching their full potential. For important sensitive services, where password recovery must be highly secure, forgotten passwords can also significantly increase the cost for the service providers.
3.2 Federated User Identity Model
The federated identity management model attempts to address the type of inefficiencies described in Sec. 3.1 above. Identity federation can be defined as the set of agreements, standards and technologies that enable a group of service providers to recognise user identifiers and entitlements from other service providers within a federated domain.
Figure 3: Federated user identity model.

In a federated identity domain, agreements are established between SPs so that identities from different SP specific identity domains are recognised across all domains. The agreements include policy and technology standards. A mapping is established between the different identifiers owned by the same client in different domains, that links the associated identities. This results in a single virtual identity domain, as illustrated in Fig. 3. When a user is authenticated to a single service provider using one of their identifiers, they are considered to have been identified and authenticated with all the other service providers as well. This happens by passing assertions between service providers. Sending an assertion does not require user credentials, and the acceptance of user access assertions from one SP to another is based on trust established by adherence to common policies.

The federation of isolated identifier domains gives the client the illusion that there is a single identifier domain. The user can still hold separate identifiers for each service provider. However, he does not necessarily need to know or possess them all. A single identifier and credential is sufficient for him to access all services in the federated domain. This can therefore be used to provide a Single-Sign-On (SSO) solution similar to that described in Sec. 3.3.3. However, a potential problem is that users will still have to manage multiple identities and credentials, even if they are not actively using all of them. Therefore, identity federation makes most sense when the user wants to manage only one set of identifiers and credentials.

Technology standards for identity federation include the OASIS Security Assertion Markup Language (SAML) [8] and the Liberty Alliance framework [1]. Shibboleth [10] is an open source implementation of the federated identity management model. Major vendors are also offering federated identity management solutions.
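The assertion passing and identifier mapping of the federated model, as an added Python example that is not from the paper: SP1 authenticates the user against its own credential store, issues an assertion to the federation, and SP2 accepts it on trust and maps the SP1 identifier onto its own identity domain. The SP names, identifiers, mapping table and the shared HMAC key (standing in for a signed SAML assertion) are all constructed assumptions.

```python
import hashlib, hmac, json, time

# Constructed federation of two SPs that agreed on a policy and share an HMAC
# key; the key-signed token stands in for a SAML assertion (hypothetical value).
FEDERATION_KEY = b"constructed-federation-signing-key"

# Identity mapping agreed between SP1 and SP2: links the identifiers the same
# client holds in each SP-specific identity domain (constructed sample).
IDENTITY_MAPPING = {("SP1", "alice77"): ("SP2", "a.smith")}

# SP1's own isolated credential store: salted PBKDF2 hash of a sample password.
_SALT = b"constructed-salt"

def _derive(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

SP1_CREDENTIALS = {"alice77": _derive("correct horse")}

def sp1_authenticate(user_id, password):
    """SP1 checks its own credential; the password never leaves SP1."""
    stored = SP1_CREDENTIALS.get(user_id)
    return stored is not None and hmac.compare_digest(stored, _derive(password))

def sp1_issue_assertion(user_id, ttl=300):
    """After local authentication SP1 asserts the user's identity to the federation."""
    body = {"issuer": "SP1", "subject": user_id, "exp": time.time() + ttl}
    payload = json.dumps(body, sort_keys=True)
    sig = hmac.new(FEDERATION_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def sp2_accept_assertion(assertion):
    """SP2 grants access on the assertion alone; returns its local id or None."""
    payload = assertion["payload"]
    expected = hmac.new(FEDERATION_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None                   # tampered, or not issued by a federation member
    body = json.loads(payload)
    if body["exp"] < time.time():
        return None                   # expired assertion
    # Map the issuer's identifier onto SP2's own identity domain.
    mapped = IDENTITY_MAPPING.get((body["issuer"], body["subject"]))
    return mapped[1] if mapped and mapped[0] == "SP2" else None

def federated_login(user_id, password):
    """Sign on once at SP1, then reach SP2 through the assertion and the mapping."""
    if not sp1_authenticate(user_id, password):
        return None
    return sp2_accept_assertion(sp1_issue_assertion(user_id))
```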
3.3 Centralised User Identity Models
In centralised user identity models, there exists a single identifier and credentials provider that is used by all service providers, either exclusively, or in addition to other identifier and credentials providers. Centralised identity models can be implemented in a number of different ways. Below we describe the common identifier model, the meta-identifier model, and the single sign-on (SSO) model.
3.3.1 Common User Identity Model
A relatively simple identity management model is to let a separate entity or single authority act as an exclusive user identifier and credentials provider for all service providers. This architecture, which can be called the common user identity management model, is illustrated in Fig. 4.
Figure 4: Common user identity model.

In the common user identity model, a user can access all service providers using the same set of identifier and credential. This could, for example, be implemented by having a PKI where a single Certificate Authority (CA), or subordinate or cross certified CAs thereof, issue certificates to all users within the domain. The identifier name space can for example be the set of Internet email addresses that in fact are globally unique. Assuming that all the criteria necessary to operate a PKI are satisfied (which is far from trivial), users only need a single set of identifier and credential to be authenticated by all service providers.

On a global scale it would be problematic to use email addresses as unique identifiers. For example, email addresses can be obtained anonymously, people can change email addresses whenever they like, and the same person can have many email addresses simultaneously, which would be unacceptable for many applications. On a smaller scale, such as within a single organisation where the assignment of email addresses can be controlled, this model could work well.
3.3.2 Meta User Identity Model
Service providers can share certain identity related data on a common, or meta, level. This can be implemented by mapping all service provider specific identifiers to a meta identifier with which for example the credential can be linked. This is illustrated in Fig. 5.
The meta identifier approach is commonly implemented by a so-called meta directory, and is a popular approach for integrating legacy identity management systems in large enterprises. In this case, all the services linked to the meta identity domain are usually under the administration of a single organisation or authority.
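A meta directory of the kind just described, as an added Python example that is not from the paper: every SP-specific identifier maps to a hidden meta identifier, one credential record hangs off that meta identifier, and a password change made through any one SP is therefore seen by all the others. SP names, local identifiers and meta identifiers are constructed samples.

```python
import hashlib, hmac, os

# Constructed meta directory: every SP-specific identifier is mapped to one
# hidden meta identifier, and a single credential record hangs off that meta id.
# SP names, local identifiers and meta identifiers are all constructed samples.
IDENTIFIER_MAP = {
    ("HR", "emp4711"): "meta-0001",
    ("Mail", "alice"): "meta-0001",
    ("VPN", "asmith"): "meta-0001",
    ("Mail", "bob"): "meta-0002",
}
CREDENTIALS = {}  # meta identifier -> (salt, PBKDF2 hash)

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(sp, local_id, password):
    """A password change made through one SP updates the single meta-level
    credential, which is what makes it synchronised at every other SP."""
    meta = IDENTIFIER_MAP.get((sp, local_id))
    if meta is None:
        return False              # identifier not registered in that SP's domain
    salt = os.urandom(16)
    CREDENTIALS[meta] = (salt, _derive(password, salt))
    return True

def authenticate(sp, local_id, password):
    """Any SP verifies against the meta credential; the meta id stays internal."""
    meta = IDENTIFIER_MAP.get((sp, local_id))
    if meta is None or meta not in CREDENTIALS:
        return False
    salt, stored = CREDENTIALS[meta]
    return hmac.compare_digest(stored, _derive(password, salt))

def linked_identifiers(sp, local_id):
    """Internal coordination view: every SP identifier sharing this meta id."""
    meta = IDENTIFIER_MAP.get((sp, local_id))
    return sorted(k for k, v in IDENTIFIER_MAP.items() if v == meta) if meta else []
```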
Figure 5: Meta user identity model.

In theory the meta identity model can also provide an integrated identity management approach for different service providers, but that would require policy alignment and strong trust between the involved parties.

The unique meta identifier is normally hidden from users and only used internally for identity management and service coordinating purposes. From a user perspective, this can be seen as password (or credential) synchronisation across multiple service providers. When the user changes the password with one service provider, it is automatically changed with all the others as well.

3.3.3 Single-Sign-On Identity Domain

A simple extension of the centralised identity management approaches described in Sec. 3.3.1 and Sec. 3.3.2 could be to allow a user authenticated by one service provider, to be considered authenticated by other service providers. This is commonly called a Single Sign-On (SSO) solution because the user then only needs to authenticate himself (i.e. sign on) once to access all the services.
Figure 6: SSO identity model.

There will normally be one party responsible for allocating identifiers, issuing credentials and performing the actual authentication as illustrated in Fig. 6. This SSO scenario is very similar to the federated identifier scenario described in Sec. 3.2, except that no mapping of user identifiers would be needed because the same identifier is used by every service provider. Kerberos based authentication solutions, where the Kerberos Authentication Server acts as the centralised identifier and credential provider, are in this category. Microsoft .Net Passport is an example of an SSO implementation for e-commerce, where email addresses are adopted as user identifiers. In the .Net Passport model, credential issuance and authentication are centralised functions under Microsoft's control.