Presentation is loading. Please wait.

Presentation is loading. Please wait.

Trusted Systems Laboratory

Published byArturo Río Modified over 5 years ago

Similar presentations

Presentation on theme: "Trusted Systems Laboratory"— Presentation transcript:

1 Trusted Systems Laboratory
Hewlett-Packard Labs, Bristol, UK Adaptive Identity Management: Vision and Technology Development Overview Marco Casassa Mont Pete Bramhall

2 Identity Management Landscape
Identity Management is a Core Aspect in many different Contexts, but … Enterprise & Business Integration E-Commerce Different Competing Aspects and Perspectives: Web Service Frameworks enterprise focus vs. consumer focus mobility vs. centralisation legislation vs. self-regulation owners’ control vs. organisations’ control privacy vs. free market Government & Legislation Identity Management Privacy, Trust, Security Mobility Appliances, Devices No One Size Fits All … Policies 05/05/2019 Adaptive Identity Management - Technologies Overview

3 Adaptive Identity Management - Technologies Overview
Identity Aspects [1] Identity Information Multiple Attributes Multiple Views Multiple Contexts and Stakeholders Distributed Control Different degrees of Awareness Multiple Identities Associated to Entities (people, devices, services, etc.) 05/05/2019 Adaptive Identity Management - Technologies Overview

4 Adaptive Identity Management - Technologies Overview
Identity Aspects [2] Complexity of Identity Information Identity Information is Subject to Changes, over time 05/05/2019 Adaptive Identity Management - Technologies Overview

5 Current Identity Management
Identity Management is Part of a Complex Ecosystem Many Technology, Products, Solutions … Lack of Flexibility, Interoperability and Management Integration Smart Cards PKI IBE Web Services RBAC Biometrics TCPA/TCG NGSCB XML SAML Liberty Trusted Platforms EPAL P3P 05/05/2019 Adaptive Identity Management - Technologies Overview

6 Emerging Trends and Issues
On Demand, Adaptive Infrastructures Ubiquitous and Pervasive Computing Trusted Platforms and Systems Digital Rights Management Issues Privacy Identity Thefts and Frauds Lack Of Control Accountability Complexity 05/05/2019 Adaptive Identity Management - Technologies Overview

7 Emerging Requirements
Integration Rationalisation Flexibility Context Awareness Privacy Management Control Over Identity Flow Delegation Of Control Accountability Management Simplicity\Usability 05/05/2019 Adaptive Identity Management - Technologies Overview

8 Adaptive Identity Management - Technologies Overview
Our Vision Adaptive Identity Management 05/05/2019 Adaptive Identity Management - Technologies Overview

9 Vision: Adaptive Identity Management (AIM)
Core Properties Integrated and Collaborative Management of Identity Management Tasks Policy-Driven Management Context Awareness 05/05/2019 Adaptive Identity Management - Technologies Overview

10 Vision: Adaptive Identity Management (AIM)
Open API Standardisation Management Proxies Cooperation at different Levels of Abstraction Policy Languages Integration of Identity, Trust, Privacy, Security Aspects Delegation of Policy Refinement Scalability Across Boundaries and Domains 05/05/2019 Adaptive Identity Management - Technologies Overview

11 Moving Towards AIM: Accountable Identity and Privacy Management [1]
Privacy Protection via High-Level, Sticky Policies Accountability Enforcement via TTPs User Control Leverage IBE to Enforce Sticky Policies Leverage Trusted Platforms Leverage Tagged OS Leverage HSA 05/05/2019 Adaptive Identity Management - Technologies Overview

12 Moving Towards AIM: Accountable Identity and Privacy Management [2]
Integration of Multiple Constraints at Different Levels of Abstraction via Sticky Policies Authoring of Sticky Policies based on Templates and Policy Wizard 05/05/2019 Adaptive Identity Management - Technologies Overview

13 Technology Development
Overview 05/05/2019 Adaptive Identity Management - Technologies Overview

14 Hardware Security Appliance (HSA) Concept
Systems can be subverted HSA We are using such devices as service delivery mechanisms so that an independent service runs on the device. It has its own trust domain – it can be thought of as creating a virtual trust domain in the wider IT systems. To do this the service has its own identity and is configured with a set of policies defining who can administer and control this service (even remotely). In fact the ability to execute policies along with the standard HSM crypto functions. This combination of policy and keys is at the heart of many of the solutions so lets illustrate some of these solutions Of course being on trusted hardware this can be placed right next inside the IT infrastructure to whom services are being delivered. App Control Other Processes Worm Virus Hacker App Process policy HSA Service API System Server Administrator 05/05/2019 Adaptive Identity Management - Technologies Overview

15 HSA – Trust Domains IT Infrastructure HSA Based Service Service API
(Key use, Authentication, Authorisation, Audit.... Management Policies Service Identity Management Interface (Constrained by Policy) Signed Chain of Management events Network System Administrators Domain Service Administrator 05/05/2019 Adaptive Identity Management - Technologies Overview

16 TCPA/TCG - Implementation Status
Trusted Platform Modules (TPM) based on 1.1b specification available Atmel Infineon National Semiconductor Compliant PC platforms shipping now HP-Protect Tools Embedded Security available on D530 business desktops IBM ThinkPad notebooks and NetVista desktops Increasing application support RSA Secure ID, Checkpoint VPN, Verisign PTA National Infineon Atmel Note: Modules shown are for test & debug. Actual system implementation may vary. 05/05/2019 Adaptive Identity Management - Technologies Overview

17 Adaptive Identity Management - Technologies Overview
Secure Data Tagging Data comes with tags that reflect policies All data is tagged; the tag specifies how to handle data whether it is private, confidential, sensitive etc Works with standard applications Policy is enforced by the OS kernel irrespective of application behaviour Even a compromised application can’t leak your confidential data - a virus might send s on your behalf, but it can’t send any confidential data in them (it’ll be encrypted or never sent, depending on policy) Transparent and automatic application of policy to data No action is needed by users or applications for this to happen and there need be no change application or user behaviour 05/05/2019 Adaptive Identity Management - Technologies Overview

18 Policy distribution and enforcement
Policy Creation and Translation System policies created in dflow compiler Policy File in Internal Format Every tagging-aware device to be governed by a data usage policy In the ideal business environment, standard policies are published from a central location and dynamically propagated to policy aware devices Control Enforcement Tagged Data Decision Policy evaluation engine Flow causing operation yes, no, more checks 05/05/2019 Adaptive Identity Management - Technologies Overview

19 What is Identifier-based Encryption (IBE)?
It is an Emerging Cryptography Technology HP Approach based on Elliptic-Curve Crypography Based on a Three-Player Model: Sender, Receiver, Trust Authority (Trusted Third Party) Same Strength as RSA Usage: for Encryption/Decryption, Signatures, Role-based Applications, Policy Enforcement, etc. 05/05/2019 Adaptive Identity Management - Technologies Overview

20 Adaptive Identity Management - Technologies Overview
IBE Core Properties 1st Property: Any Kind of “String” (or Sequence of Bytes) Can Be Used as an IBE Encryption Key: for example a Role, Terms and Conditions, an Address, a Picture, a Disclosure Time 2nd Property: The Generation of IBE Decryption Keys Can Be Postponed in Time, even Long Time After the Generation of the Correspondent IBE Encryption Key 3rd Property: Reliance on at Least a Trust Authority (Trusted Third Party) for the Generation of IBE Decryption Key 05/05/2019 Adaptive Identity Management - Technologies Overview

21 IBE Three-Player Model
Alice Trust Authority Bob 4. Alice Sends the encrypted Message to Bob, along with the Encryption Key 4 2. Alice knows the Trust Authority's published value of Public Detail N It is well known or available from reliable source 2 3. Alice chooses an appropriate Encryption Key. She encrypts the message: Encrypted message = {E(msg, N, encryption key)} 3 5. Bob requests the Decryption Key associated to the Encryption Key to the relevant Trust Authority. 5 6. The Trust Authority issues an IBE Decryption Key corresponding to the supplied Encryption Key only if it is happy with Bob’s entitlement to the Decryption Key. It needs the Secret to perform the computation. 6 1. Trust Authority - Generates and protects a Secret - Publishes a Public Detail N 1 05/05/2019 Adaptive Identity Management - Technologies Overview

22 Active Digital Credentials
Active Digital Credential: Up-to-Date Certified Information Integration of Procedures Within Digital Credentials to Retrieve Certified Up-to-Date Information along with its Trust Evaluation 05/05/2019 Adaptive Identity Management - Technologies Overview

23

Download ppt "Trusted Systems Laboratory"

Similar presentations

GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
2  Industry trends and challenges  Windows Server 2012: Modern workstyle, enabled  Access from virtually anywhere, any device  Full Windows experience.

2  Industry trends and challenges  Windows Server 2012: Modern workstyle, enabled  Access from virtually anywhere, any device  Full Windows experience.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
High Performance Computing Course Notes 2007-2008 Grid Computing.

High Performance Computing Course Notes Grid Computing.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Copyright© 2005-2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.

Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
On Privacy-aware Information Lifecycle Management (ILM) in Enterprises: Setting the Context Marco Casassa Mont Hewlett-Packard.

On Privacy-aware Information Lifecycle Management (ILM) in Enterprises: Setting the Context Marco Casassa Mont Hewlett-Packard.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Securing Information Transfer in Distributed Computing Environments AbdulRahman A. Namankani.

Securing Information Transfer in Distributed Computing Environments AbdulRahman A. Namankani.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.

Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz
Identity Management Marco Casassa Mont Trusted E-Services Lab Hewlett-Packard Laboratories Bristol, UK June 2002.

Identity Management Marco Casassa Mont Trusted E-Services Lab Hewlett-Packard Laboratories Bristol, UK June 2002.
Trusted Systems Laboratory Hewlett-Packard Laboratories Bristol, UK InfraSec 2002 InfraSec 2002 Bristol, 01-03 October 2002 Marco Casassa Mont Richard.

Trusted Systems Laboratory Hewlett-Packard Laboratories Bristol, UK InfraSec 2002 InfraSec 2002 Bristol, October 2002 Marco Casassa Mont Richard.
WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.

WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.
Java Security Pingping Ma Nov 2 nd, 2006. Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)

Java Security Pingping Ma Nov 2 nd, Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)

Similar presentations

Ads by Google