Copyright 2005
Roger Clarke, Xamax Consultancy, Canberra
Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU
http://www.anu.edu.au/Roger.Clarke/......../DV/NatID-BC-0602 {.html,.ppt}
7th Annual Privacy & Security Conference, Victoria BC – 10 February 2006
(Id)entities Management and Nym Management
for People not of People
1. (Id)entities
[Diagram. Real World: Identity and Attributes. Abstract World: Identifier + Data-Items. Other labels: Names, Codes, Roles.]
[Diagram. Real World: Entity and Attributes; Identity and Attributes. Abstract World: Identifier + Data-Items.]
[Diagram. Real World: Entity and Attributes; Identity and Attributes. Abstract World: Entifier + Data-Items; Identifier + Data-Items.]
2. Identities Management
User Access Security for a Single Application
[Diagram labels: Application; Access Control.]
Single-Organisation Single-SignOn (aka Silo'd) Identity Management
[Diagram labels: Identity Management Service; The Internet; The Organisation’s Web-Sites.]
Multi-Organisation Single-SignOn Identity Management
[Diagram labels: Identity Management Service; The Internet; The Organisation’s Web-Sites.]
Federated Identity Management
[Diagram labels: Identity Management Services; The Internet; The Organisation’s Web-Sites.]
3. Identities Management for People not of People
Did you ever pause to consider that the expression ‘Identity Provider’ is Arrogant?
Countermeasures by Individuals
• Web-Forms can be filled with:
  • pre-recorded data
  • convenient data
  • pseudo-random data
  • ‘false’ data
• Personal data can be automatically varied for each remote service, in order to detect data leakage, e.g. spelling-variants, numerical anagrams
• Personal data can be automatically varied for the same remote service on successive occasions (to pollute the data-store and confuse the user profile)
• Users can exchange cookies, resulting in compound profiles rather than profiles that actually reflect an individual user's behaviour
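The per-service variation in the second bullet, as an added example that is not part of the original slides: each remote service receives its own spelling-variant of the name and numerical anagram of a number, so data that resurfaces elsewhere can be traced to the service it was given to. The class name, the HMAC-seeded selection, the secret and all sample values are assumptions constructed for this sketch.

```python
import hashlib
import hmac
from itertools import permutations, product
from string import ascii_uppercase

class LeakLedger:
    """Issues one distinct variant of a (name, number) pair per remote service."""

    def __init__(self, name: str, number: str, secret: bytes):
        first, last = name.split(" ", 1)
        # Spelling variants: a different middle initial per service.
        names = [f"{first} {c}. {last}" for c in ascii_uppercase]
        # Numerical anagrams: every distinct ordering of the digits.
        numbers = sorted({"".join(p) for p in permutations(number)})
        self._space = list(product(names, numbers))
        self._secret = secret
        self._by_variant = {}  # (name, number) -> service it was given to
        self._by_service = {}  # service -> (name, number)

    def issue(self, service: str):
        """Return the variant for `service`, allocating an unused one if needed."""
        if service in self._by_service:
            return self._by_service[service]
        # Keyed hash hides the choice; linear probing keeps variants unique.
        digest = hmac.new(self._secret, service.encode(), hashlib.sha256).digest()
        start = int.from_bytes(digest[:8], "big")
        for step in range(len(self._space)):
            variant = self._space[(start + step) % len(self._space)]
            if variant not in self._by_variant:
                self._by_variant[variant] = service
                self._by_service[service] = variant
                return variant
        raise RuntimeError("variant space exhausted")

    def attribute(self, name: str, number: str):
        """Map data seen in the wild back to the one service that received it."""
        return self._by_variant.get((name, number))


def demo():
    # Constructed sample data: the person, the number and the services are made up.
    ledger = LeakLedger("Alex Example", "4172", b"constructed-demo-secret")
    issued = {s: ledger.issue(s) for s in ("shop.example", "news.example", "bank.example")}
    seen_name, seen_number = issued["news.example"]  # e.g. quoted in unsolicited mail
    return issued, ledger.attribute(seen_name, seen_number)

if __name__ == "__main__":
    print(demo())
```

Because probing depends on which variants are already taken, the ledger has to be kept by the user (on their own device or proxy) for attribution to work later.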
Identity Management by a User-Selected Intermediary
[Diagram labels: The Internet; Identity Management Services; The Organisation’s Web-Sites.]
User-Device Identity Management
[Diagram labels: The Internet; The Organisation’s Web-Sites.]
User-Proxy Identity Management
[Diagram labels: The Internet; Identity Management Service; Handheld; The Organisation’s Web-Sites.]
The Multi-Mediated Super-Architecture
[Diagram labels: The Internet; Handheld; Identity Management Service; The Organisation’s Web-Sites. Layers shown:]
• Federated, Multi-Organisation Single-SignOn I.M.
• User-Selected Intermediary I.M.
• Own-Device and Own-Proxy I.M.
• Silo’d Single-Organisation Single-SignOn I.M.
4. Nym Management
(Id)entities
[Diagram. Real World: Entity and Attributes; Identity and Attributes. Abstract World: Entifier + Data-Items; Identifier + Data-Items.]
Nyms
[Diagram. Real World: Entity and Attributes; Identity and Attributes (shown twice). Abstract World: Record: Entifier + Data-Items; Record: Identifier + Data-Items; Record: Nym + Data-Items. The links between boxes carry cardinality labels 1, m and n.]
Nym
One or more attributes of an Identity (represented in transactions and records as one or more data-items) sufficient to distinguish that Identity from other instances of its class but not sufficient to enable association with a specific Entity
Pseudonym – association is not made, but possible
Anonym – association is not possible
Some Mainstream Nymous Transactions
• Barter transactions
• Visits to Enquiry Counters in government agencies and shops
• Inspection of publications on library premises
• Telephone Enquiries
• Access to Public Documents by electronic means, at a kiosk or over the Internet
• Cash Transactions, incl. the myriad daily payments for inexpensive goods and services, gambling and road-tolls
• Voting in secret ballots
• Treatment at discreet clinics, particularly for sexually transmitted diseases
Some Important Applications of Nymity
• Epidemiological Research (HIV/AIDS)
• Financial Exchanges, including dealing in commodities, stocks, shares, derivatives, and foreign currencies
• Nominee Trading and Ownership
• Banking Secrecy, incl. ‘Swiss’ / Austrian bank accounts
• Political Speech
• Artistic Speech
• Call Centres
• Counselling
• Phone-calls with CLI
• Internet Transactions
• 'Anonymous' re-mailers
• Chaumian eCash™
Common Uses for Nymity
• Criminal purposes
• Dissent and sedition
• Scurrilous rumour-mongering
• To avoid being found by people who wish to inflict physical harm (e.g. ex-criminal associates, religious zealots, over-enthusiastic fans, obsessive stalkers)
• To protect the sources of journalists, and whistle-blowers
• To avoid unjustified exposure of personal data
• To keep data out of the hands of marketing organisations
• To prevent government agencies using irrelevant and outdated information
Nymality
aka ('also-known-as'), alias, avatar, character, nickname, nom de guerre, nom de plume, manifestation, moniker, persona, personality, profile, pseudonym, pseudo-identifier, sobriquet, stage-name
Cyberspace has adopted, and spawned more:
account, alias, avatar, handle, nick, nickname, persona, personality
Effective Pseudonymity
The Necessary Protections
• Legal Protections
• Organisational Protections
• Technical Protections
• Over-ridability of Protections
  BUT subject to conditions being satisfied, esp.
  • collusion among multiple parties
  • legal authority
Privacy Enhancing Technologies (PETs)
• Counter-PITs
• Savage PETs
• Gentle PETs
• Pseudo-PETs
Savage PETs
Deny identity
Provide anonymity
Genuinely anonymous ('Mixmaster') remailers, web-surfing tools, ePayment mechanisms
Gentle PETs
Seek a balance between nymity and accountability through Protected Pseudonymity
6. Some Myths in the Authentication and Identity Management Arena
• That the only assertions that need to be authenticated are assertions of identity (fact, value, attribute, agency and location)
• That individuals only have one identity
• That identity and entity are the same thing
• That biometric identification:
  • works
  • is inevitable
  • doesn’t threaten freedoms
  • will help much
  • will help at all in counter-terrorism
Anonymity vs. Pseudonymity
• Anonymity precludes association of data or a transaction with a particular person
• Pseudonymity creates barriers to association of data or a transaction with a particular person
  The barriers are Legal, Organisational and Technical
  The barriers can be over-ridden
  BUT conditions apply and are enforced, including:
  • collusion among multiple parties
  • sanctions and enforcement
Pseudonymous Transactions
The Basic Principles
• Enable communications that do not require the client to identify themselves
• Conduct no authentication of identifiers, leaving clients free to choose their identifier
• Protect the organisation against default or malperformance by the client (by ensuring that transaction risk is borne by the client)
Pseudonymous Transactions
The Challenge of Continuity
• Needs for Continuity arise:
  • within the context of a transaction (e.g. repairs under warranty)
  • to associate successive transactions (e.g. loyalty discounts)
• Although the identifier is a pseudonym:
  • Authentication is unaffected
  • Customers are still Customers
Pseudonymous Transactions
The Challenge of Payments
• Anonymous Payment Schemes work, e.g. DigiCash, but they have not achieved the breakthrough
• Schemes based on Credit-Cards dominate
• Identified credit-card tx undermine pseudonymity
• Alternatives:
  • sponsor anonymous payments mechanisms
  • separate payment aspects of transactions from the ordering and fulfilment aspects
Pseudonymous Transactions
Potential Conflicts
• Customer Relationship Management
• 'Know Your Customer' Policies where organisations have become part of the national security machinery
• To perform their business functions effectively, organisations need to balance many interests, not simply succumb