D3.3: Study on Mobile Identity Management

Study on Mobile Identity Management LINKING A PHYSICAL PERSON WITH ITS DIGITAL IDENTITY

Linking a physical person with its digital identity

Identity management systems (IMS) manage digital identities, authorisations and rights of the identities and the delivery of services and credentials to their legitimate users. For a proper operation one needs mechanisms that guarantee that the digital identity represents the legitimate physical user (see requirement IV.b of section 2.1: Integrity of idenetity credentials). Today’s main threat to the security of IMS comes from impostors who usurp a digital identity from a legitimate user (Phishing, social engineering, man-in-the-middle and other forms of identity theft). It is uncontested that Passwords or PIN-codes alone provide an insufficient tie between a physical person and its digital identity (Girard and Hirst, 2004). Stronger authentication schemes are mandatory for all IMS that manage valuable rights, data and services. 

There are three different concepts to establish a link between a physical person and its digitally represented identity: Something that the person carries with her (token, like a smart card); something that the person knows (password, PIN-code); something that the person is (biometric feature). To authenticate a person one or more of such credentials based on these basic concepts have to be verified. Depending on the number of different types of such credentials one speaks of a one-, two- or three-factor authentication. It is important to notice that the only mean to establish a negative authentication (proof that an impostor tries to acquire a digital identity) needs a biometric factor.

Fig 2-8: Identity verification factors that can be used in an authentication process to link a physical person with a digital identity 

1. 1. 1. Authentication within a Mobile Identity Management System

In all identity management systems (IMS) the set up of a safe link between a person and its digital identity is the most crucial process for the security of the whole access and authorisation chain. IMS use one or more of the three above mentioned concepts when an access requesting person has to deliver proofs for her correct identity. There are two different approaches for an authentication in an environment with mobile users. 

1. Centralised management of the authentication process for all users. The mobile device serves to transmit identity data provided by the user that will be evaluated against centrally stored authentication information about the user. 

2. Distributed management of the authentication process for all users. The mobile personal device contains the authentication data. No exchange or storage of authentication data with a central server is necessary. The mobile device delivers only information to proof that a secure link between the physical person and its digital identity has been established successfully. 

In Mobile Identity Management Systems (MIMS) the authentication process is best implemented using the distributed concept to comply with the requirements I, II, IV, V, VI, IX and X listed in section 2.1. There are very limited possibilities to establish a secure and privacy protecting link between a person and its digital identity that includes biometrics by centralised mechanism. Such mechanisms always violate the requirements Ia, Ic, V, VI and X of section 2.1. Nevertheless many of today’s IMS, even governmentally supported IMS, still rely on such centralised authentication concepts. The US immigration IMS with biometric registration of all foreign visitors and storage of these data in a centralised repository is probably the most prominent and intriguing example. There are also some critical points in a decentralised scheme. A distributed authentication process has to rely on the tamper resistance of the device that performs the mobile authentication (aMAD) and that delivers the appropriate identity proofs. As such devices are in the possession of the potential attacker sufficiently high security standards for tamper resistance of the aMAD have to be requested, which in turn may have an impact on the price of the personal device. Although this may be a weaker point of distributed MIMS, its importance is limited. Even if a method to tamper an aMAD device is known, the malicious process can not be automated by a single attacker and the damage and therefore the interest of the attacker is always limited. 

Fig 2-9: Flow of critical personal data in a identity management system with distributed and with centralised authentication 

The centralised scheme has several drawbacks regarding security (many points of attack), privacy (central repository with critical information) and scalability (the separability of personal identity data diminishes with the rising number of users). There may be some advantages of a centralised scheme in the management of functionalities (requirements I, II), It is easier to update the evaluation of presented credentials or change credentials, when all relevant processing is centralised. The need to change evaluation protocols for credentials however is higher in a centralised scheme, as there is a greater risk of misuse at large scale. 

Schemes for distributed 3-factor authentication

Far better than any centralised solution are distributed mechanisms that provide a secure link between physical persons and a digital identity certificate enclosed inside a personal mobile token. The token contains the necessary information to establish the link between the physical person and its digital identity without interaction with a centralised data repository. SIM-cards with a PIN authentication are an example of such a mechanism with two-factor identity verification. For many applications with higher security requirements or with the need for negative authentication a two factor verification mechanism without biometrics is no more acceptable. There are several concepts that allow a distributed three-factor authentication 

1. Smart cards that store a biometric matching template, acquired in the enrolment process which may be compared with a locally measured query template  

2. Smart cards that store the biometric matching template and the matching algorithm on the card (match-on-card, MOC) 

3. Tokens that provide the full biometric authentication process including the sensors and the feature extraction to acquire a query template from the biometric measurement (autonomous mobile authentication device, aMAD) 

Only the last solution fulfils entirely the req. Ic, Vb and VI and IX. The availability of special hardware (biometric sensor equipment) at any authentication site is a serious restriction for the wide application of one of the two first mentioned solutions. Only the third scheme allows unrestricted mobility of the user, unlimited availability of the authentication procedure and full containment of all privacy critical biometric data inside the personal token. The last scheme allows the adoption of federated identities based on partial identity information provided by the mobile authentication token. This is important to fulfil the requirement of supporting federated identities as the interoperability of identity credentials is not guaranteed without a ubiquitous trusted PKI infrastructure. An aMAD-token may store many independent digital identity certificates to authenticate the user directly to different network IMS. The different network operators have only to trust the certification authority that edits the aMAD-tokens and the initial enrolment process. In chapter 5 a realisation of an aMAD is presented (AXS-ID-card). 

Fig. 2-10: Within a distributed authentication scheme federated identities are realised in a simple way by storing multiple identity certificates in one token 

Digital identity proofs using the authentication token

There are several solutions for authentication tokens on the market: Smart Cards with electrical connection or RF-interface, OneTimePassword-Tokens, USB-Tokens, tokens in form of a cell-phone, PDA or Pager and SW-tokens to be loaded on a personal mobile computer. All the tokens contain a secret that can be verified by an external IMS operator or authentication service provider. The verification process between remote IMS and authentication token is only activated after a successful person-to-token authentication. There are three different concepts to use a secret in such tokens as identity credential:  

1. In a Challenge-Response-Protocol (CR) an external operator verifies that the token contains the secret through en encrypted transmission of a one-time password (OTP) into the token. The token decrypts the encoded message with the secret and delivers the OTP. The later presented AXS-ID-card works with a CR-protocol that allows additional services based on the same token. 

2. The token delivers an OTP generated simultaneously inside the token and on the authentication server. Both sides share a common secret and are time or event synchronised. The OTP changes on both sides simultaneously at a certain pulse rate  

3. The token generates a linear hash code combining a secret and a time stamp that can be verified on the operator side. The well-known SecureID of RSA works with this concept.  

A common feature of all authentication tokens is that the base secret is completely independent of any personal identity information of the user. The observation of the secret exchange does, in no way, reveal any information about the identity of the user to a third party (unobservability).