A smart card based solution for user-centric identity management (PowerPoint presentation)


SLIDE 1

A smart card based solution for user- centric identity management

Jan Vossaert, Researcher at KaHo Sint-Lieven, Affiliated Researcher at KULeuven

SLIDE 2

Overview

  • Introduction
  • Approach
  • Overview of the architecture
  • Protocols
  • Implementation details
  • Evaluation
  • Future work

SLIDE 3

Introduction

  • Traditional mechanisms for authentication
    – Password based solutions
    – X.509 certificates
  • Drawbacks
    – Token management
    – Mobility of tokens
    – Personalized services

SLIDE 4

Introduction

  • Solutions

– Federated identity management systems

  • Increased usability
  • No (or limited) user control
  • Identity provider can profile users
  • Web based
  • One identity provider
  • User impersonization
  • Weak login procedures

SLIDE 5

Introduction

  • Solutions

– Electronic identity technology

  • Increased mobility
  • No (or limited) user control
  • Only immutable attributes
  • Security versus scalability

SLIDE 6

Introduction

  • Challenges
    – Increased flexibility
      • Mutable attributes
      • Multiple identity providers
    – User control
      • Personalisation
    – Online and offline services
      • Feasible revocation strategy

SLIDE 7

Approach

  • Secure element is mediator between
    – Identity providers
    – Service providers
  • Access to attributes controlled by
    – External authorities: certificates
    – User: personalized policies at the card

(Figure: the secure element sits between service provider SPi and identity provider IDX.)

SLIDE 8

Approach

  • Privacy properties

– No profiling

  • by identity providers
  • by collaborating service providers

– Access control to personal information

  • by audit authorities
  • by user

– No user impersonization

SLIDE 9

Overview of the architecture

(Figure: architecture overview. Service providers SPi, SPj, SPk, SPl, SPm and identity providers IDX, IDY, IDZ talk to the card through its trusted module; supporting services are the (re)validation service, the certification authority, the audit service and the deanonymization service. The card holds (personalized) policies, cached attributes, keys and certificates, lastValTime, the service request handler, PIN based access control and the time handler; the user provides consent and personalisation.)

SLIDE 10

Overview of the architecture

  • Service provider certificate
    – Keeps a list of access rights approved by audit authority
    – Keeps a list of trusted identity provider (groups)
  • Identity provider certificate
    – Keeps a list of access rights
  • Public keys of root CAs are placed at the card

SLIDE 11

Protocols

  • Card issuance
    – Common secret keypair
      • Prevents profiling
    – Card specific pseudonym
      • Used to generate service specific pseudonyms
  • Card revalidation
    – Mutual authentication
    – Card releases chip number
      • IF stillValid THEN update lastValTime ELSE block_card

SLIDE 12

Protocols

  • Mutual authentication
    – Mutual key agreement protocol
    – SP → CARD
      • lastValTime used to check validity of SP certificate
      • Short-lived server certificates
    – CARD → SP
      • Proves to be genuine
      • lastValTime > accValTime
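The revalidation rule of slide 11 and the two lastValTime checks of slide 12 are easiest to see in a small simulation. The block below is an added example, not code from the slides or from the Java Card prototype; the class and function names, the timeline in seconds and the certificate fields are assumptions. It models a card that has no clock (slide 15) and therefore uses lastValTime, the timestamp of its last successful revalidation, as its only lower bound on the current time.

```python
from dataclasses import dataclass

# Constructed simulation of the card's Time Handler (slides 11 and 12).
# Names are assumptions for this example, not the prototype's API.


@dataclass
class SPCertificate:
    subject: str
    not_after: int  # expiry as seconds since epoch; short-lived (slide 12)


class CardTimeHandler:
    def __init__(self, last_val_time: int):
        self.last_val_time = last_val_time  # set at issuance / last revalidation
        self.blocked = False

    def revalidate(self, still_valid: bool, val_time: int) -> bool:
        """Card revalidation (slide 11): after mutual authentication with the
        revalidation service the card learns whether it is still valid.
        IF stillValid THEN update lastValTime ELSE block_card."""
        if self.blocked:
            return False
        if not still_valid:
            self.blocked = True
            return False
        # lastValTime only moves forward: a replayed older response must not
        # roll the card back to a time at which an expired certificate looks valid.
        if val_time > self.last_val_time:
            self.last_val_time = val_time
        return True

    def accepts_sp_certificate(self, cert: SPCertificate) -> bool:
        """SP -> CARD (slide 12): lastValTime is a lower bound on real time, so a
        certificate that had already expired at the last revalidation is certainly
        invalid. A certificate that expired after lastValTime cannot be detected by
        the card itself; that is why SP certificates are short-lived and why the SP
        in turn demands a recent revalidation (sp_accepts_card below)."""
        if self.blocked:
            return False
        return cert.not_after > self.last_val_time


def sp_accepts_card(last_val_time: int, acc_val_time: int) -> bool:
    """CARD -> SP (slide 12): besides proving it is genuine, the card shows
    lastValTime > accValTime, i.e. it was revalidated after the oldest
    validation time this service provider is willing to accept."""
    return last_val_time > acc_val_time


def demo() -> dict:
    # Constructed timeline: card revalidated at t=1000, then again at t=2000.
    card = CardTimeHandler(last_val_time=1000)
    card.revalidate(True, 2000)
    fresh = SPCertificate("sp-shop", not_after=2600)
    stale = SPCertificate("sp-old", not_after=1800)
    return {
        "fresh_cert_ok": card.accepts_sp_certificate(fresh),      # True
        "stale_cert_ok": card.accepts_sp_certificate(stale),      # False
        "sp_accepts": sp_accepts_card(card.last_val_time, 1500),  # True
    }
```

The two checks are complementary: the card can only reject certificates that were already expired at its last revalidation, so the service provider's accValTime bounds how stale the card's view of time may be, and short certificate lifetimes bound the damage of a revoked server key.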

SLIDE 13

Protocols

  • Access to (personalized) services

(Figure: protocol flow between service provider SPi, the card and identity providers IDX, IDY, IDZ. The card holds (personalized) policies, cached attributes, lastValTime and the service request handler. Steps: (1) mutual auth.; (2) attribute_query with Cert_SP; (3) verify policy; (4) Attr query; (5) PIN; (6) collect attributes; (7) release_attr's; the figure also labels Cert_P.)

    – (Personalized) policies
      • maxRights
      • retention times for cached attributes
      • acceptable identity providers
      • ...

SLIDE 14

Protocols

  • Access to personalized services
    – Special attribute → service specific pseudonym
      • nymIP = Hash(secret||CertSP.subject)
    – Deanonymization
      • Releasing encrypted attributes
      • Can be decrypted by TTP
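Slides 13 and 14 together describe what the card's service request handler decides in step (3) and releases in step (7): every requested attribute is checked against the audit-approved rights in the SP certificate, the user's own maxRights, the trust level the user assigned to the SP versus the sensitivity of the attribute (slide 18), and the identity provider that certifies it; the special pseudonym attribute is derived as Hash(secret||CertSP.subject). The block below is an added example for both slides, not code from the presentation or the prototype; class names, field names, the denial reasons, the use of SHA-256 as the hash and all sample values are assumptions.

```python
import hashlib
from dataclasses import dataclass

# Constructed card-side service request handler (slides 13, 14 and 18).
# All names and sample values are assumptions for this example.

NYM = "nym"  # special attribute that yields the service specific pseudonym


@dataclass(frozen=True)
class SPCertificate:
    subject: str
    access_rights: frozenset  # attribute ids approved by the audit authority
    trusted_idps: frozenset   # identity providers (groups) the SP trusts


@dataclass
class UserPolicy:
    max_rights: frozenset      # attributes the user lets leave the card at all
    sp_trust: dict             # SP subject -> trust level; unknown SPs get 0
    sensitivity: dict          # attribute id -> sensitivity level; default 0
    acceptable_idps: frozenset # identity providers the user accepts


@dataclass
class Card:
    secret: bytes       # card specific secret (slide 11)
    policy: UserPolicy
    attribute_idp: dict # attribute id -> identity provider certifying it (slide 18)

    def service_pseudonym(self, sp_subject: str) -> str:
        # nym = Hash(secret || CertSP.subject): stable for one (card, SP) pair,
        # unlinkable across SPs because the secret never leaves the card.
        return hashlib.sha256(self.secret + sp_subject.encode()).hexdigest()

    def verify_policy(self, cert: SPCertificate, query: set) -> tuple:
        """Step (3): returns (granted attribute ids, {attribute: reason denied})."""
        granted, denied = set(), {}
        trust = self.policy.sp_trust.get(cert.subject, 0)
        for attr in sorted(query):
            idp = self.attribute_idp.get(attr)
            if attr not in cert.access_rights:
                denied[attr] = "not in SP certificate (audit authority)"
            elif attr not in self.policy.max_rights:
                denied[attr] = "exceeds user maxRights"
            elif self.policy.sensitivity.get(attr, 0) > trust:
                denied[attr] = "sensitivity above trust level of SP"
            elif attr != NYM and idp not in cert.trusted_idps:
                denied[attr] = "identity provider not trusted by SP"
            elif attr != NYM and idp not in self.policy.acceptable_idps:
                denied[attr] = "identity provider not acceptable to user"
            else:
                granted.add(attr)
        return granted, denied

    def release(self, cert: SPCertificate, query: set, pin_ok: bool, fetched: dict) -> dict:
        """Steps (5)-(7): PIN gate, then release. `fetched` holds the values
        collected from identity providers in step (6)."""
        if not pin_ok:
            return {}
        granted, _ = self.verify_policy(cert, query)
        out = {}
        for attr in granted:
            if attr == NYM:
                out[attr] = self.service_pseudonym(cert.subject)
            elif attr in fetched:
                out[attr] = fetched[attr]
        return out


def make_card() -> Card:
    # Constructed sample card: the user trusts sp-shop at level 1 only.
    policy = UserPolicy(
        max_rights=frozenset({"name", "dob", NYM}),
        sp_trust={"sp-shop": 1},
        sensitivity={"name": 1, "dob": 2},
        acceptable_idps=frozenset({"gov", "bank"}),
    )
    return Card(b"constructed-card-secret-0001", policy,
                {"name": "gov", "dob": "gov", "email": "bank"})
```

With this policy a query from sp-shop for name, dob, email and the pseudonym yields only name and the pseudonym: dob is too sensitive for a level-1 SP and email is not in the SP's audit-approved rights; an SP the user never rated gets nothing but the pseudonym.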

SLIDE 15

Implementation details

  • Prototype on Gemalto TOP IM GX4 smart card
    – Java Card 2.2.1
    – Performance constraints
    – No clock
    – Authorisation
      • PIN based

SLIDE 16

Implementation details

  • Certificates
    – Standard X509 certificates
      • Authentication towards providers
      • Obtain derived card verifiable certificates
    – Custom card verifiable certificates
      • Trusted providers
      • Attribute ID list/Level of assurance

SLIDE 17

Implementation details

  • Memory management
    – No garbage collection
    – Cached attributes
      • Value/retention time/LOA/last time of use/identity provider/…
      • Fixed set of byte arrays with variable length
      • Least recently used update policy
    – Static memory configuration
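The memory model of slide 17 is what shapes the attribute cache: without a garbage collector every slot is allocated once at install time as a fixed-size byte array with a length field, lookups honour the retention time, and a full cache evicts the least recently used entry. The block below is an added Python simulation of that cache, not the Java Card prototype's code; the slot layout, the slot size, the field names and the sample values are assumptions. Because the card has no clock, "now" in this example is lastValTime, exactly as the previous slides use it.

```python
# Constructed simulation of the cached-attribute store of slide 17.
# Names, slot size and sample values are assumptions for this example.

VALUE_LEN = 32  # bytes reserved per slot (assumed static configuration)


class Slot:
    """One statically allocated slot: a fixed byte array plus metadata."""

    def __init__(self):
        self.value = bytearray(VALUE_LEN)  # allocated once, never reallocated
        self.length = 0                    # bytes of `value` actually in use
        self.used = False
        self.attr_id = 0
        self.idp = ""                      # identity provider that certified it
        self.loa = 0                       # level of assurance
        self.retention_until = 0           # must not be used after this time
        self.last_used = 0                 # for the LRU update policy


class AttributeCache:
    def __init__(self, n_slots: int):
        # No garbage collection: all slots exist for the lifetime of the applet.
        self.slots = [Slot() for _ in range(n_slots)]

    def lookup(self, attr_id: int, now: int):
        """Return the cached value or None; `now` is lastValTime. An entry whose
        retention time has passed is freed and treated as a miss, so the handler
        must fetch it again from its identity provider."""
        for s in self.slots:
            if s.used and s.attr_id == attr_id:
                if s.retention_until < now:
                    s.used = False
                    return None
                s.last_used = now
                return bytes(s.value[:s.length])
        return None

    def store(self, attr_id: int, idp: str, loa: int, value: bytes,
              retention_until: int, now: int) -> int:
        """Write an attribute into a slot and return the slot index."""
        if len(value) > VALUE_LEN:
            raise ValueError("value does not fit the static slot size")
        s = self._pick_slot(attr_id)
        s.attr_id, s.idp, s.loa = attr_id, idp, loa
        s.value[:len(value)] = value   # copy into the existing array
        s.length = len(value)
        s.retention_until, s.last_used, s.used = retention_until, now, True
        return self.slots.index(s)

    def _pick_slot(self, attr_id: int) -> Slot:
        # Same attribute already cached -> overwrite; else a free slot;
        # else the least recently used entry (slide 17 update policy).
        for s in self.slots:
            if s.used and s.attr_id == attr_id:
                return s
        for s in self.slots:
            if not s.used:
                return s
        return min(self.slots, key=lambda s: s.last_used)
```

The retention check happens on read rather than by a background sweep because the card only learns the time when it is revalidated; clearing the `used` flag instead of freeing memory is the only kind of "deletion" the static layout allows.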

SLIDE 18

Implementation details

  • Release attributes
    – Cached attributes
    – Attribute → identity provider
  • Personalization policies
    – Update policy based on PIN
    – Select cached attributes (persistent attributes)
    – Assign trust level to service providers
    – Assign sensitivity level to attributes

SLIDE 19

Evaluation

  • Trust properties
    – Card issuer knows common key pair BUT card-specific secret is not known by card issuer
    – Trust in workstation for user interaction BUT implementation in SIM possible
  • Scalability & flexibility
    – Clear separation of duties
    – Representatives for set of identity providers
    – Flexible revocation strategy

SLIDE 20

Evaluation

  • Controlled release of attributes
    – Access control at multiple levels
      • certificates, user policies, user consent
    – Limited value of attributes to SP
    – Proving properties of attributes
    – Encrypted attributes → accountability measures
  • Performance
    – 2 identity providers: 3461 ms
    – 1 identity provider: 2287 ms
    – 0 identity providers: 1110 ms

SLIDE 21

Future work

  • Building concrete services and identity providers
  • Integration in Web applications
  • Fine-grained access policies
  • From smart card to SIM, dedicated module, ...
  • Accurate performance results
