Joe Pato, Principal Scientist, Trust, Security & Privacy, HP Labs. Guest Lecture - CPSC 155b
DESCRIPTION
Identity Management: Enterprise, E-Commerce and Government applications and their implications for privacy. Joe Pato, Principal Scientist, Trust, Security & Privacy, HP Labs. Guest Lecture - CPSC 155b, 10 April 2003.
TRANSCRIPT
Identity Management: Enterprise, E-Commerce and Government applications and their implications for privacy
Joe Pato, Principal Scientist
Trust, Security & Privacy
HP Labs
Guest Lecture - CPSC 155b
10 April 2003
page 2 10 April 2003 (c) 2003 Hewlett-Packard
Introduction
• Future – Ubiquitous Computing
  – Ginger Segue
• Identity Management
  – What is Identity
  – Authentication
  – Enterprise / Internet / Government contexts
• Privacy Considerations
page 3
Identity Management
Identity Management is:
– the set of processes, tools and social contracts surrounding
  • the creation
  • maintenance
  • and termination of a digital identity
– for people or, more generally, for systems and services
– to enable secure access to an expanding set of systems and applications.
page 4
Views of Identity
[Diagram: several partial views of one individual – “My view of me”, Employer view of me, Government view, Credit Bureau view, Foo.com view of me – which together make up “The Aggregate Me”]
page 5
Some Definitions
• Courtesy of: Who Goes There? Authentication Through the Lens of Privacy, Committee on Authentication Technologies and Their Privacy Implications, Computer Science and Telecommunications Board, The National Academies, Washington, D.C. http://cstb.org/
page 6
Individual
An individual is a person.
page 7
Identifier
An identifier identifies an individual.
“Lamont Cranston”
“Employee #512657”
page 8
Attribute
An Attribute describes a property associated with an individual
page 9
Identity
“The Shadow”
“an identity of X” is the set of information about an individual X associated with that individual in a particular identity system Y
page 10
Identification
Identification is the process of using claimed or observed attributes of an individual to infer who the individual is
page 11
Authenticator
An authenticator is evidence which is presented to support authentication of a claim.
It increases confidence in the truth of the claim
page 12
Authentication
Authentication is the process of establishing confidence in the truth of some claim
There are different types of authentication…
page 13
Attribute Authentication
Attribute Authentication is the process of establishing an understood level of confidence that an attribute applies to a specific individual
page 14
Individual Authentication
Individual Authentication is the process of establishing an understood level of confidence that an identifier refers to a specific individual
“Lamont Cranston”
page 15
Identity Authentication
Identity Authentication is the process of establishing an understood level of confidence that an identifier refers to an identity
“The Shadow”
page 16
Authorization
Authorization is the process of deciding what an individual ought to be allowed to do
page 17
Internet vs. Enterprise
• Organizational control of population
• Ability to issue tokens
• Ability to mandate desktop software
• Direct vs. network access
• Scale of population
• Privacy Issues
page 18
Government’s Unique Role
• Regulator, Issuer of identity documents, Relying Party
• Unique Relationship with Citizens
  – Many transactions are mandatory
  – Agencies cannot choose their markets
  – Relationships can be cradle-to-grave
  – Individuals may have higher expectations for government
• Provider of Services
  – A common identifier may be in tension with principles of the Privacy Act
page 19
Foundational Documents Pose Risks
• Many of these documents are very poor from a security perspective
  – Diverse issuers
  – No ongoing interest on the part of the issuer to ensure validity/reliability
• Birth certificates are particularly poor
  – Should not be the sole base identity document
page 20
Identity Management Components
[Diagram: components – Repository, Authentication Provider, Policy Control, Auditing, Provisioning, Longevity, Single Sign-On, Personalization, Access Management – arranged in layers labelled Foundation, Lifecycle and Consumable]
page 21
Authentication Technologies
• Passwords
• Tokens
• Smartcards
• Biometrics
• PKI
• Kerberos
page 22
Federated Identity: Liberty Alliance
[Diagram: Liberty specification stack – Liberty Identity Federation Framework (ID-FF), Liberty Identity Web Services Framework (ID-WSF), Liberty Identity Services Interface Specifications (ID-SIS) – built on XML, SAML, XML-DSIG, WAP, HTML, WSS, WSDL, SOAP, SSL/TLS]
page 23
Privacy
• Numerous philosophical approaches
• Four types discussed here
  – Information privacy
  – Bodily integrity
  – Decisional privacy
  – Communications privacy
page 24
General Privacy Implications
• Authentication can implicate privacy – the broader the scope, the greater the potential privacy impact
• Using a small number of identifiers across systems facilitates linkage, affects privacy
• Incentives to protect privacy are needed
• Minimize linkage and secondary use
page 25
Multiple Stages at which Privacy is Affected
• Authentication, generally
• Choice of Attribute
• Selection of Identifier
• Selection of Identity
• The Act of Authentication
• These are just in the design stage, before transactional data collection, linkage, secondary use issues, etc.
• Chapter 7’s toolkit describes each of these in detail
page 26
1. Authentication’s Implications Separate from Technology:
• The act of authentication affects privacy, regardless of the technology used
• Requires some revelation and confirmation of personal information
  – Establishing an identifier or attribute
  – Potential transactional records
  – Possible exposure of information to parties not involved in authentication
page 27
2. Attribute Choice Affects Privacy
• Informational privacy
  – Distinctive vs. more general
  – Minimize disclosure
  – Ensure data quality
  – Avoid widely-used attributes
• Decisional – If sensitive, may impinge on willingness to participate
• Bodily integrity – If requires physical collection, may be invasive
• Communications – If attribute reveals address, phone, network
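The linkage point made on the General Privacy Implications slide ("using a small number of identifiers across systems facilitates linkage"), the Liberty Alliance federation slide and the attribute-choice bullets above ("distinctive vs. more general", "minimize disclosure"), worked through as an added Python example. This is not code from the slides, from HP Labs or from the Liberty specifications. An identity provider hands each relying party a pairwise pseudonym and only the attribute it asked for; two relying parties that pool their logs can join their records when a global identifier (the e-mail address) was released to both, but not when pairwise pseudonyms were. The identity record, the relying-party names, the shared keys and the HMAC that stands in for an XML-DSIG signature are all constructed assumptions.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed sample data for this example: the identity provider's (IdP's)
# master record for one individual. All names and values are made up.
IDP_RECORDS = {
    "user-0001": {
        "name": "Lamont Cranston",
        "email": "lamont@example.net",
        "birthdate": "1979-03-14",
        "employee_id": "512657",
    },
}

# Hypothetical long-term secret known only to the IdP. It is what keeps the
# per-relying-party pseudonyms unlinkable by anyone who lacks it.
IDP_PSEUDONYM_SECRET = b"idp-pseudonym-secret-(example-only)"

# Hypothetical keys shared between the IdP and each relying party (RP). An
# HMAC over the assertion stands in for the XML-DSIG signature a real
# SAML / ID-FF deployment would carry.
RP_KEYS = {
    "foo.com": b"foo-rp-shared-key-(example-only)",
    "bank.example": b"bank-rp-shared-key-(example-only)",
}

LECTURE_DATE = date(2003, 4, 10)  # fixed "today" so derived ages are reproducible


def pairwise_pseudonym(user_id: str, rp: str) -> str:
    """Identifier that is stable for one (user, RP) pair but differs per RP.
    Without IDP_PSEUDONYM_SECRET, no RP can compute another RP's value."""
    msg = f"{rp}\x00{user_id}".encode()
    return hmac.new(IDP_PSEUDONYM_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def derive_attribute(record: dict, attr: str, today: date):
    """Release the least distinctive form that satisfies the RP's need:
    'over_21' is a yes/no derived from the birthdate, not the birthdate itself."""
    if attr == "over_21":
        b = date.fromisoformat(record["birthdate"])
        age = today.year - b.year - ((today.month, today.day) < (b.month, b.day))
        return age >= 21
    return record[attr]  # KeyError for attributes the IdP does not hold


def issue_assertion(user_id: str, rp: str, requested: list, today: date = LECTURE_DATE) -> dict:
    """IdP side: sign an assertion carrying only the requested attributes,
    keyed by a pairwise pseudonym instead of a global identifier."""
    record = IDP_RECORDS[user_id]
    body = {
        "subject": pairwise_pseudonym(user_id, rp),
        "audience": rp,
        "attributes": {a: derive_attribute(record, a, today) for a in requested},
    }
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(RP_KEYS[rp], payload, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_assertion(assertion: dict, rp: str) -> dict:
    """RP side: check signature and audience before trusting any attribute."""
    payload = json.dumps(assertion["body"], sort_keys=True).encode()
    expected = hmac.new(RP_KEYS[rp], payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        raise ValueError("bad signature")
    if assertion["body"]["audience"] != rp:
        raise ValueError("assertion was issued for a different relying party")
    return assertion["body"]


def linkable_subjects(log_a: dict, log_b: dict) -> set:
    """Two RPs pool their logs: which subjects can be joined on the identifier?"""
    return set(log_a) & set(log_b)


def demo() -> dict:
    """Design A (global identifier) versus design B (pairwise pseudonym)."""
    # A: the e-mail address is released to every RP and used as the subject key.
    foo_log, bank_log = {}, {}
    for rp, log in (("foo.com", foo_log), ("bank.example", bank_log)):
        body = verify_assertion(issue_assertion("user-0001", rp, ["email"]), rp)
        log[body["attributes"]["email"]] = body["attributes"]
    linked_a = linkable_subjects(foo_log, bank_log)

    # B: pairwise pseudonym as the key, and only the attribute each RP needs.
    foo_body = verify_assertion(issue_assertion("user-0001", "foo.com", ["over_21"]), "foo.com")
    bank_body = verify_assertion(issue_assertion("user-0001", "bank.example", ["name"]), "bank.example")
    linked_b = linkable_subjects({foo_body["subject"]: 1}, {bank_body["subject"]: 1})

    return {
        "linked_with_global_id": sorted(linked_a),
        "linked_with_pairwise_ids": sorted(linked_b),
        "foo_sees": foo_body["attributes"],
        "bank_sees": bank_body["attributes"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The pseudonym is keyed by the relying party's name, so the same individual is a different subject at foo.com and at bank.example, and the secret that would let anyone recompute the mapping never leaves the identity provider. Secondary use is also narrowed: foo.com only ever learns "over 21", so its log cannot be repurposed to reveal a birthdate it never held.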
page 28
3. Identifier Selection Affects Privacy
• Informational privacy
  – Identifier itself may be revealing
  – Will link to the individual
• Decisional – Fewer effects if random or if it allows for pseudonymous participation
• Bodily integrity – Minimal effects
• Communications – Problem if identifier is an address or number (telephone, IP address, etc.)
page 29
4. Identity Selection Affects Privacy
• Three possibilities
  – Identifier is the only information available to the system
  – Identifier is not linked to information outside of the system
  – Identifier may be linked to outside records
• Tracking transactional information poses a risk to decisional privacy
• All issues related to identifier choice remain relevant here
page 30
5. Act of Authentication Affects Privacy
• Authentication is usually accomplished by observing the user or requiring support of the claim
• Informational – If records are kept
• Decisional – Intrusiveness and visibility may affect
• Bodily Integrity – If close contact is required
• Communications – If use of communication systems is required
page 31
Additional Issues
• When is authentication really necessary?
• Secondary use of identifiers
  – Without the original system limits in mind, usage can become highly inappropriate
  – This can lead to privacy and security problems, compromise the original mission, and generate additional costs
• Explicit recognition of the appropriateness of multiple identities for individuals
• Usability
  – Design systems with human limits in mind!
  – Employ user-centered design methods
• Identity theft as a side effect of authentication system design choices
page 32
As for Nationwide Identity Systems…
• Driver’s licenses are a nationwide identity system
• The challenges are enormous
  – Inappropriate linkages and secondary use likely without restrictions
• Biometrics databases and samples would need strong protection
• Any new proposals should be subject to analysis here and in IDs—Not That Easy
page 33
Questions
Follow-up:
Joe Pato
HP Labs
One Cambridge Center – 11th Floor
Cambridge, MA 02142