Identity Management

Post on 08-Jan-2017

NAME: ALANOUD SAAD ALQOUFI

ID: 435920068

SUPERVISOR: DR. AMEERAH

Identity Management

Introduction

What is Identity Management

Broad administrative area that deals with identifying individuals in a system (such as a country, a network, or an enterprise) and controlling their access to resources by associating user rights and restrictions with the established identity

What is Identity Management

Securing access to applications and information

Authentication: Proving you are who you say you are

Authorization: What you have access to, when, where

Identity Management life cycle

“Every beginning has its end”

Employee: Join, Move, Leave

Account: Create, Update, Maintenance, Remove

ILM 2007 User Provisioning

Why Identity management

Online activities involve interacting with a service provider

Each user has a digital identity

Stores and manages such identities

Stores attributes associated with users

Uses attributes to facilitate authorization

Why is identity management important?

“Your identity is your most valuable possession. Protect it. And if anything goes wrong, use your powers!” – Elastigirl

Why is identity management important?

Number of identities continues to grow:

Inside the company

With other partners

On cloud

Online identity management problems

Service provider maintains a set of user identities

Users have many identities

Users aren’t given control over their attributes

Existing work on identity management

Federated identity

Single sign-on (SSO)

Anonymous credentials

Identity Mixer

Federated identity

Where the user stores their credentials

A way to connect Identity Management systems together

A user's credentials are always stored with the "home" organization ("identity provider")

Identity provider solution

Single sign-on (SSO)

Session/user authentication process that permits a user to enter one name and password in order to access multiple applications.

Enterprise SSO (ESSO)

Enables an organization to streamline both end-user management and enterprise-wide administration of single sign-on (SSO)

Anonymous credentials

Allow users to authenticate themselves in a privacy-preserving manner

Identity Mixer

Paper 1: Federated Identity Management Systems: A Privacy-Based Characterization

Privacy-driven approach

Focus on three privacy properties

Undetectability: Concealing user actions

Unlinkability: Concealing correlations between combinations of actions and identities

Confidentiality: Enabling users’ control over dissemination of their attributes

Design Choices

[Figure labels: Unlinkability, Undetectability; Centralized, Federated, Decentralized]

Components

1. Users: Each user is associated with a person. User characterized by: Identity, Collection of attributes

2. Service Provider: Service providers authorize users.

3. Identity Providers: An identity provider can be implemented as a standalone party or as a component of a user or service provider.

Example Attribute

U.age = 25 (Inherent qualities)

U.employer = Example Co (Circumstances)

U.shopping = true (Behaviors)

U.likes_animals = true (Inclinations)

U.uid = 124 (Arbitrarily assigned values)

Traditional interaction

ISSUE?!

Active Client

CardSpace

Credential Based

Paper 2: Reshaping Puzzles for Identity Management in Large-scale Distributed Systems

Large-scale identity management

Identity management has an important role for access control in a number of distributed systems

Examples:

File sharing networks

Intrusion detection networks

Other distributed computing systems

Lightweight identity management

Obtaining identities is often lightweight

Ex. confirming an e-mail address

Users can easily join these systems

Issue?!

Minimum effort needed for a Sybil attack

Security

Speed

Sybil

Shirley Ardell Mason has multiple personality disorder

Named after the subject of the book Sybil, a case study of a woman diagnosed with dissociative identity disorder

Distributed systems threat (Sybil Attack)

Ex. Creating multiple websites with identical domain names, junk content and no quality content, just to create spam and drive traffic.

Lightweight process for creating new accounts, so that users can easily join

Spread of fake accounts (Sybil attack)

Most recent Sybil

In social networks to establish trust relationships between users

Sybil Solution

Computational puzzles

Used to defend against DoS attacks and email spam

One-way cryptographic functions that require significant computational resources to find a solution

Paper Solution

Adaptive puzzles combined with waiting time

Long-term identity management

Why?

Minimal effort for honest users

Energy consumption caused by puzzle-solving

Goal

Make it increasingly expensive for an attacker to control several identities.

Easier-to-solve puzzles for honest users

Proposed identity management scheme

Protocol for obtaining identities

Proposed mathematical model

Computing the Trust Score of Identity Requests

Measuring the Source and Network Recurrence Rates

Defining the Puzzle Complexity

Estimating the Wait Time

Pricing Identity Requests/Renewals
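The computational puzzles and the adaptive puzzle-plus-wait idea from the slides above, as an added sketch that is not code from the paper or from this presentation. The slides do not give the paper's formulas, so the mapping from a source's recurrence to puzzle bits and wait time, the constants, and all names here are assumptions; the IP addresses are constructed documentation addresses.

```python
import hashlib
import os
from collections import Counter

BASE_BITS, MAX_BITS, BASE_WAIT = 8, 20, 1.0  # assumed tuning values, not the paper's

def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def puzzle_hash(nonce: bytes, solution: int) -> bytes:
    return hashlib.sha256(nonce + solution.to_bytes(8, "big")).digest()

class IdentityIssuer:
    """Issues puzzles whose cost and wait grow with a source's request count."""
    def __init__(self):
        self.requests = Counter()  # identity requests seen per source
        self.pending = {}          # nonce -> (source, bits, earliest redeem time)

    def challenge(self, source: str, now: float):
        recurrence = self.requests[source]  # earlier requests from this source
        self.requests[source] += 1
        # Assumed mapping: each repeat adds 2 bits (4x hashing) and doubles the wait.
        bits = min(BASE_BITS + 2 * recurrence, MAX_BITS)
        wait = BASE_WAIT * 2 ** recurrence
        nonce = os.urandom(16)
        self.pending[nonce] = (source, bits, now + wait)
        return nonce, bits, wait

    def redeem(self, source: str, nonce: bytes, solution: int, now: float) -> bool:
        issued = self.pending.get(nonce)
        if issued is None or issued[0] != source or now < issued[2]:
            return False  # unknown puzzle, wrong source, or wait not yet served
        del self.pending[nonce]  # single use: a solved puzzle cannot be replayed
        return leading_zero_bits(puzzle_hash(nonce, solution)) >= issued[1]

def solve(nonce: bytes, bits: int) -> int:
    """Requester side: brute-force a counter until the hash has enough zero bits."""
    solution = 0
    while leading_zero_bits(puzzle_hash(nonce, solution)) < bits:
        solution += 1
    return solution

def demo():
    issuer, rows = IdentityIssuer(), []
    # One-off source versus one source requesting four identities.
    for source in ["198.51.100.7"] + ["203.0.113.9"] * 4:
        nonce, bits, wait = issuer.challenge(source, now=0.0)
        ok = issuer.redeem(source, nonce, solve(nonce, bits), now=wait)
        rows.append((source, bits, wait, ok))
    return rows
```

`demo()` shows the one-off source and the first request of the repeating source both getting the 8-bit puzzle, while the repeating source's later requests climb to 10, 12 and 14 bits with waits of 2, 4 and 8 seconds.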

Evaluation

PlanetLab evaluation shows:

Duration of 168 hours

160,000 users

10,000 distinct sources

Effectiveness of the Scheme in Mitigating Fake Accounts

Evaluation

1. Attacker must dedicate a large amount of resources to control 1/3 of the identities

2. Honest users are minimally affected (being assigned easier-to-solve puzzles)

3. Overall energy consumption is lower

Evaluation

Proposed scheme limitation

Only limits the access to services

Only improved the mitigation of fake accounts by 34%

Not strongly authenticating users

Conclusion

Today: Centralized Identity Management

What’s Next: Distributed / Federated ID?

Thank you

Any Questions?