26 October 2003

DIDW: A physical key

The Sandström family from Espoo, Finland, found their neighbour smiling from their TV because they'd failed to change the default password on their receiver.

Devices are network endpoints too, so must have identities of their own. Nico Popp (from VeriSign), speaking at Digital ID World, suggested that a range of credentials - and perhaps combined credentials - is required. He also argued that it makes sense to embed existing authentication methods in devices (e.g. smart card technology or USB in mobile devices) and combine management of access to networks with access to the physical world.

And what he proposed was not just an authentication device but a device with file encryption and signature capabilities, a personal data vault (Flash RAM), and physical access (RFID) as well.

My notes from his DIDW talk follow...

Nico Popp, A Physical key for a digital world

Identity theft:

  • Threat network effect
  • Aim is to reduce the risk to that of physical theft (second factor)

Federated networks:

  • Strong SSO
  • Strong identity to address (third party) ‘trust’ issues - dependency, liability

Proliferation of devices (and rogue devices):

  • Not just people; devices are network endpoints too
  • Wi-Fi compounds the problem (no perimeter security)
  • Must give identity - and therefore access rules - to a device

What defines the strength of an identity?

  • Strong verification
  • Strong credentials
  • Identity service provider security policies and best practices
  • Identity provider reputation (audit and compliance)

Expensive to create, so economies of scale.

Universal strong authentication:

  • Increasing network interaction requires stronger authentication. Blurring of public and private networks, all converging to IP (wired & wireless)
  • Proliferation of devices
  • People and devices
  • Cheaper, better, everywhere (no more static passwords)

Must support a range of credentials, and perhaps combined credentials.

Embed existing authentication in devices (e.g. smart card technology or USB in mobile devices).

Offline and online (from web SSO to passport visas) - combine management of access to networks with access to the physical world.

Propagating strong credentials requires industry collaboration (between chip & device manufacturers; platform vendors, e.g. .NET; applications; integrators and customers).

Goals: ubiquity, interoperability, accessibility

Open technical blueprint:

  • Starting with a device: a flexible security device with combined authentication methods (OTP, PKI, SIM)
  • Common protocols framework: network access apps, business apps and software platforms (authentication protocols: EAP and WS protocols)
  • Unified validation and provisioning architecture – legacy integration (e.g. LDAP), unification, federation

Key concept 1: All-in-one devices

  • Multi-mode/multi-function devices (OTP-PKI-SIM mobile devices, smart cards and tokens)
  • Unplugged mode (one-time password)
  • Plugged mode (USB or otherwise)
  • Versatility use cases: Wi-Fi roaming (SIM), VPN (certificates)
  • Not just an authentication device – file encryption and signature capabilities, personal data vault (Flash RAM), physical access (RFID)

Key concept 2: 802.1X Everywhere

  • One architecture for both wireless and wired networks
  • One strong credential for every device (desktop, servers, printers)
  • One 802.1X client on every device
  • One protocol (EAP-TLS, because a certificate is the ‘natural’ device credential)

Access rule for the identity and device combination.
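To make the "one 802.1X client, one protocol" idea concrete, here is an added example (not from the talk or this post) of a wired endpoint such as a printer presenting a certificate as its device credential via EAP-TLS, written as a wpa_supplicant.conf; the identity, hostnames and file paths are assumptions.

```conf
# wpa_supplicant.conf for a wired endpoint doing IEEE 802.1X with EAP-TLS.
# Run with: wpa_supplicant -D wired -i eth0 -c /etc/wpa_supplicant/wpa_supplicant.conf
# All names and paths below are placeholders for this example.
ctrl_interface=/var/run/wpa_supplicant

# Wired port: no scanning, only EAPOL on the link
ap_scan=0

network={
    # Port-based 802.1X; no WPA key handshake on a wired port
    key_mgmt=IEEE8021X
    eapol_flags=0

    # One protocol for every device: the certificate is the device credential
    eap=TLS
    identity="printer-0042.example.net"

    # Device certificate and key issued by the organisation's device CA at
    # provisioning time (or embedded at manufacture). Restrict the key file
    # to root, since anyone who can read it can impersonate the device.
    client_cert="/etc/ssl/certs/device.pem"
    private_key="/etc/ssl/private/device.key"

    # Mutual authentication: without ca_cert the supplicant would accept any
    # RADIUS server certificate, so a rogue authenticator could pose as the
    # network. Pin the trusted CA and the expected server name.
    ca_cert="/etc/ssl/certs/device-ca.pem"
    domain_match="radius.example.net"
}
```

The authorisation half of the "access rule for identity and device" then lives on the RADIUS server, which maps the authenticated certificate subject (and, where present, the user) to the VLAN or ACL the port should get.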

Key concept 3: Built-in and activated on-demand

Device-embedded credentials and clients (at time of manufacture)

Universal strong authentication in the context of federated identity

Assume identity assertion interoperability gets solved:

  • Liberty/WS-Federation standard convergence
  • Technical bridges

Trust remains the key issue. Identity federation creates dependency and liability issues, and these drive the need for strong identities that can be shared.

Steps from identity management to federated identity management:

  1. Directory and identity management
  2. Strong identity – stronger credentials
  3. Best practices – security, ops and privacy best practices
  4. Certification, compliance, audit and identity security services

Posted at 12:45 PM in Identities for things
