Federated Identity Management and Network Virtualization


Yang Cui and Kostas Pentikousis
3rd ETSI Future Networks Workshop, 10 April 2013, Sophia Antipolis, France
The opinions expressed in this presentation are those of the authors and do not necessarily represent the views of Huawei Technologies Co., Ltd.

Talk Outline
- Federated ID Management Today
- Towards Network Virtualization
- Problems and Requirements
- Service and Operator Co-operation
- Single Sign-On (SSO) in Network Virtualization
- Multi-factor Authentication
- Standardization Challenges

Federated ID Management Today
- Single Sign-On (SSO): a centralized authentication server. It reduces costs and makes the user's life easier, but it makes that server a highly critical component. 3GPP SA3 study item TR 33.804: SSO for IMS.
- OpenID: a URI serves as the federated ID. There is no central Certification Authority (CA), hence low trust and security levels.
- Security Assertion Markup Language (SAML): an XML-based open-standard data format for exchanging authentication data between an identity provider and a service provider.
- Liberty Alliance: ID mapping across different domains. Complexity of multiple ID providers and of SAML.

Federated System Requirements
- Interoperate across organizational boundaries
- Utilize identity storage
- Manage security approaches, authentication and authorization
- Support different programming models
Within a federated system, security and privacy are critical:
- Identities and credentials are stored and managed separately
- Each member manages its own identities
- Members share and accept identities and credentials from other members' sources

NFV: Industry Momentum
(Figure.) Source: Network Functions Virtualisation white paper, Oct. 2012

Network Virtualization
Properties expected of a virtualized network (figure):
- Scalability
- Experimental
- Heterogeneity
- Isolation
- Programmability
- Manageability
- Legacy Support
- Deployment
- Convergence
- Flexibility
- Stability

NFV ID Management: Problems
- Threat model in a virtualized network environment? It needs to be defined; ideas may be borrowed from cloud computing.
- In a virtualized network there is no clear security boundary between distinct ID domains.
- Secure storage of IDs and credentials.
- A universally standardized authentication system across multiple domains.
- Trusted partnership.
- Operation isolation in a virtualized environment.

NFV ID Management: Requirements
- Authentication and Authorization: must support multi-domain scenarios; federated authentication, proxy and delegation; protect credentials (via centralized or distributed management).
- User Privacy: IDs (and credentials) may need unlinkability across domains; support anonymity as needed.
- Secure Storage: information leakage of permanent secrets shall be prevented.
- Extensibility: possibility of interworking with a larger range of service providers.

Requirements (cont.)
- Isolation and Robustness: compromise of one service shall not compromise the security of another service; compromise of an application server or of an external server shall not compromise the security of the whole system.
- Flexible Control for the Operator: operators control system-level security either by operating the system themselves or by contractual agreements with trusted partners.
- In a telecommunication network, operators rely on the HSS: interfaces should keep the complexity of the HSS low, and interacting with the HSS should not lead to HSS information leakage.

Example: SSO in 3GPP IMS
3GPP SA3 study item: SSO for IMS based on SIP or on GBA (3GPP TR 33.804 and TR 33.980).
Reference architecture shown on the slide:
- UE to the IM Subsystem (IMS) over Gm; IMS authentication uses IMS AKA; S-CSCF to SIP AS over ISC; S-CSCF to HSS over Cx.
- UE to the BSF (GBA subsystem) over Ub; BSF to HSS over Zh.
- UE to the IdP/NAF over Ua; IdP/NAF to BSF over Zn.
- IdP/NAF to the service provider (SP) via Liberty Alliance interworking.
Open questions for NFV:
- NFV may work on a new architecture.
- Consider a new framework not based on IMS or GBA?
- Security of the virtualized network.
IMS: IP Multimedia Subsystem; SIP: Session Initiation Protocol; GBA: Generic Bootstrapping Architecture; BSF: Bootstrapping Server Function; NAF: Network Application Function.
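Added example, not part of the slides and not 3GPP's own code: a walk-through of the GBA_ME key derivation (3GPP TS 33.220, Annex B) behind the Ub/Zn/Ua interfaces in the figure, showing how it meets the isolation requirement of the previous slide. The BSF keeps Ks and hands each NAF only its own Ks_NAF, which is bound to that NAF's identity; a compromised NAF therefore holds nothing usable at another NAF. CK, IK, RAND, IMPI, the NAF FQDNs and the Ua protocol identifier are constructed values, and the HMAC "Ua proof" is a stand-in for the real Ua protocol (HTTP Digest or PSK-TLS keyed with Ks_NAF).

```python
import hashlib
import hmac

# TS 33.220 Annex B KDF: derived key = HMAC-SHA-256(Key, S) where
# S = FC || P0 || L0 || P1 || L1 || ... || Pn || Ln, FC = 0x01 for GBA and
# each Li is the two-octet big-endian length of Pi.
FC_GBA = b"\x01"


def gba_kdf(key: bytes, *params: bytes) -> bytes:
    s = FC_GBA
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def make_naf_id(fqdn: str, ua_protocol_id: bytes) -> bytes:
    """NAF_Id = NAF FQDN || Ua security protocol identifier (five octets)."""
    return fqdn.encode() + ua_protocol_id


def derive_ks_naf(ks: bytes, rand: bytes, impi: str, naf_id: bytes) -> bytes:
    """Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id), with Ks = CK || IK (GBA_ME)."""
    return gba_kdf(ks, b"gba-me", rand, impi.encode(), naf_id)


class BSF:
    """Bootstrapping Server Function. After AKA with the UE (authentication
    vectors fetched from the HSS over Zh) it holds Ks, and over Zn it hands a
    NAF only that NAF's key; Ks itself never leaves the BSF."""

    def __init__(self) -> None:
        self._sessions: dict[str, tuple[bytes, bytes, str]] = {}

    def bootstrap(self, impi: str, ck: bytes, ik: bytes, rand: bytes) -> str:
        # Real B-TID is base64(RAND)@bsf-fqdn; hex is used here for readability.
        btid = f"{rand.hex()}@bsf.example.net"  # constructed BSF FQDN
        self._sessions[btid] = (ck + ik, rand, impi)
        return btid

    def zn_key_for_naf(self, btid: str, naf_id: bytes) -> bytes:
        ks, rand, impi = self._sessions[btid]
        return derive_ks_naf(ks, rand, impi, naf_id)


def ua_proof(ks_naf: bytes, challenge: bytes) -> bytes:
    """Toy Ua step: the UE proves possession of Ks_NAF to the NAF."""
    return hmac.new(ks_naf, challenge, hashlib.sha256).digest()


def naf_verify(ks_naf: bytes, challenge: bytes, proof: bytes) -> bool:
    return hmac.compare_digest(ua_proof(ks_naf, challenge), proof)


# Constructed sample values; they are not test vectors from any 3GPP document.
IMPI = "user@ims.example.net"
CK = bytes.fromhex("00112233445566778899aabbccddeeff")
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")
RAND = bytes.fromhex("0123456789abcdef0123456789abcdef")
UA_PROTO_ID = b"\x01\x00\x00\x00\x02"  # illustrative Ua protocol identifier
NAF_A = make_naf_id("sso-a.example.net", UA_PROTO_ID)
NAF_B = make_naf_id("sso-b.example.net", UA_PROTO_ID)


def run_scenario() -> dict[str, bool]:
    bsf = BSF()
    btid = bsf.bootstrap(IMPI, CK, IK, RAND)              # Ub: bootstrapping
    ue_key_a = derive_ks_naf(CK + IK, RAND, IMPI, NAF_A)  # UE derives key for NAF A
    naf_a_key = bsf.zn_key_for_naf(btid, NAF_A)           # Zn: BSF -> NAF A
    naf_b_key = bsf.zn_key_for_naf(btid, NAF_B)           # Zn: BSF -> NAF B
    challenge = b"nonce-from-naf-b"                         # constructed
    ue_key_b = derive_ks_naf(CK + IK, RAND, IMPI, NAF_B)
    return {
        "ue_and_bsf_agree": ue_key_a == naf_a_key,
        "keys_are_naf_specific": naf_a_key != naf_b_key,
        # A compromised NAF A, holding only Ks_NAF for A, cannot pass as the UE at NAF B.
        "naf_a_key_rejected_by_naf_b": not naf_verify(
            naf_b_key, challenge, ua_proof(naf_a_key, challenge)),
        "genuine_ue_accepted_by_naf_b": naf_verify(
            naf_b_key, challenge, ua_proof(ue_key_b, challenge)),
    }
```

The point for the NFV discussion on the slide is the Zn boundary: whatever replaces the BSF in a virtualized deployment must keep Ks (and the HSS material behind it) inside the operator domain and expose only per-NAF keys, otherwise a single compromised virtual application server breaks every service bootstrapped from the same session.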

Service & Operator Cooperation
- An operator has an inherent advantage in managing user IDs.
- An Identity Server, backed by the HSS in the operator network, unifies IDs for OTT service providers (Service OTT A, B and C in the figure).
- SP and IdP share their IDs without jeopardizing security.
- In a virtualized network, the Identity Server may be further simplified.

Multi-factor Authentication
- Employ multi-factor authentication to enhance security.
- Example: Service A becomes available only when authentication succeeds from both the operator network (Identity Server backed by the HSS) and the user's Token A.
- SSO and multi-factor authentication for different service providers.
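Added example, not part of the slides: the service-side decision from the slide, written so that Service A opens only when the operator-network factor and the user-token factor both succeed for the same user. The operator factor is modelled as an assertion from the Identity Server authenticated with an HMAC key shared with the service (an assumption made for self-containment; a real deployment would use SAML or OpenID Connect with asymmetric signatures), and the user token is an RFC 6238 TOTP generator. The shared key, user name, clock value and service names are constructed; the TOTP secret is the RFC 6238 reference secret.

```python
import hashlib
import hmac
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA-1 and dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP: HOTP over the time counter floor(t / step)."""
    return hotp(secret, unix_time // step, digits)


class UserTokenVerifier:
    """User factor. Accepts a code from the current step or its neighbours and
    never accepts a counter at or below the last one used for that user, so a
    captured code cannot be replayed inside the acceptance window."""

    def __init__(self, secrets: dict[str, bytes], window: int = 1) -> None:
        self._secrets = secrets
        self._window = window
        self._last_counter: dict[str, int] = {}

    def verify(self, user: str, code: str, now: int) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        counter = now // 30
        for c in range(counter - self._window, counter + self._window + 1):
            if c <= self._last_counter.get(user, -1):
                continue
            if hmac.compare_digest(hotp(secret, c, 8), code):
                self._last_counter[user] = c
                return True
        return False


def issue_operator_assertion(idp_key: bytes, user: str, service: str,
                             expires_at: int) -> tuple[str, str]:
    """Operator factor: the Identity Server asserts that `user` authenticated on
    the operator network, for exactly one audience `service`, until `expires_at`."""
    payload = f"{user}|{service}|{expires_at}"
    tag = hmac.new(idp_key, payload.encode(), hashlib.sha256).hexdigest()
    return payload, tag


def verify_operator_assertion(idp_key: bytes, payload: str, tag: str,
                              service: str, now: int) -> Optional[str]:
    """Returns the asserted user when tag, audience and expiry all check out."""
    expected = hmac.new(idp_key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    parts = payload.split("|")
    if len(parts) != 3 or parts[1] != service or not parts[2].isdigit():
        return None
    if now >= int(parts[2]):
        return None
    return parts[0]


def grant_access(service: str, idp_key: bytes, assertion: tuple[str, str],
                 tokens: UserTokenVerifier, user_code: str, now: int) -> bool:
    """Service A is available only when both factors succeed for the same user."""
    payload, tag = assertion
    user = verify_operator_assertion(idp_key, payload, tag, service, now)
    if user is None:
        return False
    return tokens.verify(user, user_code, now)


IDP_KEY = b"constructed-key-shared-by-identity-server-and-service"
USER_SECRET = b"12345678901234567890"  # RFC 6238 reference secret for SHA-1
USER = "alice@operator.example.net"     # constructed
NOW = 1_700_000_000                     # fixed clock so the run is reproducible


def demo_decisions() -> dict[str, bool]:
    tokens = UserTokenVerifier({USER: USER_SECRET})
    good = issue_operator_assertion(IDP_KEY, USER, "service-A", NOW + 60)
    for_other = issue_operator_assertion(IDP_KEY, USER, "service-B", NOW + 60)
    expired = issue_operator_assertion(IDP_KEY, USER, "service-A", NOW - 1)
    code = totp(USER_SECRET, NOW)
    stale_code = totp(USER_SECRET, NOW - 3600)
    return {
        "both_factors": grant_access("service-A", IDP_KEY, good, tokens, code, NOW),
        "replayed_code": grant_access("service-A", IDP_KEY, good, tokens, code, NOW),
        "wrong_audience": grant_access("service-A", IDP_KEY, for_other, tokens, code, NOW),
        "expired_assertion": grant_access("service-A", IDP_KEY, expired, tokens, code, NOW),
        "stale_code": grant_access("service-A", IDP_KEY, good, tokens, stale_code, NOW),
    }
```

Two details matter for the SSO-across-providers case on the slide: the assertion names a single audience, so an assertion minted for Service B is useless at Service A even though the Identity Server is shared, and the token verifier records the last accepted counter per user, so a code observed during one login cannot be reused at another service within the same time step.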

Standardization Challenges
To advance standardization of federated ID management with future network virtualization in mind, one needs to check:
- Existing standards and frameworks
- Which standardization organization to enroll with
- The threat model of federated ID management in NV, which must be defined and clarified; a detailed security analysis is needed

Conclusion and Future Work
- Problems and requirements of federated ID management in NV.
- Co-operation between operators and service providers is needed to extend the capability of ID management.
- Security mechanisms in NV need to be carefully re-considered, including the threat model and the authentication mechanisms.

Thank You!
Yang Cui and Kostas Pentikousis
cuiyang@huawei.com, k.pentikousis@huawei.com