Networked Identity Clark Thomborson 16 March 2012 for NIST 1.

Networked Identity

Clark Thomborson

16 March 2012

for NIST1

2

This seminar

“Point identity” vs. social (networked) identity Applications

Cookies as identifiers Typology of identity federations (corporate ID provision) New Zealand’s Identity Verification Service:

pseudonyms with liveness and uniqueness properties Eliciting and representing privacy requirements

The Jericho Forum’s Identity Commandments Personas, roles Core identities, root identities

What is an “identity”?

Uniqueness An identity is knowledge about an entity and a

population, sufficient to distinguish the entity from all other entities in the population.

A “k-identifiable entity” is in an equivalence class of size k.

Learning about the population may reduce k. Persistence

If an entity is identifiable, it will (probably) be identifiable in the future.

Changes to populations, entities, and knowledge affect identifiability.

Often “defined away”, by assuming a static population and context.

3

(precision)

(accuracy: repeatability)

Is an IP address an identifier?

Yes, if we Assume a static world (or require only weak

persistence), or Have additional information to distinguish the

current users of this address (or require only k-identifiability)

No, if we Require strong persistence, 1-identifiability, or Have insufficient additional information to

identify an individual with the (contextually) required level of persistence and precision.

Networked Identity 4

Duns Scotus, 13th C.

Haecceity (“thisness”) Information distinguishing an individual from

any number of other individuals (in a given population)

Quiddity (“whatness”, or natura communis) Information distinguishing a population from

any number of other populations (in a given universe)

Networked Identity 5

Current Practice: Point Id

We distinguish identification (a claim to an identity), from authentication (proof, or support, for a claimed

identity). Three types of identifiers and authenticators:

1. “What you know” (e.g. login/password)

2. “What you have” (e.g. smartcard)

3. “Who you are” (e.g. fingerprint) Can we learn from Scotus? (We’re focussing

on the individual, with no explicit reference to the population…) Networked Identity 6

A graph-theoretic view…

If we model… People (and things) as nodes Their relations as edges Visible attributes as node-labels Types of relations as edge-labels

Then … “What you are” is your node-label. “What you have” is your possession-relation to

your identifiable object. “What you know” is a label describing a message,

sent on your communication-relation path to an identity querent. Networked Identity 7

Reduction to Graph Isomorphism Identification is a problem of subgraph

isomorphism. Given a labeled graph P (the population) and a

labeled graph Q (the query), how many “matches” are there for Q in P?

Q can have wildcards (partial matches) In “Who you are” identification,

Q is a single node. In “What you have” identification,

Q is two nodes in a possessor-possessed relation.

Networked Identity 8

Other types of identification In “What you know” identification,

Q is a communication-relation path, from the identified node to the querent.

There are some feasibility constraints. In a “what you know” identification, there must be a

bidirectional communication-relation path between the querent and the identified node (challenge / response).

In a “who you are” identification, the identified node must be in an observed-relation to a node that is on a communication-path to the querent.

In a “what you have” identification, an observation of the identifiable object, and of its “possession relation” (a.k.a. tethering) to the identified node, must be communicated to the querent.

Networked Identity 9

Networked Identity More complex Q: “What is your network?”

Your (partial) 1-neighbourhood is an extension of “what you have” -- to include the people you can communicate with, observe, or control. (Chinese: guanxi, or network).

Your (partial) 2-neighborhood is an extension which includes your FOF relations in Facebook, LinkedIn.

Tracking cookies in our browser can identify us…

Networked Identity 10

Networked Identity 11

Three Types of Relationships

Hierarchical: A superior can observe and control its inferiors. A superior must disclose a signing key (= a cryptographic identity)

to its inferiors; an inferior is unable to observe its superior. An inferior is unable to control its superior, except by performing or

withholding services; the superior can reward or punish the inferior.

Peering: A peer can communicate with other peers on a private network. Peers share an encryption key and a signing key: messages within

the peerage are confidential and authentic.

Aliasing: Entities can play multiple roles, in multiple organisations (as a peer,

inferior, or superior). Entities use different identifiers (e.g. signing keys) when playing

different roles.

WS1’

Cookies as Identifying Agents

12

Browser

Cookie A1

Alice

Cookie A2

WWW

Browser’ WS2’ WS1

Cookie A1’

WS2

Cookie A2’

Alice browses the WWW, visiting WS1 and WS2.

Her browser stores A1, A2. Alice has a networked identity!

Identity in a Hierarchy

Entities in hierarchies have structural identities. Employee #1.2.3 is the third inferior of the second

inferior of the king. Employee #1 is the king: the root of accountability. Asset #1.2.3.1 is controlled by #1.2.3.

Problems: Structural changes (hires, fires, promotions) affect

many identities. Solution: a local namespace for the hierarchy.

Hierarchical identities reveal structure: a security risk. Mitigations: censors, training, detection and (punitive) response, …

Networked Identity 13

Identity in a Peerage

The only way to identify a peer is by messaging: “What is your mother’s maiden name?” “Let’s continue our previous discussion.” “Please sign your messages.”

Peers can eavesdrop on other peers, so challenges can’t be re-used. Diffie-Hellman key exchange: entities provide

a zero-knowledge proof of their randomly-chosen secret.

Networked Identity 14

Repeated Identifications

By using Diffie-Hellman or side-channels, peers can develop reliable pseudonyms. A peer need never reveal their “real name” to

the peerage. The value of a pseudonym is in the reputation

attached to it. A Wikipedia problem: people who

repeatedly abuse their ability to get a new pseudonym with a default reputation. Solution: a complex network (both peering

and hierarchical)15

Networked Identity 16

Complex Identity Structures: Peered

Corporations may join a peer group which manages their identities and reputations.

The peers are aliased to corporate representatives.

Disadvantage: C’ must provide proof that they represent V, in each message to Z.

Company X Company Y

Advantage: completely under the control of the peers.

CC’

V

Corporate Id Consortium P

R

R’

S

S’

Networked Identity 17

Corporate Id Provision: Hierarchical (1)

Company IT reps R, S may purchase identities from provider H, e.g. VeriSign.

Disadvantage: X and Y must use the same identity provider.

Advantage: H strongly controls identities R’, S’.

Company X Company Y

Other disadvantages: difficult for V to link C’ to X. Trustworthiness of H is difficult to assess and assure, especially if Y is not in the same jurisdiction as H.

C

C’

V

Corporate IdProvider H

R

R’

S

S’

Networked Identity 18

Corporate Id Provision: Hierarchical (2)

Companies may be part of a larger hierarchy: a corporation or a government.

Advantage: legal accountability, if R is governmental.

Disadvantage: jurisdictional disputes, and identity confusions, if X or Y are enrolled in more than one registry.

CompanyX

CompanyY

CC’

V

Corporate Registrar R

Disadvantage: X or Y may not be willing to trust the same R.

Networked Identity 19

Corporate Id Provision: Hierarchical (3)

Registrars may form peerages or hierarchies to provide interoperable identities.

C’ should reveal X” to V.

V should reveal Y” to C’.

Disadvantage: multiple credentials are very confusing for users.

CompanyX

CompanyY

CC’

V

Registrar R1

Advantage: single sign-on, if you choose the right credential!

Registrar R2

X’

X” Y”Y’

Crown

DIA SA1

Citizen

SA2

IVS GLSReferee

igovtVID

igovtUVID

VIDat SA1

VIDat SA2

Anonat SA2

VIDfor SA2

DIA Id

IVSVID

VIDfor SA1

SIDfor SA2

SIDfor SA2

SIDfor SA1

NZ’s IVS• A citizen can have

at most one Verified ID (VID) at each agency.

• Anonymised IDs can be created.

• Session IDs are transient.

Advantage #1: representational Our model represents the structural

aspects of NZ’s government-issued identifiers in enough detail to exhibit: Multiple identifiers for each citizen No citizen plays more than one identifiable

role at each service agency. Citizens may have any number of anonyms

at a service agency. Identifiers can be linked by the DIA but not

by the service agencies: the DIA controls the core identity of each citizen.

Networked Identity 21

Advantage #2: revelatory

In secure systems design textbooks, there are three ways to authenticate a claimed identity:1. What you have (a token)

2. What you know (a password)

3. Who you are (a biometric). The DIA consults a referee to

authenticate a claimed identity! Referees are outside the range of the three

usual types, but are a networked identity.Networked Identity 22

Networked Identity 23

Modelling Privacy Requirements

When modelling privacy, organisational boundaries are important but their internal details are unimportant.

New drawing conventions: A hierarchical organisation is a tree of entities in hierarchical

relations, drawn as a triangle. A peerage is a set of communicating entities, drawn as a

circle. [Tracy Thompson, “Circles of Change”, Stanford Social Innovation Review, Fall 2011]

Aliases are indicated by multiple, identical icons. This is a planar dual of the drawing conventions in prior

slides.

Dramatis Personae

• Actors– Alfred, a consumer– BooksRus, a service provider – Judy, a judge

• Objects– Alfred’s private information– BooksRus privacy policy

Alfred’s Simplest Privacy Claim

P+

Four annotations on potential aliases:• Prohibited (P─), Permitted (P+),• Obligated (O+), Exempted (O-).

The “house” shape implies that aliasing of its content is prohibited, unless specifically permitted.

Houses are special cases of hierarchies ( ).

Disclosure to Affiliates

• The BooksRus privacy policy permits the disclosure of customer-private data to its affiliates, partners, and providers e.g. Food4U.

P+P+ by policy; but is this acceptable to Alfred?

O+ O+

A Privacy Context

• Alfred might want to know the identities of all relying parties (BooksRUs, …) who can access his private information.– This is a peerage R.

• If the peerage R uses multiple identity providers, then these form a peerage I.

• The “context” for Alfred’s ID provision is (I, R, p), where p is an object describing the purpose of this provision.

Networked Identity 27

28

Review

• “Point identity” vs. social (networked) identity– A richer set of identification primitives, including

referees.– A graph-theoretic model, rather than an information-

systems/database model. Both have their strengths…

• Applications of this modelling approach– Cookies as identifiers– Typology of identity federations (corporate ID provision)– New Zealand’s Identity Verification Service:

pseudonyms with liveness and uniqueness properties– Eliciting and representing privacy requirements

Copyright (C) The Open Group 2011

Identity Commandments v1.0

Copyright (C) The Open Group 2011

Identity and Core Identity

1. All core identities must be protected to ensure their secrecy and integrity

• Core identifiers must never need to be disclosed and are uniquely and verifiably connected with the related Entity.

• Core identifiers must have a verifiable level of confidence. • Core identifiers must only be connected to a persona via a one-way linkage

(one-way trust). • An Entity has Primacy [primary control] over all the identities and activities of its

personae. • Entities must never be compelled to reveal a persona, or that two (or more)

persona are linked to the same core identity.

30

Root & Core Identity (Jericho)

Physical (real-world) entities have a “root identity”.

Cyberworld entities have a core identity, which is common to all of its role-based identifiers. Root Core persona role organisation

Core and root identities are necessary for accountability, but are highly private: should only be revealed during legal procedures.

Networked Identity 31

User-centric Personas

Most people are aware of having different personas

for friendships, professional relationships. We show different aspects of our personality when we’re

playing the role of “father” than when we’re playing the role of

an “employee”.

We define our own personas: these are user-centric. Others define our roles: these are organisation-

centric. We select a persona for each role that we play.

We may be told that our persona is inappropriate for a role…

An alias is a matching of a persona to a role.

Networked Identity 32

Representing JF IdEA

Networked Identity 33

WS1’

Browser

Cookie A1

Alice core

Cookie A2: a persona for Alice

WWW

Browser’ WS2’ WS1

Cookie A1’

WS2

Cookie A2’: a role for Alice

at WS2

Alice’s browser shouldn’t reveal her “core” (for her other cyber Ids)

Alice’s browser shouldn’t reveal her “root” (physical Id).

Alice root