
Federated Identity Management and Network Virtualization

Yang Cui and Kostas Pentikousis 3rd ETSI Future Networks Workshop

10 April 2013

Sophia Antipolis, France

The opinions expressed in this presentation are those of the authors and do not necessarily represent the views of Huawei Technologies Co., Ltd.

Talk Outline

• Federated ID Management Today

• Towards Network Virtualization

• Problems and Requirements

• Service Provider and Operator Co-operation

• Single Sign-On (SSO) in Network Virtualization

• Multi-factor Authentication

• Standardization Challenges


Federated ID Management Today

• Single Sign-On (SSO) – Centralized AUTH server

– Reduces costs and makes the user's life easier, but requires a highly critical AUTH server

– 3GPP SA3 study item – TR 33.804, SSO for IMS

• OpenID: URI as the federated ID

– No central Certification Authority (CA): low trust & security levels

• Security Assertion Markup Language (SAML) – XML-based open-standard data format

– Exchanges auth data between an identity provider and a service provider

• Liberty Alliance – ID mapping to different domains

– Complexity of multiple ID providers, SAML


Federated System Requirements

• Interoperate across organizational boundaries

• Utilize identity storage

• Manage security approaches, authentication and authorization

• Support different programming models

• Within a federated system, security and privacy are critical

– Identities/credentials are stored and managed separately

– Manage own identities

– Share and accept identities and credentials from other members' sources

NFV: Industry Momentum

Source: Network Functions Virtualisation (White Paper, Oct. 2012)

Network Virtualization

Figure (word cloud of network virtualization properties): Scalability, Experimental Heterogeneity, Isolation, Programmability, Manageability, Legacy Support, Deployment Flexibility, Convergence, Stability

NFV ID Management: Problems

• Threat model in a virtualized network environment?

– Needs to be defined

– May borrow ideas from cloud computing

• Virtualized Network

– No clear security boundary for distinct ID domains

– ID/credential secure storage

– Universally standardized authentication system across multiple domains

– Trusted partnership

– Operation isolation in a virtualized environment

NFV ID Management: Requirements

• Authentication and Authorization

– Need to support multi-domain scenarios

– Federated Authentication, Proxy and Delegation

– Protect credentials (via centralized or distributed management)

• User Privacy

– ID (and credentials) may need unlinkability across multiple domains

– Support anonymity as needed

• Secure Storage

– Information leakage of permanent secrets shall be prevented

• Extensibility

– Possibility of interworking with a larger range of service providers
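The unlinkability and secure-storage requirements above can be met together by having the IdP assert a different, keyed pseudonym to each service-provider domain. This is an added example, not code from the presentation; the key, user IDs and SP domains are constructed sample values.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed sample values: the IdP-only key, user IDs and SP domains below are
# assumptions for this example, not values from the presentation.
IDP_PSEUDONYM_KEY = b"constructed-idp-only-secret"  # never leaves the IdP


def pairwise_pseudonym(user_id: str, sp_domain: str,
                       key: bytes = IDP_PSEUDONYM_KEY) -> str:
    """Identifier the IdP asserts to sp_domain for user_id.

    Keyed HMAC over (domain, user): deterministic, so the same user gets the
    same pseudonym at the same SP and SSO still works, but one-way and
    domain-bound, so two SPs receive values they can neither link nor invert.
    """
    msg = sp_domain.encode() + b"\x00" + user_id.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_assertion(user_id: str, sp_domain: str) -> dict:
    """SAML-style assertion body as seen by the SP: only the pseudonym leaves
    the IdP, never the permanent (e.g. HSS-held) identity."""
    return {"audience": sp_domain,
            "subject": pairwise_pseudonym(user_id, sp_domain)}


def sps_can_link(assertion_a: dict, assertion_b: dict) -> bool:
    """What two colluding SPs can do: compare the subjects each received."""
    return assertion_a["subject"] == assertion_b["subject"]


def idp_resolve(subject: str, sp_domain: str,
                known_users: Iterable[str]) -> Optional[str]:
    """Only the IdP can map a pseudonym back to the account (for revocation
    or audit): it re-derives with its key and compares in constant time."""
    for uid in known_users:
        if hmac.compare_digest(pairwise_pseudonym(uid, sp_domain), subject):
            return uid
    return None
```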

Requirements (cont.)

• Isolation and Robustness

– Compromise of one service shall not compromise the security of another service

– Compromise of an application server or an external server shall not compromise the security of the whole system

• Flexible Control for the Operator

– Control system-level security either by operating the system themselves or by contractual agreements with trusted partners

• In a telecommunication network, operators use the HSS

– Interfaces should keep the complexity of the HSS low

– Interacting with the HSS should not lead to HSS information leakage

Example: SSO in 3GPP IMS

• 3GPP SA3 Study Item: SSO for IMS based on SIP or GBA

• NFV may work on a new architecture

• Consider a new framework not based on IMS or GBA?

• Security of the virtualized network

Figure: SSO in the IP Multimedia Subsystem (IMS) using IMS AKA, per 3GPP TR 33.804 & 33.980. Elements: UE, S-CSCF, HSS, SIP AS, GBA Subsystem (BSF, IdP/NAF) and a Liberty Alliance SP; reference points shown: Gm, Cx, Isc, Zh, Ub, Ua, Zn.

IMS: IP Multimedia Subsystem SIP: Session Initiation Protocol GBA: Generic Bootstrapping Architecture BSF: Bootstrapping Server Function NAF: Network Application Function

Service Provider & Operator Cooperation

Figure: User; Operator Network with HSS and Identity Server (Identity Provider); OTT A, OTT B and OTT C (Service Providers).

• Unify IDs for OTT service providers

• SP and IdP share their IDs w/o jeopardizing security

• In a virtualized network, the Identity Server may be further simplified

• An operator has an inherent advantage in managing user IDs

Multi-factor Authentication

Figure: as on the previous slide, with the User additionally holding Token A; Operator Network with HSS and Identity Server (Identity Provider); OTT A, OTT B and OTT C (Service Providers).

• Employ multi-factor authentication to enhance security

• Example: Service A becomes available only when AUTH succeeds from both the operator network and the user Token

• SSO and multi-factor AUTH for different service providers
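The Service A example above, as an added illustration that is not code from the presentation: Service A verifies an assertion from the operator network and a one-time code from the user's Token A, and grants access only when both independent checks pass. The shared key, token seed, service name and HMAC-based code construction are assumptions for this example.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample values (assumptions, not from the presentation): one key
# shared between the operator's identity server and Service A, one seed shared
# between the user's Token A and Service A.
OPERATOR_KEY = b"constructed-operator-network-key"
TOKEN_A_SEED = b"constructed-seed-for-token-a"
SERVICE_A = "service-a.example"
STEP = 30  # seconds per one-time-code window

def operator_assertion(user: str, service: str, expires: int,
                       key: bytes = OPERATOR_KEY) -> dict:
    """Factor 1: assertion the operator network issues for `service` once its
    own network-level AUTH of `user` (e.g. HSS-backed) has succeeded."""
    msg = f"{user}|{service}|{expires}".encode()
    return {"user": user, "audience": service, "expires": expires,
            "mac": hmac.new(key, msg, hashlib.sha256).hexdigest()}

def verify_operator_assertion(a: dict, now: int,
                              key: bytes = OPERATOR_KEY) -> bool:
    """Service A checks audience, expiry and the MAC (constant-time compare)."""
    msg = f"{a['user']}|{a['audience']}|{a['expires']}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return (a["audience"] == SERVICE_A and a["expires"] > now
            and hmac.compare_digest(expected, a["mac"]))

def token_code(seed: bytes, now: int) -> str:
    """Factor 2: HMAC-based one-time code produced by the user's Token A for
    the current time window (an HOTP/TOTP-style construction)."""
    counter = struct.pack(">Q", now // STEP)
    digest = hmac.new(seed, counter, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def verify_token(code: str, now: int, seed: bytes = TOKEN_A_SEED) -> bool:
    return hmac.compare_digest(token_code(seed, now), code)

def authorize_service_a(a: dict, code: str, now: Optional[int] = None) -> bool:
    """Service A becomes available only when BOTH factors succeed."""
    now = int(time.time()) if now is None else now
    return verify_operator_assertion(a, now) and verify_token(code, now)
```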

Standardization Challenges

• To advance standardization for federated ID management, with consideration of future network virtualization, one may need to check

– Existing standards and frameworks

– Which standardization organization to enroll with

– Definition and clarification of the threat model of federated ID management in NV

– A detailed security analysis, which is needed

Conclusion and Future Work

• Problems and requirements of federated ID management in NV

• Co-operation between operators and service providers is needed to extend the capability of ID management

• Security mechanisms in NV need to be carefully reconsidered, including the threat model and AUTH mechanisms

Thank You!

Yang Cui and Kostas Pentikousis [email protected]

[email protected]

The opinions expressed in this presentation are those of the authors and do not necessarily represent the views of Huawei Technologies Co., Ltd.