
The Evolution of Identity Management February 18, 2005 © Copyright 2004, Credentica – all rights reserved Dr. Stefan Brands.

Presentation transcript:

1 The Evolution of Identity Management (title slide, February 18, 2005, Dr. Stefan Brands)

2 Part I: The evolution of conventional I&AM

3 Set-up: Identity enrolment & provisioning
Diagram: user I with attributes a1, a2, … registered at the Attribute Server (AS) and Identity Server (IdS); Resource Provider (RP).
I&AM set-up: enrollment in the Identity Server (IdS); provisioning in the Attribute Server (AS); identity token issuance.
Next slides: access to the Resource Provider (RP).

4 Phase 0: Intra-enterprise I&AM (today)
Diagram: user I presents an identity token to the RP; the RP queries IdS/AS and receives yes/no.
Concern categories: Security, Privacy, Other (no issues listed for this phase).

5 Phase 1: Access by "extended" user (today)
Diagram: same as Phase 0, with the user outside the enterprise.
Concerns: Security (none listed); Privacy: no access privacy; Other (none listed).

6 Phase 2: Federated access (in progress …)
Diagram: IdS/AS serving several RPs.
Concerns: Security: availability, insider fraud, IdS & AS exposed, denial of service. Privacy: RP can trace User, IdS can trace User, IdS can monitor RP, IdS cross-profiling. Other: RP–IdS/AS relation.

7 Phase 3: Federated I&AM (a la SAML)
Diagram: IdS/AS serving several RPs.
Concerns: Security: availability, insider fraud, IdS & AS exposed, denial of service. Privacy: RP can trace User, IdS can trace User, IdS can monitor RP, IdS cross-profiling, privacy legislation. Other: RP–IdS/AS relation.

8 Phase 3: Federated I&AM (a la SAML), continued
Concerns as on the previous slide, with one addition under Other: scalability.

9 Phase 4: Data sharing a la Liberty Alliance
Diagram: IdS/AS serving several RPs, with attribute data shared between them.
Concerns: Security: availability, insider fraud, IdS & AS exposed, denial of service. Privacy: RP can trace User, IdS can trace User, IdS can monitor RP, IdS cross-profiling, privacy legislation. Other: RP–IdS/AS relation, scalability.

10 Phase 5: Cross-federated I&AM (not yet …)
Concerns: Security: availability, insider fraud, IdS & AS exposed, denial of service. Privacy: RP can trace User, IdS can trace User, IdS can monitor RP, IdS cross-profiling, privacy legislation. Other: RP–IdS/AS relation, scalability.

11 Phase 5: Cross-federated I&AM (not yet …), continued
Diagram: an IdP added across federations. Concerns unchanged from the previous slide.

12 Part II: Solution with Digital Credentials

13 Digital Credentials
- The digital equivalent of real-world objects issued by "trusted" issuers: driver licenses, passports, stamps, coupons, entitlements, cash, ballots, credit report data, health record entries, …
- New "credentials" that have no real-world equivalent
- Unique security, privacy, and efficiency features
- Independent "sliders": pick according to application needs
- Traditional digital certificate techniques do not work: inescapable systemic identification, security problems, inefficient
  - Note: encryption only protects against content wiretapping
- Security is tied to the "attribute" data itself, so that the credential information can flow anywhere
- Accomplished through modern cryptographic techniques

14 Life-cycle of a Digital Credential
Diagram: Alice's credential carries the attributes American, 23 y.o., Married, Teacher; parties shown are RA, CA, User, Verifier and 3rd party.
- The Registration Authority can prepare a DC with some verified user attributes. It can hide the attributes before passing the DC to the CA.
- The CA can add some more attributes and then certifies the DC.
- The User knows all the attributes.
- The User can disclose a subset of the attributes to a verifier.
- The Verifier can prove the transaction to a 3rd party. It can also hide some disclosed attributes.
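The life-cycle above, as an added worked example that is not from the slides or from Credentica: each attribute gets its own salted hash commitment, so the RA can hand the CA only commitments, the user reveals a subset by giving its openings, and a verifier can relay fewer openings to a third party. This is a simplified stand-in, not Brands' credential scheme; CA_KEY and the HMAC that replaces the CA's signature are constructed assumptions.

```python
import hashlib, hmac, os
CA_KEY = b"constructed-ca-key"  # constructed; stands in for the CA's signing key

def commit(name, value, salt):
    """Salted hash commitment to one attribute; (value, salt) is its opening."""
    return hashlib.sha256(f"{salt}|{name}={value}".encode()).hexdigest()

def fresh_openings(attrs):
    return {n: (v, os.urandom(16).hex()) for n, v in attrs.items()}

def ra_prepare(verified_attrs):
    """RA commits to attributes it verified: commitments go to the CA, openings to the user."""
    openings = fresh_openings(verified_attrs)
    return {n: commit(n, v, s) for n, (v, s) in openings.items()}, openings

def _serialize(commitments):
    return ";".join(f"{n}:{c}" for n, c in sorted(commitments.items())).encode()

def ca_certify(ra_commitments, ca_attrs):
    """CA appends its own attributes and certifies the list (HMAC stands in for a signature)."""
    openings = fresh_openings(ca_attrs)
    commitments = {**ra_commitments, **{n: commit(n, v, s) for n, (v, s) in openings.items()}}
    tag = hmac.new(CA_KEY, _serialize(commitments), hashlib.sha256).hexdigest()
    return {"commitments": commitments, "tag": tag}, openings

def disclose(credential, openings, names):
    """Present the credential plus the openings of only the named attributes
    (used by the user, and again by a verifier relaying to a third party)."""
    return {"credential": credential, "revealed": {n: openings[n] for n in names}}

def verify(presentation):
    """Return the disclosed attributes, or None on a bad tag or a bad opening."""
    cred = presentation["credential"]
    expect = hmac.new(CA_KEY, _serialize(cred["commitments"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, cred["tag"]):
        return None
    for n, (v, s) in presentation["revealed"].items():
        if cred["commitments"].get(n) != commit(n, v, s):
            return None
    return {n: v for n, (v, _) in presentation["revealed"].items()}

def run_lifecycle():
    """Walk the life-cycle for a constructed 'Alice' credential."""
    ra_comm, ra_open = ra_prepare({"name": "Alice", "nationality": "American", "age": "23"})
    cred, ca_open = ca_certify(ra_comm, {"married": "yes", "job": "Teacher"})
    openings = {**ra_open, **ca_open}                         # user knows all attributes
    to_verifier = disclose(cred, openings, ["age", "job"])    # user discloses a subset
    to_third_party = disclose(cred, to_verifier["revealed"], ["job"])  # verifier hides age
    return verify(to_verifier), verify(to_third_party)
```

Undisclosed attributes stay hidden behind their commitments, while any altered value or forged certification makes verify() return None.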

15 Example: privacy-friendly CRL
Diagram: the Verifier holds a BLACKLIST of names ("Bob Barker", "Dan Daniels", "Hilary Heintz", "Ed Edwards", "Max Murray", "Frank Foster", "Charlie Colm", "George Gosp"); Alice Smith presents token-specific information, which the verifier checks against the list.

16 Example: privacy-friendly blacklist
Diagram: the BLACKLIST now also contains "Alice Smith"; the Verifier matches Alice's token-specific information against it.

17 Non-intrusive account linking
Diagram: user I with attributes a1, a2, … at AS/IdS; two RP accounts, "John D" = Y (j1, j2, …) and "Doe, J" = X (d1, d2, …), linked through the user's tokens.

18 Non-intrusive data sharing across accounts
Diagram: attributes j1, j2, … from account Y ("John D") are shared with account X ("Doe, J") at the RP.

19 Federated access control
Diagram: account X ("Doe, J") at one RP and account Y ("John D") at another; attribute sets j1 j2, z1 z2, v1 v2 are presented and the RP answers yes/no.

20 Federated security services
Diagram: two RPs with accounts X and Y; on ABUSE, an entry in the CRL at Y propagates to the CRL at X, establishing X = Y for the abusing user.

