Olli Jussila Adaptive R&D TeliaSonera

Transcription

1 Olli Jussila Adaptive R&D TeliaSonera

2 Agenda TeliaSonera at a glance Project presentation Technical results Business model and actor benefits End user experience Dissemination activities Conclusion 23/02/07 Page 2

3 The Nordic and Baltic leader in telecommunications N O R W A Y F I N L A N D Net sales 2006 EUR 9790 million Strong positions in mobile in Eurasia, Russia and Turkey through subsidiaries and associated companies D E N M A R K 23.5 million customers E S T O N I A L A T V I A Mobile services launched in Spain at the end of 2006 S W E D E N L I T H U A N I A Number of employees: 28,000 Number of Customers as of December, 2006

4 Identity Management Nightmare! Multiple accounts, multiple credentials everywhere 23/02/07 Page 4

5 The Liberty solution Id-ff Sign on s with my IDP account Identifiers 1 Circle of trust Share My personal information Id-wsf IDP Identity Provider 3 W Attribute Provider Profiles Service Provider Service Provider Single Sign On 2 To other website Id-ff 23/02/07 Page 5

6 FIDELITY project assumptions Potential Identity Providers and Circles of Trust are numerous Users will navigate among these Circles of Trust One CoT should be able to establish trust relations with another CoT to allow Identity roaming 23/02/07 Page 6

7 FIDELITY project in a nutshell Set up 4 heterogeneous Circles of Trust Deploy strong authentication mechanisms Demonstrate the inter-operability of these Circles of Trust regarding: Liberty Alliance technical specifications Business model EU legal constraints User experience Provide standardisation and implementation contributions 23/02/07 Page 7

8 FIDELITY project members 4 telcos, setting up the CoTs : France Telecom, Amena, Telenor, TeliaSonera 3 industrial partners, providing ID platforms and software Ericsson, Gemalto, Italtel 3 SMEs, and 1 university, providing specific skills and software TB-Security, Linus, Moviquity, Oslo university college 23/02/07 Page 8

9 FIDELITY final results Technical results 23/02/07 Page 9

10 Implementation of principal COTs/interCOT infrastructure and services The four CoTs in France, Finland, Norway and Spain have been established. Each CoT has an Identity Provider some Service Providers with Web service consumers WSC and some Attribute Providers (Web service providers W) In each COT: ID-FF V1.2 (Identity Federation and SSO) has been fully tested ID-WSF V1.1(Identity Web Service Framework) has been tested Product from different vendors have been used in order to test interoperability of Liberty software implementation 23/02/07 Page 10

11 Architecture and Information flow (simplified view) Service Provider with WSC V-IdP V-CoT V-DS 1. A user access a service 2. re-directs user to V-IDP 3. V-IDP re-directs/proxies user to H- IDP 4. H-IDP maps the authentication context request of V-IDP and authenticates a user Auth. assertion including DS info is returned and to V-IDP and V H-CoT 7-8. (WSC) requests end point of H-W from H-DS. 4 H-IdP H-DS H- W (WSC) requests service from H-W 11. According privacy settings H-W initiates user-consent process via and Interaction service. W is also able to request stronger authentication via WSC/ 23/02/07 Page 11

12 The French CoT Book a Hotel Student exchange Where Restaurant Wallet Attribute registration registration IDP IDP Technical Identity Provider User/passord EAP/SIM + password Software PKI DS W Wallet Profile W Personal Profile W Geolocation Profile 23/02/07 Page 12

13 The Finnish CoT Where Restaurant Register with a mobile Privacy Manager User/passord OT sms (+ password) WPKI Book A Hotel EAP / SIM IDP / DS Identity Provider GPRS HLR W Wallet Profile W Personal Profile W Geoloc Profile W Calendar Profile W Student Profile 23/02/07 Page 13

14 InterCoT Single Sign On Authentication Contexts Level Strong Moderate Basic Methods PC PKI Mobile WPKI PC egate EMV PC + Mobile OTP Mobile TP ISO OTP Mobile USB OTP PC EAP/SIM PC 3.48/SIM GPRS authentication Plain UserID/password SSL UserID/password Supported? YES YES YES YES 7. Mobile USB-OTP 4. PC EAP/SIM please? Level Strong Moderate Basic Methods PC PKI Mobile WPKI PC egate EMV PC + Mobile OTP Mobile TP ISO OTP Mobile USB OTP PC EAP/SIM PC 3.48/SIM GPRS authentication Plain UserID/password SSL UserID/password Supported? YES YES YES YES 5. Some other from the same level? 8.Authenticated ok, empty context Or V- V-IDP H-IDP Requested context PC EAP/SIM please? 1. User accesses service provider User Agent 6. Authentication with the user 23/02/07 Page 14

15 InterCoT attribute sharing (ID-WSF) InterCoT Discovery Service Direct Access. By using this method, the V-WSC requests directly the Discovery Service of the H-CoT (H-DS) DS-proxying. By using this method, the Discovery Service of the V-CoT (V-DS) acts as a DS-proxy between the V-WSC and the H-DS. DS-chaining. By using this method, the V-WSC requests first the V-DS which redirects it to the H-DS. Tested If direct access is used, then we recommend the deployment of a Trust model based on PKI 23/02/07 Page 15

16 ID-WSF trust model for attribute sharing IntraCoT vs. InterCoT In IntraCoT, every (H-) (H-)W pair has a direct business agreement implying direct trust relationship Technically, the trust between ID-WSF entities is established by exchanging metadatas on a bilateral basis In InterCoT, the business agreements are established only between IDPs but there is no direct business relationship between V- and H- W Technically, exchanging metadatas between every V- H-W pair would be far too exhaustive provisioning of metadatas would require too much effort Fidelity PKI trust model enables business model for InterCoT attribute sharing between V- and H-W Technically, this is implemented by using hierarchical certificate path validation (RFC3280) 23/02/07 Page 16

17 InterCoT Relationship Establishment CA certificate exchange Root CoT CA Root W IDP 1 CoT CA IDP 2 W IDPs exchange the CA certificate chains, and delivers them to their other IntraCoT entities (s and Ws) 23/02/07 Page 17

18 InterCoT Relationship Establishment Root CA cert Compliant with RFC3280 CoT CA cert is associated with trusts CoT CA cert W includes / WSC CoT CRL Home CoT Service request Visited CoT Certification revocation status check 23/02/07 Page 18

19 FIDELITY final results Business Scenarios, Actors benefits 23/02/07 Page 19

20 Business scenarios Closed Scenario: Single Company IDP and IDs IDP IDs Open Scenario: Telecom as IDP for external Inter-CoT Scenario: Telecom Operator alliances with internal and external s IDs IDP IDs Inter-CoT Scenario Multidomains Multi domain IDP alliances with internal and external s IDs IDP IDs 23/02/07 Page 20

21 Actors Benefits Identity Provider Large user base Attract new user Enforce their trust relation with the user Offer (sell) strong and complex authentication methods Service Providers Attract users Simplify local user management Use Strong authentication Rely on user identity attributes User Simple and secure authentication Ease of attribute management, control of data dissemination Respect of his privacy The virtuous circle : More users More services 23/02/07 Page 21

22 FIDELITY final results End User Experience 23/02/07 Page 22

23 Circle of Trust (CoT) and Circle of CoT (CoCoT) Concepts explanation and representation Explain to the user what is a CoT, what is CoCoT Represent concepts with pictures: CoCoT logo/brand Master Key = IDP credentials CoT logo/brand Key = credentials CoT Homepage Disclaimer SSO description Attribute sharing description List of the belonging to the CoT Map of the CoT and the CoT's partners (CoCoT) Registration area Personal area for registered users 23/02/07 Page 23

24 FIDELITY final results Dissemination activities 23/02/07 Page 24

25 Fidelity: Dissemination Advisory Boards in each telco Liberty Meetings (plenary, TEG) 3GSM World Congress 2007 IST 2006 E challenge ISSE in Roma Internet Global Congress Barcelona Security and identity management event in Barcelone France Telecom R&D result event in Paris Telecom I+D, Madrid Celtic and Eureka events Website : Demo Kit : Public documents : Standardization activities (Wallet + calendar ID-WSF Serv. Interf. spec) 23/02/07 Page 25

26 Conclusion of the FIDELITY project From a technical, business, legal and ergonomic point of view, Liberty solves the IDM issue and can be extended to InterCoT. But read our public recommendations anyway The very good cooperation and acceptance between all partners was the basis for the success of the project. The consortium is satisfied with the results obtained and will now begin to exploit them. 23/02/07 Page 26

27 Thank you for your attention Any questions? 23/02/07 Page 27