Doug Bellows – Inteliquent 3/18/2019

Customer/End User Identity and Authentication and Process to Determine TN Authorization for SHAKEN Attestation – Potential Methods
Doug Bellows – Inteliquent, 3/18/2019

[Diagram: reference model. Originating SP side: UA of direct user/originating SP customer (customer is end-user); UA of reseller or VASP customer of originating SP (customer may not be end user), which fronts the UAs of indirect end users (UAi) through an indirect end-user interface (proxy, B2BUA, protocol adaptor, etc.); CSCF; STI-AS (Identity header population/attestation/signing). Terminating SP side: CSCF; STI-VS (verify signature, originating SP identity, parameter integrity), feeding analytics, display, terminating UNI call control, etc. Security services for the customer UNI (user identification, user authentication, user-to-TN authorization) are defined outside of SHAKEN; the network-to-network interface is defined by SHAKEN.]
3/18/2019 Source: Inteliquent, Inc.

UNI Security Services for SHAKEN Attestation
- Customer identity: determine “real-world identity,” establish identifiers for UNI authentication
- Customer authentication: exchange credentials for UNI authentication (shared secrets, keys/certificates, IP ACLs/protected network paths, etc.), establish authenticated UNI
- Authorization to use TNs (determine customer’s “association” to TN): positive controls (e.g. screening database) or control by customer agreements and policy; if positive controls are used they are consulted per call

Possible Method for Exchanging Customer TN Authorizations between Assigning and Originating SPs
- Originating SP and assigning SP establish customer identity: customer “real-world identity” determined e.g. by EV methodology; SPs authenticate customer’s right to the identity, e.g. by a PKI signature tied to an EV certificate. Customer identity must use a globally recognizable and verifiable identifier (e.g. X.509 DN or other unique and verifiable attribute).
- Customer authentication: originating SP bilaterally establishes and uses customer UNI credentials as usual
- Authorization to use TNs (determine customer’s “association” to TN): assigning SP provides a “letter of authorization” to originating SP declaring TN assignment to customer (signed digital document containing customer ID and list of assigned TNs). Originating SP populates TNs in “authorized TN” database.

[Diagram: assigning SP admin plane and/or originating SP admin and service planes. The customer entity (Cust ID, credentials, UA) performs identity proofing/credentials exchange with the assigning SP (which records the TN assignment) and with the originating SP, using a universally verifiable ID (e.g. EV certificate methods). The originating SP holds CustID:TN Auth and applies user identification, user authentication and user-to-TN authorization to standard UNI authentication and session setup across the user-to-network interface; CSCF and STI-AS, to IP-NNI.]

[Diagram: as on the previous slide, with the assigning SP sending an LoA (CustID:TN Auth) to the originating SP after identity proofing/credentials exchange and TN assignment; the originating SP records CustID:TN Auth, which user-to-TN authorization consults on standard UNI authentication and session setup; CSCF and STI-AS, to IP-NNI.]

[Diagram: as on the previous slide, with the customer entity being a reseller/VASP (CustID, credentials, UA) fronting multiple indirect end users (UAi) over an indirect interface. The originating SP receives the LoA (CustID:TN Auth) from the assigning SP and applies user identification, user authentication and user-to-TN authorization; CSCF and STI-AS, to IP-NNI. TN traces to customer; customer is responsible for traceability to subtending end user entities.]

Extending TN authorization exchange to indirect end users – administrative plane
- Assigning SP identifies and assigns TNs to end user entity: same type of identity proofing as for customer TN authorization
- Customer identifies end user and provides end user identity to originating SP
- Assigning SP sends LoA tied to end user identity (EuID) to originating SP
- Originating SP populates an end-user authorization database and authorized TN database

[Diagram: assigning SP admin plane; originating SP admin and service planes. The indirect end user entity (EuID, credentials, UAi) performs identity proofing/credentials exchange with the assigning SP, which records the TN assignment and sends an LoA (EuID: TN Auth) to the originating SP. The customer entity (reseller/VASP; CustID, credentials, UA) sends an EU Auth Request (CustID:EuID Auth) to the originating SP. The originating SP holds CustID:EuID Auth and EuID:TN Auth and applies user identification, user authentication and user-to-TN authorization across the user-to-network interface; CSCF and STI-AS, to IP-NNI. TN traces to end user entity; end user authorized by customer.]

Extending TN authorization exchange to indirect end users – service plane
- Customer authenticates end user
- Choices at customer UNI to originating SP:
  - Proxy authentication (only customer authenticates EU and passes EuID with call): problematic from a “spoof-ability” standpoint
  - Customer passes through the authentication transaction between EU and originating SP using shared credentials, or passes through a signature with the call (like TNPoP, but certs tied to EuID, not TN)
- Originating SP checks EuID:TN authorization database for a match

[Diagram: originating SP admin and service planes. The indirect end user entity (EuID, credentials, UAi) reaches the originating SP through the indirect interface of the customer entity (reseller/VASP; CustID, credentials, UA). The originating SP holds CustID:EuID Auth and EuID:TN Auth and applies user identification, user authentication and user-to-TN authorization across the user-to-network interface; CSCF and STI-AS, to IP-NNI. Pass-through authentication of EU is more secure than proxy authentication. TN traces to end user entity; end user authorized by customer.]

Other considerations
- Customer TN authorization via LoA requires only administrative plane changes, no change in service plane
- End-user authorization requires an additional authorization step (EuID to CustID) and an additional authentication relationship (EU to originating SP)
- Limits credentials that need to be exchanged in real time
- In exchange for TN authorization, end-user identity is exposed to additional parties (customer’s originating SPs) to assure traceability

Delegation
TN assignee:
- Customer
- Customer’s customer (C2)
- Third-party assignee
End-user (entity originating the call):
- Customer’s customer (indirect end-user)
- Additional indirection levels (C3-n)

Delegation
- Delegation (assignee delegates TN use to EU): C2 to customer, customer to C2, third-party to customer, third-party to C2, etc.
- Assigning SP would need to track delegation relationships and provide an additional LoA indicating both the assignee and the EU authorized by the assignee
- There may be two (or more) LoAs for the same TN, one for the assignee directly and one for each delegate, tied to different EU identities
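The LoA exchange described on the preceding slides (assigning SP signs a TN assignment, originating SP verifies it and populates its authorized-TN database, the customer authorizes its indirect end users, and a second LoA names the delegate when the assignee delegates TN use) modelled as an added Python example; this is not Inteliquent's code. Assumptions: the LoA is a JSON document, the issuer name, identifiers and TNs are constructed, and an HMAC stands in for the PKI signature the slides describe.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the assigning SP's signing key: the slides call for a PKI
# signature tied to the SP's certificate; an HMAC keeps this example dependency-free.
ASSIGNING_SP_KEY = b"constructed-assigning-sp-key"
TRUSTED_ASSIGNING_SPS = {"AssigningSP-1"}  # constructed issuer identifier

def canonical(doc):
    # Deterministic encoding so issuer and verifier hash identical bytes
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()

def make_loa(issuer, assignee, tns, delegate=None):
    """Assigning SP issues an LoA assigning `tns` to `assignee`; `delegate`
    names the EuID the assignee has delegated use to (the second LoA per TN)."""
    doc = {"issuer": issuer, "assignee": assignee, "tns": sorted(tns)}
    if delegate:
        doc["delegate"] = delegate
    sig = hmac.new(ASSIGNING_SP_KEY, canonical(doc), hashlib.sha256).hexdigest()
    return {"doc": doc, "sig": sig}

class OriginatingSpDb:
    """Originating SP admin-plane state: TN authorizations from LoAs, CustID:EuID from the customer."""
    def __init__(self):
        self.tn_auth = {}  # tn -> identities (CustID or EuID) holding an LoA for it
        self.eu_auth = {}  # cust_id -> EuIDs the customer has authorized

    def ingest_loa(self, loa):
        """Verify issuer and signature before populating the authorized-TN DB."""
        doc, sig = loa["doc"], loa["sig"]
        expected = hmac.new(ASSIGNING_SP_KEY, canonical(doc), hashlib.sha256).hexdigest()
        if doc["issuer"] not in TRUSTED_ASSIGNING_SPS or not hmac.compare_digest(expected, sig):
            return False  # forged, altered or untrusted LoA: populate nothing
        holder = doc.get("delegate", doc["assignee"])
        for tn in doc["tns"]:
            self.tn_auth.setdefault(tn, set()).add(holder)
        return True

    def authorize_end_user(self, cust_id, eu_id):
        """EU Auth Request: the customer vouches that EuID is its end user."""
        self.eu_auth.setdefault(cust_id, set()).add(eu_id)

    def call_tn_authorized(self, cust_id, tn, eu_id=None):
        """Per-call check: a direct customer must hold the TN; an indirect end
        user must be authorized by the customer and must itself hold the TN."""
        if eu_id is None:
            return cust_id in self.tn_auth.get(tn, set())
        return eu_id in self.eu_auth.get(cust_id, set()) and eu_id in self.tn_auth.get(tn, set())
```

A tampered TN list, a forged signature or an untrusted issuer leaves the database untouched, so the per-call check fails closed for those TNs.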

[Diagram: assigning SP admin plane; originating SP admin and service planes. A 3rd party assignee performs identity proofing/credentials exchange with the assigning SP, which records the TN assignment and the delegation (3P->EuID:TN Auth) and sends an LoA (3P->EuID: TN Auth) to the originating SP. The customer entity (reseller/VASP; CustID, credentials, UA) sends an EU Auth Request (CustID:EuID Auth) on behalf of the indirect end user entity (EuID, credentials, UAi). The originating SP holds CustID:EuID Auth and EuID:TN Auth and applies user identification, user authentication and user-to-TN authorization; CSCF and STI-AS, to IP-NNI.]

Takeaways
- Authenticating customers and end users removes some of the ambiguity of relying on the TN identifier by itself and requires fewer credentials
- Requires a consistent identity scheme for TN assignees and service users
- Moves the complexity of authorization management to the administrative plane – fewer changes to the service plane