
D3.1: Overview on IMS


iManager – Identity Manager for Partial Identities

 

iManager is an identity manager for mobile users: it supports the user in communicating securely, in managing his partial identities, and consequently in protecting his privacy. It is a client-side identity manager, i.e. it runs on the user's mobile device, and can be classified as a type 3 IMS.

This section describes the term partial identity and the architecture of the iManager. A more detailed description of the iManager and its use is given in [Ger03a] by means of an example scenario: buying an electronic railway ticket and presenting it for inspection.

 

Identity Management with Partial Identities

 

Every person has an identity. This identity comprises the person's roles: when using government services a person is well known, whereas when shopping he is almost anonymous. These situation-dependent views of the identity are represented by partial identities. A partial identity is a set of personal attributes of a user, and a user can have several of them. As in the physical world, a user changes his partial identity in computer networks and thereby varies between being anonymous and being fully identifiable; which partial identity is used depends on the situation and on the role required in it. In this way a user protects his privacy and at the same time can build up a reputation towards his communication partner with respect to his current role. The notion of a partial identity was introduced by Roger Clarke in 1993, although for surveillance rather than for privacy-enabling identity management [Cla93]. The relationship between partial identities and authorisations by attribute certificates / credentials is described in [Cla01].


The following figure shows an example of partial identities. The identity of the example user Willi Weber has four partial identities: anonymous, leisure, shopping, and public authority. By using a partial identity he discloses some of his personal attributes; using the partial identity public authority, for example, he discloses his name, date of birth, place of birth, and address, whereas using his partial identity anonymous he discloses no personal attribute at all. As a result, he is identifiable where he needs to be and can build up a reputation under the identity used, while controlling the disclosure of his personal attributes and thereby protecting his privacy.

 

Figure: Identity and partial identities of an example user

 

Data Structure of a Partial Identity

 

A partial identity is a record of personal attributes. Each entry in the record consists of an attribute identifier and the corresponding item of personal data, and the record as a whole is identified by a unique identifier. The elements of the data structure are:

  1. Unique identifier (pseudonym): A user authenticates himself towards his communication partners with personal data, e.g. his name, or with a cryptographic public key. Depending on the desired position between being anonymous and being fully identifiable, the user can use various kinds of pseudonyms [Pfi00]. Transaction pseudonyms, e.g. unambiguous transaction numbers, allow the individual steps of a transaction to be linked to each other and to the (pseudonymous) user without revealing his identity, whereas personal pseudonyms, e.g. a telephone number, allow the user to be personally identified.

  2. Identifier: Each item of personal data is referenced by an attribute identifier, e.g. "personname.given" (cf. [Cra02]).

  3. Key identifiers refer to an attribute that is unambiguous by itself, for example a private cryptographic key.

  4. Template: A template of a partial identity is a set of identifiers that defines a partial identity but contains no data; the user creates a partial identity by filling in a template.

 

Such a record stores the personal data of a partial identity together with the settings for the user's accountability, which depend on the situation. A user manages his partial identities with an identity manager. The following section describes a research prototype of such an identity manager developed at Freiburg University. This identity manager, called iManager, enables a mobile user to manage his partial identities and thereby to protect his privacy.

 

Architecture of the iManager

 

The iManager is the central security tool of a mobile device that is assumed to be trustworthy. It offers interfaces to the user, to the security mechanisms, and to the applications of the mobile device. Personal data and cryptographic keys can be accessed exclusively through the identity manager: when an application requests such data, the identity manager checks whether the user has consented to the disclosure of this personal data in the current situation. The architecture of the iManager and its interfaces is shown in the following figure. On top of a security platform, the components identity configuration, identity negotiation, and confirmation of action are responsible for managing the partial identities [Jen01].

 


Figure: Architecture of the iManager

The user interface has to be comprehensible to security laymen: they cannot verify and assess the security mechanisms of the iManager themselves, so misusing those mechanisms compromises the user's security and privacy, and the possibility of misuse has to be reduced (cf. [Ger03b]). The acceptance of the security tool also depends on its user interface. To simplify the use of the tool, the protection goals of multilateral security [Ran97] have been classified into user-controlled and system-controlled protection goals by analysing their interdependencies [Jen00], which reduces the complexity of the user interface. The user-controlled protection goals, anonymity and accountability, are configured by means of partial identities and their choice in a situation. The integration of the iManager into the user interface of the mobile device is shown in the following figure. At any time, the user is able to check which identity he is currently using.

 


Figure: Integration of the iManager into the user interface of the mobile device

The identity configuration enables a user to choose and create a partial identity for the current situation. A situation is defined by the communication partner, the current service, and the current partial identity [Jen02]. Because the anonymity level cannot be increased again once it has been lowered (monotonicity of anonymity [Wol00]), a partial identity cannot be changed arbitrarily: if the user wants to change the current partial identity, the iManager checks whether the anonymity level of the intended partial identity can still be reached. Further implemented functions are editing partial identities, storing them in a secure database on the mobile device, and recognising the current situation. The secure database stores the partial identities as well as the user's security and privacy policies and the rules for the security tools. A filter checks the data flow of the mobile device for personal data; this makes it possible to fill in a web form according to P3P with a suitable partial identity and with the user's permission.

An identity negotiation is necessary if a service needs more data from the user than he is willing to disclose in the situation. The conflict can be solved by a negotiation between the service and the user. A restricted automatic negotiation is possible through the implementation of P3P, i.e. by comparing the service's and the user's security and privacy policies. In case of a conflict, the iManager informs the user and proposes solutions, such as a suitable partial identity, for resolving it. For example, in the scenario the user wants to buy an electronic railway ticket and to collect some premium points. For the premium points, the virtual ticket machine requests some personal data from the user. A conflict occurs since the user is acting under his partial identity anonymous; the iManager proposes using the partial identity traveller to resolve it. The following figure shows this case.

 


Figure: Identity negotiation
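The record structure from the section "Data Structure of a Partial Identity" and the two checks just described, the monotonicity check of the identity configuration and the negotiation step, as an added example. This is not the iManager's code, which the deliverable does not show. It models the anonymity level as an assumed integer rank per partial identity (higher = more anonymous), tracks the lowest rank already used towards each communication partner, and uses constructed data for the ticket scenario: the attribute values, the partial identities traveller and shopping, the key identifiers, and the invented attribute identifier `ticket.premium.account` are all assumptions.

```python
"""Constructed example: a partial identity as a record of attribute identifiers,
the monotonicity check of the identity configuration, and the identity
negotiation step. Not the iManager's own code; names and levels are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# A template is the set of attribute identifiers that defines a partial identity.
# It carries no personal data; the user fills it in to create the identity.
Template = FrozenSet[str]


@dataclass(frozen=True)
class PartialIdentity:
    name: str                     # e.g. "anonymous", "traveller", "public authority"
    pseudonym_kind: str           # "transaction" or "personal" in the sense of [Pfi00]
    anonymity: int                # assumed ordinal scale: higher = more anonymous
    data: Dict[str, str]          # attribute identifier -> personal data item
    key_id: Optional[str] = None  # key identifier: handle of this identity's signing key

    def identifiers(self) -> FrozenSet[str]:
        return frozenset(self.data)


def create_from_template(name: str, kind: str, anonymity: int, template: Template,
                         data: Dict[str, str], key_id: Optional[str] = None) -> PartialIdentity:
    """Create a partial identity whose data fills exactly the template's identifiers."""
    missing, extra = template - set(data), set(data) - template
    if missing or extra:
        raise ValueError(f"data does not match template: missing={sorted(missing)}, extra={sorted(extra)}")
    return PartialIdentity(name, kind, anonymity, dict(data), key_id)


class IdentityManager:
    """Identity configuration and negotiation for one user (constructed model)."""

    def __init__(self, identities):
        self.identities = {pi.name: pi for pi in identities}
        self.current: Optional[PartialIdentity] = None
        # Lowest anonymity level already used towards each partner. It can only
        # go down: monotonicity of anonymity [Wol00].
        self.reached: Dict[str, int] = {}

    def _reachable_level(self, partner: str) -> int:
        top = max(pi.anonymity for pi in self.identities.values())
        return self.reached.get(partner, top)

    def can_switch(self, partner: str, name: str) -> bool:
        """A partial identity is usable towards a partner only if it is not more
        anonymous than what the user has already revealed to that partner."""
        return self.identities[name].anonymity <= self._reachable_level(partner)

    def select(self, partner: str, name: str) -> PartialIdentity:
        if not self.can_switch(partner, name):
            raise PermissionError(f"anonymity level of {name!r} can no longer be reached towards {partner!r}")
        self.current = self.identities[name]
        self.reached[partner] = min(self._reachable_level(partner), self.current.anonymity)
        return self.current

    def negotiate(self, partner: str, requested):
        """Compare a service's request (identifiers from its P3P-style policy) with the
        current partial identity. Return ("ok", data) when the identity covers it,
        otherwise ("conflict", proposals): reachable identities that cover the
        request, most anonymous first, for the user to choose from."""
        requested = frozenset(requested)
        if self.current is not None and requested <= self.current.identifiers():
            return "ok", {k: self.current.data[k] for k in sorted(requested)}
        proposals = [pi.name for pi in sorted(self.identities.values(), key=lambda p: -p.anonymity)
                     if requested <= pi.identifiers() and self.can_switch(partner, pi.name)]
        return "conflict", proposals


# Constructed data for the railway-ticket scenario. Identifiers follow the dotted
# style of [Cra02]; "ticket.premium.account" and all values are invented.
NAME = frozenset({"personname.given", "personname.family"})
WILLI = IdentityManager([
    PartialIdentity("anonymous", "transaction", 3, {}),
    create_from_template("traveller", "personal", 2, NAME | {"ticket.premium.account"},
                         {"personname.given": "Willi", "personname.family": "Weber",
                          "ticket.premium.account": "TP-4711"}, key_id="key-traveller"),
    create_from_template("shopping", "personal", 1, NAME | {"home.street", "home.city"},
                         {"personname.given": "Willi", "personname.family": "Weber",
                          "home.street": "Bahnhofstr. 1", "home.city": "Freiburg"}, key_id="key-shopping"),
])


def ticket_scenario():
    """The user approaches the ticket machine anonymously; premium points need a name."""
    WILLI.select("ticket-automat", "anonymous")
    request = NAME | {"ticket.premium.account"}
    conflict = WILLI.negotiate("ticket-automat", request)  # anonymous does not cover the request
    WILLI.select("ticket-automat", conflict[1][0])          # the user accepts the proposed identity
    ok = WILLI.negotiate("ticket-automat", request)         # now covered: data released
    back = WILLI.can_switch("ticket-automat", "anonymous")  # anonymity cannot be regained here
    return conflict, ok, back


if __name__ == "__main__":
    print(ticket_scenario())
```

The per-partner bookkeeping is what gives the monotonicity check its meaning: once the user has appeared as traveller towards the ticket machine, `can_switch("ticket-automat", "anonymous")` is false, while the anonymous identity remains available towards a partner that has not yet seen any of his data. The negotiation proposes only identities that both cover the request and are still reachable, ordered so that the least disclosing option comes first.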

For each partial identity, the user decides on his own accountability and on the accountability of his communication partner. The component confirmation of action implements the user's accountability by means of a digital signature tool, which is used whenever a digital signature is required, e.g. for self-signing personal data. To declare his intent explicitly, the user signs with his handwritten signature and thereby authorises the digital signature tool to sign the corresponding credential. The signature key is selected by choosing the suitable partial identity; in this way the technical functions of key management are presented in a more comprehensible manner [Ger01].

The security platform consists of interfaces to cryptographic primitives, to anonymity services, to a session management, to a secure database, and to security services. Anonymity services are the foundation of identity management, since they enable the user to be anonymous towards his communication partners. The anonymity service JAP [Ber00] is used for IP networks; for spontaneous networking, a library of Rostock University, Germany, [Sed01] is used. The cryptographic primitives for encryption and digital signatures are provided by the library FlexiPKI [Buc99].

 

Summary

 

The iManager of Freiburg University, Germany, shows that it is feasible to realise the privacy and security interests of a mobile user, depending on the situation, by managing different partial identities and appearing under them. It is being developed further in order to support privacy in business processes in which services act on behalf of the user and need access to the user's profile, which is stored by another service.

 

fidis-wp3-del3.1.overview_on_IMS.final_04.sxw