
A framework for identity management (ISO/IEC 24760)
Information technology — Security techniques — A framework for identity management
Part 1: Terminology and concepts
Part 2: Reference architecture and requirements

Prof. Dr. Kai Rannenberg
Deutsche Telekom Chair for Mobile Business & Multilateral Security
Goethe University Frankfurt
www.m-chair.net

WGs within ISO/IEC JTC 1/SC 27 – IT Security Techniques
ISO/IEC JTC 1/SC 27/WG 5 Identity Management & Privacy Technologies

WG 1: ISMS
WG 2: Cryptography & Security Mechanisms
WG 3: Security Evaluation
WG 4: Security Controls & Services
WG 5: Identity Management & Privacy Technologies
(Diagram axes on the slide: Assessment, Guidelines, Techniques; Product, System, Process, Environment.)

WG 5 Identity Management & Privacy Technologies – History

October 2003: JTC 1 Plenary established the JTC 1 Study Group on Privacy Technologies (SGPT) for a one-year period (until October 2004) to identify standardization needs.
October 2004: JTC 1 Plenary resolved to
- disband SGPT
- assign further activities in the Privacy Technologies area to SC 27, such as
  - a further inventory
  - a report back to the November 2006 JTC 1 Plenary

WG 5 Identity Management & Privacy Technologies – History (continued)

SC 27 activities (in response to JTC 1's request from October 2004):
- October 2004: Study Period on Identity Management established
- May 2005: Study Period on Privacy established
  - New Work Item Proposal: A framework for identity management (ISO/IEC 24760)
- May 2006: New Working Group 5 on Identity Management and Privacy Technologies established
  - Two new Work Item Proposals: A privacy framework (ISO/IEC 29100); A privacy reference architecture (ISO/IEC 29101)

WG 5 Identity Management & Privacy Technologies – Scope

Development and maintenance of standards and guidelines addressing security aspects of
- Identity management
- Biometrics
- Privacy

WG 5 Identity Management & Privacy Technologies – Programme of Work

Frameworks & Architectures
- A Framework for Identity Management (ISO/IEC 24760; Part 1 IS, Part 2 WD, Part 3 WD)
- Privacy Framework (ISO/IEC 29100, IS)
- Privacy Architecture Framework (ISO/IEC 29101, CD)
- Entity Authentication Assurance Framework (ISO/IEC 29115 / ITU-T X.1254 (formerly X.eaa), DIS)
- A Framework for Access Management (ISO/IEC 29146, WD)
- Telebiometric authentication framework using biometric hardware security module (ITU-T X.bhsm / ISO/IEC 17922, WD)

Protection Concepts
- Biometric information protection (ISO/IEC 24745, IS)
- Requirements for partially anonymous, partially unlinkable authentication (ISO/IEC 29191, CD)

Guidance on Context and Assessment
- Authentication Context for Biometrics (ISO/IEC 24761, IS)
- Privacy Capability Assessment Model (ISO/IEC 29190, WD)
- Code of practice for data protection controls for public cloud computing services (ISO/IEC 27018, WD)
- Identity Proofing (NWIP)
- Privacy impact assessment – methodology (NWIP)

WG 5 Identity Management & Privacy Technologies – Programme of Work: Frameworks & Architectures

- A Framework for Identity Management (ISO/IEC 24760)
  - Part 1: Terminology and concepts (IS)
  - Part 2: Reference framework and requirements (WD)
  - Part 3: Practice (WD)
- Privacy Framework (ISO/IEC 29100, IS)
- Privacy Architecture Framework (ISO/IEC 29101, CD)

WG 5 Identity Management & Privacy Technologies – Programme of Work: Frameworks & Architectures (continued)

- Entity Authentication Assurance Framework (ISO/IEC 29115 / ITU-T X.1254 (formerly X.eaa), FDIS)
- A Framework for Access Management (ISO/IEC 29146, WD)
- Telebiometric authentication framework using biometric hardware security module (ITU-T X.bhsm / ISO/IEC 17922, WD)

WG 5 Identity Management & Privacy Technologies – Programme of Work

- A Framework for Identity Management (ISO/IEC 24760)
  - Part 1: Terminology and concepts (IS:2011)
  - Part 2: Reference framework and requirements (WD)
  - Part 3: Practice (WD)

Identity Management (IdM) – An early approach

"Fear not, for I have redeemed you; I have called you by name: you are mine." [Isaiah 43:1]
(The slide gives the same verse in Greek [Ησαΐας 43:1], Spanish [Isaías 43:1] and German [Jesaja 43,1].)

Identity Management (IdM) – 2 sides of a medal with enormous economic potential

Organisations aim to sort out:
- User accounts in different IT systems
- Authentication
- Rights management
- Access control
Unified identities help to
- ease administration
- manage customer relations
Identity management systems
- ease single-sign-on by unifying accounts
- solve the problems of multiple passwords

People live their life in different roles (professional, private, volunteer) using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, 2nd Life names, ...
Differentiated identities help to
- protect privacy, especially anonymity
- protect personal security/safety
- enable reputation building at the same time
Identity management systems
- support users using role-based identities
- help to present the "right" identity in the right context

Identity Concepts – Working Definitions

Identity: the characteristics (attributes) representing an acting entity.
Partial identity: a subset of the characteristics of an identity.
ISO/IEC 24760-1 "A framework for identity management – Part 1: Terminology and concepts": Identity (partial identity): set of attributes related to an entity.

Why are partial identities important? [BaMe05]
- Different partial identities are assigned to and abstracted from an entity.
- The identity of an entity consists of partial identities distributed over different partners of the entity.

Partial Identities

Figure: the identity of Alice and her partial identities, grouped by attributes such as Health, Address, Birthplace, Foreign Languages, Likes & Dislikes, Payment (Diners Club), Driving Licence, Travel, Leisure and Boyfriend Bob. Based on [Clauß, Köhntopp 2001].

Stages in the Identity lifecycle

International standard ISO/IEC 24760-1:2011 defines the stages in the lifecycle of an identity in a particular domain.
Figure 1 – Identity lifecycle.

Part 1: Table of Contents

1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Identity
6 Attributes
6 Managing Identity
…nce
10 Implementation Aspects
11 Privacy

Information technology — Security techniques — A framework for identity management — Part 2: Reference architecture and requirements

Part 2: Table of Contents

1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Reference architecture
6 Requirements
Annex A Legal and regulatory aspects (Informative)

Clauses 5 & 6: Reference architecture & Requirements

5 Reference architecture
5.4 Components
6 Requirements
6.1 Access to identity information
6.2 Identity information lifecycle management
6.3 Quality of identity information
6.3.1 General
6.3.2 Information adjustment
6.4 Time reference
6.5 IT security

5.1 Overview – Possible flows of identity information (1/3)

Source actor | Action | Recipient actor | Action
Principal | Presents credentials | Verifier | Determines information to be retrieved from register and its level of assurance; performs verification
Principal | Allows capture of identity information; provides level of assurance for identity information; provides additional identity information | Identity register | Stores information indexed by reference identifier
Identity-information provider | Provides verified information for storage | Identity register | (as above)
Reference-identifier generator | If first registration, provides new unique identifier | Identity register | (as above)
Relying party | Specifies required levels of assurance for particular identity information and the mechanism(s) to validate assertions | Identity-information authority | Associates specified levels of assurance and mechanisms with relying party
Identity-information authority | Provides assertion on the level of assurance of identity information | Relying party | Validates assertion
Identity-information provider | Requests reference identifier | Reference-identifier generator | Generates reference identifier
Identity-information provider | Provides identity information to be used as reference identifier | Reference-identifier generator | Validates suitability of provided identity information as reference identifier; generates reference identifier
Reference-identifier generator | Provides generated reference identifier | Identity-information provider | Associates reference identifier with other identity information

5.1 Overview – Possible flows of identity information (2/3)

Source actor | Action | Recipient actor | Action

Provisioning
Relying party | Requests provisioning | Identity management authority | Grants or denies provision service, specifies conditions; records relying party as receiver of provisioning service
Identity-information provider | Transmits identity information | Relying party | Applies updated information to its service process
Identity-information authority | Augments identity information with assertion on the level of assurance | Relying party | Confirms the assertions meet its requirements for level of assurance

Identity adjustment
Identity management authority | Checks for identity information updates | Identity-information provider | Informs on information updates
Principal | Notifies the availability of new or changed identity information | Identity management authority | If new information is relevant, initiates identity adjustment
Identity management authority | Authorizes information update | Identity register | Stores updated information indexed by reference identifier
Identity-information provider | Defines updated identity information; provisions updated information | Relying party | Applies updated information to its service process

Revocation
Identity management authority | Decides on identity revocation | Identity register | Stores information to effect status change
Identity-information provider | Initiates provisioning of the revocation | Relying party | Applies updated information to its service process
Identity management authority | Activates new identity | Identity register | Stores information to effect status change

Identity information processing
Relying party | Applies information processing operations | Identity-information provider | Retains results
Relying party | (as above) | Identity register | Stores result of processing, possibly updating information in one or more identities

5.1 Overview – Possible flows of identity information (3/3)

Source actor | Action | Recipient actor | Action
Identity management authority | Informs on identity information processing; solicits authorization for processing operations | Principal | Grants or denies information processing operations
Principal | Requests information on identity processing | Identity management authority | Provides requested information
Identity management authority | Defines actions to be logged, incidents to be reported | All actors | Incorporate definitions in process implementation
Principal | Registers complaint | Identity management authority | Investigates complaint
Identity management authority | Maintains log of management actions | Auditor | Reviews logs and incidents
Identity register | Maintains log of data access operations | Auditor | (as above)
Identity-information provider | Maintains log of identity information requests and information provisioning activities | Auditor | (as above)
Identity-information authority | Maintains log of assurance assertions provided | Auditor | (as above)
… | Reports on incidents | Auditor | (as above)
Auditor | Reports on findings; recommends changes | Identity management authority | Adjusts policies and procedures to implement any recommended changes

5.4 Identity Management system components

Figure 1 presents the components of an identity management system. The figure also shows where an identity management system interfaces with actors and principals.
Figure 1 – Identity Management system components.

Identity Management: Types of IdM (Systems) [BaMe05]

Type 1 – Account Management: assigned identity (Tier 2), by organisation
Type 2 – Profiling: derived identity, abstracted identity (Tier 3), by organisation
Type 3 – Management of own identities: chosen identity (Tier 1), by the user himself, supported by service providers
There are hybrid systems that combine characteristics of these types.


6.2 Identity information lifecycle management

International standard ISO/IEC 24760-1:2011 defines the stages in the lifecycle of an identity in a particular domain, as reproduced in Figure 2.
Figure 2 – Stages in the Identity lifecycle.
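The flows in 5.1 (principal, identity-information provider, reference-identifier generator, identity register, identity-information authority, relying party, and the logs an auditor reviews) and the lifecycle stages referenced in 6.2 are modelled below as an added Python example written for this page; it is not code from the standard or from the presentation. The lifecycle state and transition names are the editor's recollection of ISO/IEC 24760-1:2011 Figure 1 (the slides only reference the figure) and are assumptions; the identity information for Alice, the proposed identifier "alice@example" and the assurance levels are constructed sample data.

```python
"""Toy model of the ISO/IEC 24760 actors and identity lifecycle (added example, not the standard's text)."""
from __future__ import annotations
import secrets
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):  # lifecycle states as recalled from ISO/IEC 24760-1:2011 Figure 1 (assumption)
    UNKNOWN = "unknown"
    ESTABLISHED = "established"
    ACTIVE = "active"
    SUSPENDED = "suspended"
    ARCHIVED = "archived"


# (event, current state) -> next state; event names are assumptions modelled on the Figure 1 transitions
TRANSITIONS = {
    ("enrol", State.UNKNOWN): State.ESTABLISHED, ("activate", State.ESTABLISHED): State.ACTIVE,
    ("suspend", State.ACTIVE): State.SUSPENDED, ("reactivate", State.SUSPENDED): State.ACTIVE,
    ("archive", State.ACTIVE): State.ARCHIVED, ("archive", State.SUSPENDED): State.ARCHIVED,
    ("restore", State.ARCHIVED): State.ESTABLISHED, ("delete", State.ARCHIVED): State.UNKNOWN,
}


@dataclass
class IdentityRecord:
    reference_id: str
    attributes: dict                               # identity information (set of attributes)
    assurance: dict = field(default_factory=dict)  # attribute -> level of assurance
    state: State = State.UNKNOWN


class IdentityRegister:  # stores identity information indexed by reference identifier, logs data access
    def __init__(self) -> None:
        self.records, self.access_log = {}, []  # access_log entries: (actor, operation, reference_id)

    def store(self, actor: str, record: IdentityRecord) -> None:
        self.records[record.reference_id] = record
        self.access_log.append((actor, "store", record.reference_id))

    def get(self, actor: str, reference_id: str) -> IdentityRecord:
        self.access_log.append((actor, "read", reference_id))
        return self.records[reference_id]


def generate_reference_identifier(register: IdentityRegister, proposed: str | None = None) -> str:
    """Reference-identifier generator: keep a suitable proposed identifier, otherwise mint a fresh unique one."""
    if proposed and proposed.isprintable() and proposed not in register.records:
        return proposed  # suitable: non-empty, printable, not yet used in this domain
    while True:
        candidate = "ref-" + secrets.token_hex(8)
        if candidate not in register.records:
            return candidate


class IdentityManagementAuthority:  # decides on activation, revocation etc.; every action is logged
    def __init__(self, register: IdentityRegister) -> None:
        self.register, self.management_log = register, []  # log entries: (event, reference_id, from, to)

    def apply(self, reference_id: str, event: str) -> State:
        record = self.register.get("identity management authority", reference_id)
        new_state = TRANSITIONS.get((event, record.state))
        if new_state is None:
            raise ValueError(f"{event!r} is not allowed in state {record.state.value!r}")
        self.management_log.append((event, reference_id, record.state.value, new_state.value))
        record.state = new_state
        self.register.store("identity management authority", record)  # status change takes effect in the register
        return new_state


class IdentityInformationAuthority:  # asserts the level of assurance of identity information; logs assertions
    def __init__(self, register: IdentityRegister) -> None:
        self.register, self.assertion_log = register, []

    def assert_assurance(self, reference_id: str, attribute: str) -> dict:
        record = self.register.get("identity-information authority", reference_id)
        assertion = {"reference_id": reference_id, "attribute": attribute,
                     "level": record.assurance.get(attribute, 0), "state": record.state.value}
        self.assertion_log.append(assertion)
        return assertion


def relying_party_validates(required: dict, assertion: dict) -> bool:
    """Relying party: accept only a known attribute, at or above the required level, for an active identity."""
    needed = required.get(assertion["attribute"])
    return needed is not None and assertion["level"] >= needed and assertion["state"] == State.ACTIVE.value


def run_flow() -> dict:
    """Registration, assurance assertion, activation, revocation (status change) and audit counts in one pass."""
    register = IdentityRegister()
    idm, iia = IdentityManagementAuthority(register), IdentityInformationAuthority(register)
    required = {"birthplace": 2}  # the relying party's required level of assurance (constructed)
    ref = generate_reference_identifier(register, proposed="alice@example")  # hypothetical proposed identifier
    register.store("identity-information provider",  # constructed sample identity information
                   IdentityRecord(ref, {"name": "Alice", "birthplace": "Bonn"}, assurance={"birthplace": 3}))
    idm.apply(ref, "enrol")
    before = relying_party_validates(required, iia.assert_assurance(ref, "birthplace"))   # not yet active
    idm.apply(ref, "activate")
    after = relying_party_validates(required, iia.assert_assurance(ref, "birthplace"))    # active, 3 >= 2
    idm.apply(ref, "suspend")                                                              # revocation as status change
    revoked = relying_party_validates(required, iia.assert_assurance(ref, "birthplace"))
    try:
        idm.apply(ref, "activate")  # no such transition from "suspended"
        rejected = False
    except ValueError:
        rejected = True
    return {"reference_id": ref, "validated_before_activation": before, "validated_after_activation": after,
            "validated_after_suspension": revoked, "invalid_transition_rejected": rejected,
            "management_events": [e[0] for e in idm.management_log], "assertions_logged": len(iia.assertion_log),
            "minted_fresh": generate_reference_identifier(register, proposed="alice@example").startswith("ref-")}
```

Calling `run_flow()` walks one identity through registration, assurance assertion, activation and suspension. The point worth noticing is that the relying party's decision depends on two things the standard keeps apart: the level of assurance asserted by the identity-information authority and the lifecycle status recorded in the identity register, so a status change effected by the identity management authority (here modelled as "suspend") immediately makes the same assertion unacceptable, and every step leaves an entry in a log the auditor can review.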

Part 2: Table of Contents (1/3)

1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Reference architecture
5.1 Overview
…ion flow
5.1.3 Functions
5.2 Actors
5.2.1 Identity management authority
5.2.2 Identity-information authority
5.2.3 Identity-information provider

Part 2: Table of Contents (2/3)

5.3.3 Generating reference identifier
5.3.4 Provisioning
5.3.5 Identity adjustment
5.3.6 Revocation
5.3.7 Identity information processing
5.3.8 Identity information-processing …
5.4 Components
… Identity register
5.4.3 Identity information capture
5.4.4 Reference-identifier generator
5.4.5 Identity information presentation and control

Part 2: Table of Contents (3/3)

6 Requirements
6.1 Access to identity information
6.2 Identity information lifecycle management
6.2.1 General
6.2.2 Identity information lifecycle policies
6.2.3 Labelling
6.2.4 Archived information
6.2.5 Deleted information
6.3 Quality of identity information
6.3.1 General
6.3.2 Information adjustment
6.4 Time reference
6.5 IT security
Annex A Legal and regulatory aspects (Informative)

Summary & Outlook

- IS 24760-1, completed in 2011 after several years, established important fundamental concepts, such as identity (partial identity) and attributes.
- IS 24760-2 and IS 24760-3 will need a few more years (maybe till 2014).
- Next meeting of the German mirror group of SC 27/WG 5 on August 22, with a public workshop on privacy topics on August 21 in Berlin.

References

- ABC4Trust: www.abc4trust.net
- Kim Cameron, Reinhard Posch, Kai Rannenberg: Proposal for a common identity framework: A User-Centric Identity Metasystem; pp. 477–500 in [Rannenberg, Royer, Deuker 2009]
- Sebastian Clauß, Marit Köhntopp: Identity management and its support of multilateral security. Computer Networks, Volume 37, Issue 2, October 2001, pp. 205–219
- Deutsche Telekom Chair of Mobile Business & Multilateral Security; www.m-chair.net
- FIDIS: Future of Identity in the Information Society; www.fidis.net
- FIDIS Deliverable 3.6: Study on ID Documents; 2006; www.fidis.net
- Christian Kahl, Katja Böttcher, Markus Tschersich, Stephan Heim, Kai Rannenberg: How to enhance Privacy and Identity Management for Mobile Communities: Approach and User driven Concepts of the PICOS Project; pp. 277–288 in: Kai Rannenberg, Vijay Varadharajan, Christian Weber: Security and Privacy – Silver Linings in the Cloud; Proceedings of the 25th IFIP International Information Security Conference (IFIP SEC 2010), 20–23 September 2010, Brisbane, Australia; Springer IFIP Advances in Information and Communication Technology Series, Vol. 330, ISBN 978-3-642-15256-6
- Ioannis Krontiris, Herbert Leitold, Reinhard Posch, Kai Rannenberg: eID Interoperability; pp. 167–186 in: Walter Fumy, Manfred Paeschke (Eds.): Handbook of eID Security – Concepts, Practical Experiences, Technologies; Publicis, ISBN 978-3-89578-379-1
- ISO Freely Available Standards; …ndards/index.html
- ISO Online Browsing Platform incl. Terms & Definitions; www.iso.org/obp/ui/#home
- ISO/IEC JTC 1/SC 27/WG 5: Identity Management and Privacy Technologies; www.jtc1sc27.din.de
- PICOS: Privacy and Identity Management for Community Services; www.picos-project.eu
- PRIME: Privacy and Identity Management for Europe; www.prime-project.eu
- PrimeLife: Privacy and Identity Management for Life; www.primelife.eu
- Kai Rannenberg: Multilateral Security – A concept and examples for balanced security; pp. 151–162 in: Proceedings of the 9th ACM New Security Paradigms Workshop 2000, September 19–21, 2000, Cork, Ireland; ACM Press; ISBN 1-58113-260-3
- Kai Rannenberg: CamWebSim and Friends: Steps towards Personal Security Assistants; pp. 173–176 in: Viktor Seige et al.: The Trends and Challenges of Modern Financial Services – Proceedings of the Information Security Summit; May 29–30, 2002, Prague; Tate International; ISBN 80-902858-5-6
- Kai Rannenberg: Identity management in mobile cellular networks and related applications; Information Security Technical Report; Vol. 9, No. 1; 2004; pp. 77–85; ISSN 1363-4127
- Kai Rannenberg, Denis Royer, Andre Deuker: The Future of Identity in the Information Society – Opportunities and Challenges; Springer 2009, ISBN 978-3-540-88480-4

