Federated Identity Management and Network Virtualization
Yang Cui and Kostas Pentikousis
3rd ETSI Future Networks Workshop, 10 April 2013, Sophia Antipolis, France
The opinions expressed in this presentation are those of the authors and do not necessarily represent the views of Huawei Technologies Co., Ltd.
Talk Outline
- Federated ID Management Today
- Towards Network Virtualization
- Problems and Requirements
- Service and Operator Co-operation
- Single Sign-On (SSO) in Network Virtualization
- Multi-factor Authentication
- Standardization Challenges
Federated ID Management Today
- Single Sign-On (SSO): a centralized authentication server. Reduces costs and makes the user's life easier, but the central authentication server becomes a highly critical component that must itself be strongly secured. 3GPP SA3 study item TR 33.804: SSO for IMS.
- OpenID: a URI serves as the federated ID. No central Certification Authority (CA), hence low trust and security levels.
- Security Assertion Markup Language (SAML): XML-based open-standard data format for exchanging authentication data between an identity provider and a service provider.
- Liberty Alliance: ID mapping across different domains; complexity of multiple ID providers and SAML.
Federated System Requirements
- Interoperate across organizational boundaries
- Utilize identity storage
- Manage security approaches, authentication and authorization
- Support different programming models
- Within a federated system, security and privacy are critical: identities/credentials are stored and managed separately; each member manages its own identities and shares and accepts identities and credentials from other members' sources
NFV: Industry Momentum
[Figure: NFV industry momentum. Source: Network Functions Virtualisation (White Paper, Oct. 2012)]
Network Virtualization
Properties listed on the slide: Scalability, Experimental Heterogeneity, Isolation, Programmability, Manageability, Legacy Support, Deployment, Convergence, Flexibility, Stability
NFV ID Management: Problems
- Threat model in a virtualized network environment: still needs to be defined; may borrow ideas from cloud computing
- Virtualized network: no clear security boundary between distinct ID domains
- ID/credential secure storage
- Universally standardized authentication system across multiple domains
- Trusted partnership
- Operation isolation in a virtualized environment
NFV ID Management: Requirements
- Authentication and Authorization: need to support multi-domain scenarios; federated authentication, proxy and delegation; protect credentials (via centralized or distributed management)
- User Privacy: IDs (and credentials) may need unlinkability across domains; support anonymity as needed
- Secure Storage: information leakage of permanent secrets shall be prevented
- Extensibility: possibility of interworking with a larger range of service providers
Requirements (cont.)
- Isolation and Robustness: compromise of one service shall not compromise the security of another service; compromise of an application server or an external server shall not compromise the security of the whole system
- Flexible Control for the Operator: control system-level security either by operating the system themselves or by contractual agreements with trusted partners. In a telecommunication network, operators use the HSS (Home Subscriber Server); interfaces should keep the complexity of the HSS low, and interacting with the HSS should not lead to HSS information leakage
Example: SSO in 3GPP IMS
- 3GPP SA3 study item: SSO for IMS based on SIP or GBA (3GPP TR 33.804 and TR 33.980)
- NFV may work on a new architecture: consider a new framework not based on IMS or GBA? Security of the virtualized network
[Figure: UE, SP, the IP Multimedia Subsystem (S-CSCF, SIP AS over ISC, HSS over Cx; UE attached over Gm; authentication using IMS AKA) and the GBA subsystem (BSF reached over Ub, BSF to HSS over Zh, IdP/NAF reached over Ua and talking to the BSF over Zn); Liberty Alliance interworking at the IdP/NAF]
Abbreviations: IMS: IP Multimedia Subsystem; SIP: Session Initiation Protocol; GBA: Generic Bootstrapping Architecture; BSF: Bootstrapping Server Function; NAF: Network Application Function
Service & Operator Cooperation
- An operator has an inherent advantage in managing user IDs
- An identity server in the operator network (backed by the HSS) unifies IDs for OTT service providers (Service OTT A, B, C)
- SP and IdP share their IDs without jeopardizing security
- In a virtualized network, the identity server may be further simplified
[Figure: the user reaches Service OTT A, B and C through the operator network, which hosts the HSS and the identity server]
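The requirements on the two preceding slides (unlinkable IDs across domains, no leakage of permanent secrets, compromise of one service not compromising another) and the operator-run identity server on this slide can be illustrated together. The following is an added example, not code from the presentation or from Huawei: a simplified operator identity server that derives a different pseudonym and a different shared key per service provider from one master secret, using HMAC-SHA256 with domain-separation labels in place of a full HKDF. The master secret, the subscriber identifier, the SP names (`ott-a.example`, `ott-b.example`) and the assertion format are all constructed for the example.

```python
import hashlib
import hmac

# Constructed master secret of the operator's identity server (assumption:
# in practice it lives in an HSM or secure store and is never exported).
OPERATOR_MASTER_SECRET = hashlib.sha256(b"constructed-master-secret").digest()


def _kdf(secret: bytes, label: bytes, *context: bytes) -> bytes:
    """HMAC-SHA256 keyed derivation with a label and NUL-separated context
    (simplified HKDF-style expansion; labels keep pseudonyms and keys apart)."""
    msg = label + b"".join(b"\x00" + part for part in context)
    return hmac.new(secret, msg, hashlib.sha256).digest()


def pairwise_pseudonym(master: bytes, permanent_id: str, sp_id: str) -> str:
    """Pseudonym seen by one SP: stable for (subscriber, SP), but two SPs
    cannot link their pseudonyms for the same subscriber without the master."""
    return _kdf(master, b"pseudonym", sp_id.encode(), permanent_id.encode()).hex()[:32]


def sp_shared_key(master: bytes, sp_id: str) -> bytes:
    """Per-SP key handed to that SP under contract; leaking it affects only that SP."""
    return _kdf(master, b"sp-key", sp_id.encode())


def issue_assertion(master: bytes, permanent_id: str, sp_id: str, now: int, ttl: int = 300) -> dict:
    """Operator-side: authenticate the subscriber (out of scope here) and issue a
    short-lived assertion bound to one SP, carrying only the pairwise pseudonym."""
    pseudonym = pairwise_pseudonym(master, permanent_id, sp_id)
    expires = now + ttl
    payload = f"{pseudonym}|{sp_id}|{expires}".encode()
    tag = hmac.new(sp_shared_key(master, sp_id), payload, hashlib.sha256).hexdigest()
    return {"sub": pseudonym, "aud": sp_id, "exp": expires, "tag": tag}


def verify_assertion(sp_key: bytes, sp_id: str, assertion: dict, now: int) -> bool:
    """SP-side: accept only assertions addressed to this SP, unexpired, with a valid tag."""
    if assertion.get("aud") != sp_id or now >= int(assertion.get("exp", 0)):
        return False
    payload = f"{assertion['sub']}|{assertion['aud']}|{assertion['exp']}".encode()
    expected = hmac.new(sp_key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["tag"])


def demo() -> dict:
    """Check the properties the slides ask for; every value should be True."""
    master = OPERATOR_MASTER_SECRET
    permanent_id = "IMSI-constructed-000000001"   # constructed subscriber identifier
    now = 1_700_000_000
    a = issue_assertion(master, permanent_id, "ott-a.example", now)
    b = issue_assertion(master, permanent_id, "ott-b.example", now)
    key_a = sp_shared_key(master, "ott-a.example")
    return {
        # User privacy: the two SPs see unlinkable identifiers for the same subscriber.
        "unlinkable_across_domains": a["sub"] != b["sub"],
        # Secure storage: the permanent identifier never leaves the operator.
        "permanent_id_not_exposed": permanent_id not in repr(a) + repr(b),
        # Normal case: SP A accepts its own assertion.
        "sp_a_accepts_own": verify_assertion(key_a, "ott-a.example", a, now),
        # Isolation: SP A's key cannot validate (or forge) assertions for SP B.
        "sp_a_key_rejects_sp_b": not verify_assertion(key_a, "ott-b.example", b, now),
        # Audience binding: an assertion for SP B replayed at SP A is rejected.
        "replay_to_other_sp_rejected": not verify_assertion(key_a, "ott-a.example", b, now),
        # Freshness: expired assertions are rejected.
        "expired_rejected": not verify_assertion(key_a, "ott-a.example", a, now + 301),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The design point is that the SP never holds anything from which another SP's key or the subscriber's permanent identity can be computed; the operator keeps the single secret that links the domains, which is exactly the "inherent advantage" the slide attributes to the operator and also why the HSS-facing interface must stay narrow.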
Multi-factor Authentication
- Employ multi-factor authentication to enhance security
- Example: Service A becomes available only when authentication succeeds from both the operator network and the user's token (Token A)
- SSO and multi-factor authentication for different service providers
[Figure: same layout as the previous slide, with a user-held Token A added for Service OTT A]
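The policy on this slide, Service A granting access only when both the operator-network factor and the user-token factor succeed, as an added example that is not part of the presentation. The user token is modelled as a TOTP generator (RFC 6238, HMAC-SHA1, 30-second step, 6 digits) and the operator-network factor as an HMAC-tagged assertion over a key the operator shares with Service A by contract; the assertion format, the key and the subscriber pseudonym are constructed for the example. The TOTP secret is the RFC 4226/6238 test secret, so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), used only so
# the generated codes match the published test vectors.
RFC6238_TEST_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(key, int(unix_time) // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps (clock skew).
    All candidates are checked so timing does not reveal which one matched."""
    counter = int(unix_time) // step
    matched = False
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c), code):
            matched = True
    return matched


def operator_sign(op_sp_key: bytes, pseudonym: str, exp: int) -> dict:
    """Operator network: assert that the subscriber was authenticated on the network.
    (Constructed format: pseudonym, expiry and an HMAC-SHA256 tag under the
    operator/Service A shared key.)"""
    tag = hmac.new(op_sp_key, f"{pseudonym}|{exp}".encode(), hashlib.sha256).hexdigest()
    return {"sub": pseudonym, "exp": exp, "tag": tag}


def verify_operator_auth(op_sp_key: bytes, assertion: dict, now: int) -> bool:
    if now >= int(assertion.get("exp", 0)):
        return False
    expected = hmac.new(op_sp_key, f"{assertion['sub']}|{assertion['exp']}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion.get("tag", ""))


def authorize_service_a(op_sp_key: bytes, assertion: dict,
                        user_totp_key: bytes, user_code: str, now: int) -> tuple:
    """Service A's decision: both factors must succeed. Returns (granted, reason).
    The reason is for server-side logging; a client should only see a generic
    failure so an attacker cannot learn which factor it already satisfies."""
    network_ok = verify_operator_auth(op_sp_key, assertion, now)
    token_ok = verify_totp(user_totp_key, user_code, now)
    if network_ok and token_ok:
        return True, "granted"
    if not network_ok and not token_ok:
        return False, "both factors failed"
    return False, "user token factor failed" if network_ok else "operator network factor failed"


def demo() -> dict:
    """Walk through the four combinations; only valid+valid grants access."""
    op_sp_key = hashlib.sha256(b"constructed operator/service-a shared key").digest()
    now = 59                                   # RFC 6238 test time, counter 1
    assertion = operator_sign(op_sp_key, "pseudonym-for-service-a", now + 300)
    good_code = totp(RFC6238_TEST_SECRET, now)
    bad_assertion = dict(assertion, tag="00" * 32)
    return {
        "both_valid": authorize_service_a(op_sp_key, assertion, RFC6238_TEST_SECRET, good_code, now),
        "network_only": authorize_service_a(op_sp_key, assertion, RFC6238_TEST_SECRET, "000000", now),
        "token_only": authorize_service_a(op_sp_key, bad_assertion, RFC6238_TEST_SECRET, good_code, now),
        "neither": authorize_service_a(op_sp_key, bad_assertion, RFC6238_TEST_SECRET, "000000", now),
    }


if __name__ == "__main__":
    for case, (granted, reason) in demo().items():
        print(f"{case}: granted={granted} ({reason})")
```

Because the two factors are verified by Service A independently, a compromised operator assertion key does not by itself open the service, and a stolen token secret does not either, which is the isolation property the requirements slides ask for, applied at the SP rather than at the identity server.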
Standardization Challenges
To advance standardization for federated ID management, with consideration of future network virtualization, one may need to check:
- Existing standards and frameworks
- Which standardization organization to enroll with
- Definition and clarification of the threat model of federated ID management in NV
- Detailed security analysis is needed
Conclusion and Future Work
- Problems and requirements of federated ID management in NV
- Co-operation between operators and service providers is needed to extend the capability of ID management
- Security mechanisms in NV need to be carefully re-considered, including the threat model and the authentication mechanisms
Thank You!
Yang Cui and Kostas Pentikousis
cuiyang@huawei.com
k.pentikousis@huawei.com