Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Concepts of (Id)entity, Nymity and Authentication Roger Clarke, Xamax Consultancy, Canberra Visiting Professor/Fellow, Unis. of Hong Kong, U.N.S.W.,

Published byFriederike Beckenbauer Modified over 6 years ago

Similar presentations

Presentation on theme: "The Concepts of (Id)entity, Nymity and Authentication Roger Clarke, Xamax Consultancy, Canberra Visiting Professor/Fellow, Unis. of Hong Kong, U.N.S.W.,"— Presentation transcript:

1 The Concepts of (Id)entity, Nymity and Authentication Roger Clarke, Xamax Consultancy, Canberra Visiting Professor/Fellow, Unis. of Hong Kong, U.N.S.W., ANU /DV/UOttINA{.html,.ppt} Uni of Ottawa – ‘On the Identity Trail’ – 10 Jun 2004

2 Defining Aphorisms of Cyberspace
Cyberspace is a shared hallucination There's no 'there' there The Net treats censorship as damage and routes around it National borders are just roadbumps on the information superhighway National borders are not even roadbumps on the information superhighway The street finds its own uses for things Information wants to be free

3 Defining Aphorisms of Cyberspace The New Yorker 5 July 1993

4 What’s the Message ?? You mean people lie on the Internet?
Reputation matters, not who you are. Your attributes matter, not who you are. I bark for ‘Spotty‘ here. Trust me. This bone‘s been aged in loam for three months. Trust me. I’m ‘Blacky’, from No. 43 up the street. I’m the same dog you chatted to yesterday. It’s me. Here smell this.

5 Agenda (Id)entity Nymity Authentication (Id)entifiers (Id)entification
Biometrics Nymity Ano Pseudo Gentle PETs Authentication Assertion Types (Id)entity Authentication

6 Names Codes Roles

7

8

9 Identity Entity A particular presentation of an Entity
May correspond to a Role played by the Entity Entity A real-world thing Objects, Animals, Artefacts, Natural Persons, Legal Persons

10 (Id)entified Transactions and Records
A Transaction or Record in which the data can be associated with one or more (Id)entities Examples Order paid with an identified credit card Order for delivery to a person at an address The folder in your doctor’s surgery Your entry in the driver licensing registry

11 (Id)entifier One or more attributes of an (Id)entity
(represented in transactions and records as one or more data-items) sufficient to distinguish that (Id)entity from other instances of its class (cf. a ‘candidate key’ in relational data modelling)

12 Human Identifiers Appearance how the person looks
Social how the person interacts with others Behaviour Names what the person is called by other people Codes what the person is called by an organisation Knowledge what the person knows Tokens what the person has

13 (Id)entification The process whereby data is associated with a particular (Id)entity It is performed by acquiring an (Id)entifier

14 Artefacts and Their Identities
Entity Entifier Computer Processor-Id NICId as Proxy Mobile-Phone Mobile-Phone Id Identity Identifier Computer Process Process-Id, IP-Address SIM-Card SIM-Card Id

15 Human Entifiers Commonly: ‘Biometrics’
Bio-Dynamics What the person does Natural What the person is Physiography Imposed Physical What the person is now Characteristics

16 Terminology 'A Biometric' is a measurable physical or behavioural characteristic of a human being So 'Biometrics' refers to measures of people 'Biometrics Technologies' are technologies that produce and process measures of people So ‘Biometrics’ also refers to technologies

17 Possible Biometrics Currently in Vogue Iris
Thumbprint Hand Geometry Voice Face Special Case DNA Promised Body Odour Multi-Attribute Variously Dormant or Extinct Cranial Measures Face Thermograms Veins (hands, earlobes) Retinal Scan Handprint Written Signature Keystroke Dynamics Skin Optical Reflectance ...

18 Agenda (Id)entity Nymity Ano Pseudo Gentle PETs Authentication
(Id)entifiers (Id)entification Biometrics Nymity Ano Pseudo Gentle PETs Authentication Assertion Types (Id)entity Authentication

19 An Anonymous Transaction or Record
A Transaction or Record in which the data cannot be associated with an Entity (whether from the transaction alone, or by combining it with other data) Examples Bus-rides Cups of coffee Calls from a public phone

20 A Pseudonymous Transaction or Record
A Transaction or Record in which the data cannot, in the normal course of events, be associated with a particular Entity The data may, however, be indirectly associated with the entity, if particular procedures are followed e.g. the issuing of a search warrant authorising access to an otherwise closed index Examples: HIV/AIDS research, share-trading, phone-calls with CLI, all Internet transactions

21 Identifiers, Entifiers, Nyms

22 Common Nymous Transactions
Barter transactions Visits to Enquiry Counters in government agencies and shops Inspection of publications on library premises Telephone Enquiries Access to Public Documents by electronic means, at a kiosk or over the Internet Cash Transactions, incl. the myriad daily payments for inexpensive goods and services, gambling and road-tolls Voting in secret ballots Treatment at discreet clinics, particularly for sexually transmitted diseases

23 Applications of Pseudonymity
Epidemiological Research (HIV/AIDS) Financial Exchanges, including dealing in commodities, stocks, shares, derivatives, and foreign currencies Nominee Trading and Ownership Banking Secrecy, incl. ‘Swiss’ / Austrian bank accounts Political Speech Artistic Speech Call Centres Counselling Phone-calls with CLI Internet Transactions 'Anonymous' r ers Chaumian eCash™

24 Common Uses for Nymity Criminal purposes Dissent and sedition
Scurrilous rumour-mongering To avoid being found by people who wish to inflict physical harm (e.g. ex-criminal associates, religious zealots, over- enthusiastic fans, obsessive stalkers) To protect the sources of journalists, and whistle-blowers To avoid unjustified exposure of personal data To keep data out of the hands of marketing organisations To prevent government agencies using irrelevant and outdated information

25 Nym One or more attributes of an Identity (represented in transactions and records as one or more data-items) sufficient to distinguish that Identity from other instances of its class but not sufficient to enable association with a specific Entity Pseudonym – association is not made, but possible Anonym – association is not possible

26 Nyms are Normal, and Mainstream
aka ('also-known-as'), alias, avatar, character, nickname, nom de guerre, nom de plume, manifestation, moniker, persona, personality, profile, pseudonym, pseudo-identifier, sobriquet, stage-name Cyberpace has adopted, and spawned more: account, alias, avatar, handle, nick, nickname, persona, personality

27 Effective Pseudonymity The Necessary Protections
Legal Protections Organisational Protections Technical Protections Over-ridability of Protections BUT subject to conditions being satisified, e.g. collusion among multiple parties legal authority

28 Privacy Enhancing Technologies (PETs)
Tools, Standards and Protocols that directly assist in the protection of privacy They are usefully categorised into: Pseudo-PETs PIT Countermeasures Savage PETs Gentle PETs

29 Pseudo-PETs Meta-Brands TRUSTe WebTrust CPA WebTrust
Better Business Bureau eTick (RIP) P3P MS Passport

30 Privacy Invasive Technologies (the PITs) and Countermeasures Against Them
Cookie-Cutters Cookie-Managers Personal Data Managers Personal Intermediaries / Proxies Data Protection Tools Client-Side Security Tools Channel, Server, Proxy/Firewall Security Tools ...

31 Anonymity vs. Pseudonymity
Anonymity precludes association of data or a transaction with a particular person Pseudonymity creates barriers to association of data or a transaction with a particular person Pseudonymity balances Privacy and Accountability

32 Savage PETs – for Anonymity
Anonymous R ers (Mixmaster) Anonymous Web-Surfers (Crowds, Onion Routing) Anonymous Persona Management (LPWA) Anonymous Payment Mechanisms Other Intermediary Tools / Proxies Value Authentication without Identity ? Attribute Authentication without Identity ? ...

33 Gentle PETs – for Pseudonymity
Nicks, Handles, Personalities, Personae, Avatars Intermediary Tools / Proxies, Client-Agents: Pseudonymous Connections Pseudonymous R ers Pseudonymous Web-Surfers Pseudonymous Persona Management Value Authentication without Identity ? Attribute Authentication without Identity ? ...

34 Agenda (Id)entity Nymity Authentication Assertion Types
(Id)entifiers (Id)entification Biometrics Nymity Ano Pseudo Gentle PETs Authentication Assertion Types (Id)entity Authentication

35 There are many different kinds of assertions
Authentication The process of testing of an Assertion in order to establish a level of confidence in the Assertion’s reliability There are many different kinds of assertions

36 Kinds of Assertion Relevant to eBusiness
About Value About Attributes About Principal-Agent Relationships About Documents About Location About Identities About Entities

37 Authenticators Items of Evidence which have
value to an authentication process The demonstration of knowledge The demonstration of the ability to perform a particular act A Credential, with physical or digital existence, including a Token or a Document

38 Value Assertion Value is transferred to/from an (Id)entity or Nym ‘This bone‘s been aged in loam for three months’ Authentication of Value Assertions For Cash Release the goods only: For Cash On Delivery After Clearing the Cheque Against a Credit-Card Authorisation After a Debit-Card Transaction For Goods Inspect them Get them put into Escrow, for release by the Agent only when all conditions have been fulfilled

39 Authentication of Attribute Assertions
An Identity or Nym has a particular Attribute: Age / DoB before or after some Threshhold Disability, Health Condition, War Service Professional, Trade (or Dog) Qualification Authentication of Attribute Assertions ID-Card and DoB (may or may not record ID) Bearer Credential (ticket, disabled-driver sticker) Attribute Certificates (with or without ID)

40 Authentication of Agency Assertions
An (Id)entity or Nym – the Agent – has the legal authority to act on behalf of another (Id)entity or Nym – the Principal ‘I bark for ‘Spotty‘ here’ Authentication of Agency Assertions Power-of-Attorney (notarised?) Company Seal Letter of Introduction Entry in Register (e.g. of players’ agents)

41 Important Assertions About Documents
A driver’s licence with that serial-no. exists A naturalisation cert. with that content exists A birth cert. with that doc-id has not already been used to get a driver’s licence or passport ‘Authenticate the paper, not the person’

42 Authentication of Location Assertions
An (Id)entity or Nym is in a particular Location Authentication of Location Assertions CLI/CND, Call-Back GPS Global Positioning System MOLI Mobile Location Indicator in Mobile Phones RFID Radio-Frequency ID Tags (in Clothing?) Smart Dust?

43 Scope of the ‘Mobile’ Concept
Wide Area Networks – Cellular (line-of-sight, hence max. 20km per terrestrial cell) 1 – Analogue Cellular, e.g. AMPS, TACS 2 – Digital Cellular, e.g. GSM, CDMA 3 – ‘3G’, e.g. GSM/GPRS and W-CDMA Wide Area Networks – Satellite Large footprint, but very high latency (c. 2 secs) Local Area Networks (c m radius) e.g. IEEE /WiFi esp. 11b / Apple Airport Personal Area Networks (c metres) e.g. Bluetooth (or beamed infra-red)

44 The Technological History

45 The Implications of the Technology

46 Human Identity Authentication
The process of testing an Assertion that data should be associated with a particular Identity, in order to establish a level of confidence in the Assertion’s reliability ‘I’m ‘Blacky’, from No. 43 up the street’ ‘I’m the same dog you chatted to yesterday’ ...

47 Human Identity Authentication Establish confidence in the assertion by cross-check against one or more Authenticators, such as: What the Person Has (Credentials, incl. Tokens and Documents) e.g. a Physical Document, such as a Birth Certificate e.g. a Physical Token, such as an ‘ID-Card’, a Ticket e.g. a Digital Token, esp. a Digital Signature consistent with the Public Key attested to by a Digital Certificate What the Person Knows e.g. mother’s maiden name, Password, PIN What the Person Can Do e.g. effect a written signature, type a password in a consistent manner

48 Common Techniques used in Identity Authentication
Reputation Appearance Consistency Behaviour Consistency Check of Origin against Pre-Registered Addresses Call-Back to Pre-Registered Address Username/Password Pairs Multi-Factor – more identifiers, what you know, do, have Digital Signature – generated using a Private Key, stored in software / hardware, protected by a PIN / Biometric

49 UserName / Password Pairs Design Factors
Password Quality User Choice Length Requirements Content Restrictions Period of Use Enforced Change One-Time Use Transmission In Clear Hashed Encrypted, Public Key Encrypted, SSL Session Key Client-Side Storage Offline Open, Obscured In Software Open, Closed but Invokable, Obscured In Hardware Unstored Server-Side Storage Open Encrypted, Un/Readable Encrypted, Salted Hashed

50 Artefact (Id)entity Authentication
Entity Entifier Computer Processor-Id NICId as Proxy Mobile-Phone Mobile-Phone Id Identity Identifier Computer Process Process-Id, IP-Address SIM-Card SIM-Card Id

51 Organisational (Id)entity Authentication ‘Legal Persons’
Entities Bodies Politic Bodies Corporate Corporations Inc’d Associations Identities Business Names But they’re incorporeal !

52 Human Entity Authentication
The process of testing an Assertion that data should be associated with a particular Entity, in order to establish a level of confidence in the Assertion’s reliability Authentication of the Assertion depends on: a physical measure of the person comparison against a reference-measure ‘It’s me. Here smell this’

53 The Biometric Process

54 Categories of Biometric Application
AUTHENTICATION 1-to-1 / ref. measure from somewhere / tests ‘entity assertions’ Identification 1-to-many / ref. measures from a database that also contains data about population-members / generates an ‘entity assertion’ Vetting against a Blacklist 1-to-many / ref. measures and data of a small population of wanted or unwanted people / may create an ‘entity assertion’ Duplicate Detection 1-to-many / ref. measures of a large population / may create an assertion ‘person already enrolled’

55 Motivations Foreground Authorisations within a Context
Right to Perform a Function Creation of Suspicion Interception of 'Wanted Persons' Deterrence of People from Locations Background Collection of New Transaction Data People-Location and People-Tracking Creation / Enhancement of Biometrics Databases

56 The Authentication of Employee Identity Assertions
Impose measurement on many employees Compare Test-Measure Against Reference-Measure captured at enrolment (a 1-to-1 Authentication application) Do it many times Do it under time-pressure (bundy on/off)

57 The Identification of the Perpetrator of a Crime
Compare Test-Measure Against a Database (a 1-to-many Identification application) Latent Prints seldom reliably identify the Perpetrator Do it at leisure The People Sought may be: ‘Convicted Criminals’, with Biometrics Other Categories, with Biometrics People for whom no Biometrics are held

58 How To, and How Not To, Stop Mahommed Atta and Friends
Pre-Boarding: Biometric Identification: of Atta against a Population Database Biometric Authentication: of Atta against his own Card of Atta and Card against a Blacklist On Board Biometric Authentication: of Atta and Card against a Blacklist (where?) of Pilots, at the Controls of Aircrew, just outside the Cockpit Door

59 The Prevention of Terrorist Access to Aircraft
Compare Test-Measure Against a Stop-List (a 1-to-many Blacklist application) Do it many times Do it under time-pressure Many People Sought are not ‘Known’ Few People Sought have provided Biometrics There are no Reference-Measures for the People on the Stop-List

60 Biometrics and Single-Mission Terrorists
“Biometrics ... can’t reduce the threat of the suicide bomber or suicide jijacker on his virgin mission. The contemporary hazard is a terrorist who travels under his own name, his own passport, posing as an innocent student or visitor until the moment he ignites his shoe-bomb or pulls out his box-cutter” (Jonas G., National Post, 19 Jan 2004) “it is difficult to avoid the conclusion that the chief motivation for deploying biometrics is not so much to provide security, but to provide the appearance of security” (The Economist, 4 Dec 2003)

61 16 Kinds of Assertion Which May Need to be Authenticated
Identity: re artefacts re humans re organisations Entity: Document Attribute: with/without (id)entity Agency: of principal/agent Location: Value:

62 Recapitulation (Id)entity Nymity Authentication (Id)entifiers
(Id)entification Biometrics Nymity Ano Pseudo Gentle PETs Authentication Assertion Types (Id)entity Authentication

Download ppt "The Concepts of (Id)entity, Nymity and Authentication Roger Clarke, Xamax Consultancy, Canberra Visiting Professor/Fellow, Unis. of Hong Kong, U.N.S.W.,"

Similar presentations

Copyright 1987-2009 1 Roger Clarke Xamax Consultancy, Canberra Visiting Professor – Cyberspace Law & Policy UNSW and in Computer ANU.

Copyright Roger Clarke Xamax Consultancy, Canberra Visiting Professor – Cyberspace Law & Policy UNSW and in Computer ANU.
Copyright 1987-2009 1 Roger Clarke Xamax Consultancy, Canberra Visiting Professor – Cyberspace Law & Policy UNSW and at the ANU and the Uni. of.

Copyright Roger Clarke Xamax Consultancy, Canberra Visiting Professor – Cyberspace Law & Policy UNSW and at the ANU and the Uni. of.
Copyright 1988-2006 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU

Copyright Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU
Copyright 2005 1 Xamax Consultancy Pty Ltd, Canberra Visiting Professor, Uni. of Hong Kong, A.N.U. & U.N.S.W.

Copyright Xamax Consultancy Pty Ltd, Canberra Visiting Professor, Uni. of Hong Kong, A.N.U. & U.N.S.W.
Copyright, 1995-2004 1 Issues from Internet Technologies 1 – Internet Connected Devices Roger Clarke, Xamax Consultancy, Canberra Visiting Prof/Fellow,

Copyright, Issues from Internet Technologies 1 – Internet Connected Devices Roger Clarke, Xamax Consultancy, Canberra Visiting Prof/Fellow,
Copyright 2005 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU

Copyright Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU
AFCEA TechNet Europe Identity and Authentication Management Systems for Access Control Security IDENTITY MANAGEMENT Good Afternoon! Since Yesterday we.

AFCEA TechNet Europe Identity and Authentication Management Systems for Access Control Security IDENTITY MANAGEMENT Good Afternoon! Since Yesterday we.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Confidentiality and Privacy Controls

Confidentiality and Privacy Controls
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Introduction to ubiquitous security Kevin Wang. Scenario Take photos Ask position Position voice Time More information.

Introduction to ubiquitous security Kevin Wang. Scenario Take photos Ask position Position voice Time More information.
Elias M. Awad Third Edition ELECTRONIC COMMERCE From Vision to Fulfillment 13-1© 2007 Prentice-Hall, Inc ELC 200 Day 23.

Elias M. Awad Third Edition ELECTRONIC COMMERCE From Vision to Fulfillment 13-1© 2007 Prentice-Hall, Inc ELC 200 Day 23.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School

Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School
Elias M. Awad Third Edition ELECTRONIC COMMERCE From Vision to Fulfillment ELC 200 Day 24.

Elias M. Awad Third Edition ELECTRONIC COMMERCE From Vision to Fulfillment ELC 200 Day 24.
Privacy and Encryption The threat of privacy due to the sale of sensitive personal information on the internet Definition of anonymity and how it is abused.

Privacy and Encryption The threat of privacy due to the sale of sensitive personal information on the internet Definition of anonymity and how it is abused.
Chapter 10: Authentication Guide to Computer Network Security.

Chapter 10: Authentication Guide to Computer Network Security.

Similar presentations

Ads by Google