NAME: ALANOUD SAAD ALQOUFI    ID: 435920068    SUPERVISOR: DR. AMEERAH
Identity Management
Introduction
What is Identity Management
Broad administrative area that deals with identifying individuals in a system (such as a country, a network, or an enterprise) and controlling their access to resources by associating user rights and restrictions with the established identity
What is Identity Management
Securing access to applications and information
Authentication: Proving you are who you say you are
Authorization: What you have access to, when, where
Identity Management life cycle
“Every beginning has its end”
Employee lifecycle: Join -> Move -> Leave
Account lifecycle: Create -> Update/Maintenance -> Remove
ILM 2007 User Provisioning
Why Identity management
Online activities involve interacting with a service provider.
Each user has a digital identity.
Identity management stores and manages such identities:
Stores attributes associated with users
Uses attributes to facilitate authorization
Why Identity management important?
“Your identity is your most valuable possession.
Protect it. And if anything goes
wrong, use your powers!” – Elastigirl
Why Identity management important?
Number of identities continues to grow:
Inside the company
With other partners
On cloud
Online identities managements problems
Service provider maintains a set of user identities
Users have many identities
Users aren't given control over their attributes
Existing work on identity management
Federated identity
Single sign-on (SSO)
Anonymous credentials
Identity Mixer
Federated identity
Where does the user store their credentials?
A way to connect identity management systems together.
A user's credentials are always stored with the "home" organization (the "identity provider").
Identity provider solution
Single sign-on (SSO)
Session/user authentication process that permits a user to enter one name and password in order to access multiple applications.
Enterprise SSO (ESSO)
Enables an organization to streamline both end-user management and enterprise-wide administration of single sign-on (SSO)
Anonymous credentials
Allow users to authenticate themselves in a privacy-preserving manner
Identity Mixer
Paper1: Federated Identity Management Systems:A Privacy-Based Characterization
Privacy-driven approach
Focus on three privacy properties:
Undetectability: Concealing user actions
Unlinkability: Concealing correlations between combinations of actions and identities
Confidentiality: Enabling users' control over dissemination of their attributes
Design Choices
(Figure: design choices compared on unlinkability and undetectability: centralized, federated, decentralized)
Components
1. Users: Each user is associated with a person. A user is characterized by an identity, a collection of attributes.
2. Service Providers: Service providers authorize users.
3. Identity Providers: An identity provider can be implemented as a standalone party or as a component of a user or service provider.
Example attributes and the kind of information each carries:
U.age = 25 (inherent qualities)
U.employer = Example Co (circumstances)
U.shopping = true (behaviors)
U.likes_animals = true (inclinations)
U.uid = 124 (arbitrarily assigned values)
Traditional interaction
ISSUE?!
Active Client
CardSpace
Credential Based
Paper2: Reshaping Puzzles for Identity Management in Large-scale Distributed Systems
large-scale identity management
Identity management has an important role for access control in a number of distributed systems
Examples: file sharing networks, intrusion detection networks, other distributed computing systems
Lightweight identity management
Obtaining identities is often lightweight, e.g. confirming an e-mail address.
Users can easily join these systems.
Issue?! Creating identities takes minimal effort, which also makes a Sybil attack cheap.
Trade-off: Security vs. Speed
Sybil
Named after the subject of the book Sybil, a case study of Shirley Ardell Mason, a woman diagnosed with dissociative identity disorder (multiple personality disorder).
Distributed systems threat(Sybil Attack)
Ex. creating multiple websites with identical domain names and junk content, with no quality content, just to create spam and drive traffic.
A lightweight process for creating new accounts, so that users can easily join, also allows the spread of fake accounts (Sybil attack).
Most recent Sybil
In social networks to establish trust relationships between users
Sybil Solution
Computational puzzles: used to defend against DoS attacks and e-mail spam.
One-way cryptographic functions that require significant computational resources to find a solution.
Paper Solution
Adaptive puzzles combined with waiting time, for long-term identity management.
Why? Minimal effort for honest users, and lower energy consumption caused by puzzle-solving.
Goal
Make it increasingly expensive for an attacker to control several identities.
Easier-to-solve puzzles for honest users
Proposed identity management scheme
Protocol for obtaining identities
Proposed mathematical model
Computing the trust score of identity requests
Measuring the source and network recurrence rates
Defining the puzzle complexity
Estimating the wait time
Pricing identity requests/renewals
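As an added example (not code from the slides or from the paper), the following Python sketch ties together the computational-puzzle slide and the model steps listed above: a trust score derived from a source's recurrence rate sets the puzzle complexity and the wait time. The scoring formulas, the per-source counters and the SHA-256 leading-zero puzzle are constructed assumptions for illustration, not the paper's model.

```python
import hashlib
from collections import defaultdict

# Constructed model (an assumption for this example, not the paper's formulas): a source
# whose share of identity requests exceeds the network average gets a lower trust score.

def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a 32-byte SHA-256 digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()

def solve_puzzle(challenge: bytes, bits: int) -> int:
    """Client side: brute-force a counter so SHA-256(challenge||counter) has `bits` leading zeros."""
    counter = 0
    while leading_zero_bits(hashlib.sha256(challenge + str(counter).encode()).digest()) < bits:
        counter += 1
    return counter

def verify_puzzle(challenge: bytes, bits: int, counter: int) -> bool:
    """Server side: one hash to check a claimed solution before granting an identity."""
    return leading_zero_bits(hashlib.sha256(challenge + str(counter).encode()).digest()) >= bits

class PuzzleIssuer:
    """Tracks identities granted per source and adapts puzzle cost and wait time."""
    def __init__(self, base_bits=8, max_bits=24, max_wait=600):
        self.granted = defaultdict(int)  # identities granted per source (e.g. network address)
        self.base_bits, self.max_bits, self.max_wait = base_bits, max_bits, max_wait

    def recurrence_rate(self, source) -> float:
        """Source recurrence: share of all granted identities that went to this source."""
        total = sum(self.granted.values())
        return self.granted.get(source, 0) / total if total else 0.0
    def trust_score(self, source) -> float:
        """1.0 at or below the network-average share per source, decaying toward 0 above it."""
        avg = 1.0 / max(len(self.granted), 1)
        rate = self.recurrence_rate(source)
        return 1.0 if rate <= avg else avg / rate
    def puzzle_bits(self, source) -> int:
        """Puzzle complexity: more leading zero bits required as trust drops."""
        return self.base_bits + round((1 - self.trust_score(source)) * (self.max_bits - self.base_bits))
    def wait_seconds(self, source) -> int:
        """Wait time before the identity is delivered, also growing as trust drops."""
        return round((1 - self.trust_score(source)) * self.max_wait)

    def grant(self, source, challenge: bytes, counter: int) -> bool:
        """Accept a solved puzzle at the source's current complexity and record the identity."""
        if not verify_puzzle(challenge, self.puzzle_bits(source), counter):
            return False
        self.granted[source] += 1
        return True
```

With five sources holding one identity each and one source holding ten, the heavy source is assigned a 20-bit puzzle and a 450 s wait while the others keep the 8-bit base puzzle and no wait.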
Evaluation
PlanetLab evaluation: duration of 168 hours, 160,000 users, 10,000 distinct sources
Effectiveness of the scheme in mitigating fake accounts
Evaluation
1. Attacker must dedicate a large amount of resources to control 1/3 of the identities
2. Honest users are minimally affected (being assigned easier-to-solve puzzles)
3. Overall energy consumption is lower
Evaluation
Proposed scheme limitation
Only limits access to services
Only improved the mitigation of fake accounts by 34%
Does not strongly authenticate users
Conclusion
Today: Centralized Identity Management What’s Next: Distributed / Federated ID?
Thank you Any Questions?