A Privacy Enabled Fast Dynamic Authentication and Authorization for B3G/4G Mobility
Zhikui CHEN, Song YANG
DOI: 10.4236/cn.2009.12012

Abstract

Mobile technologies make headway by offering more flexibility to end-users and improving productivity. In ubiquitous access and pervasive communication, security (or privacy) and QoS (Quality of Service) are two critical factors during global mobility, so our focus is how to achieve a smooth and fast handover on top of an infrastructure that protects user privacy. Based on the user-centric virtual identity defined by the EU IST project Daidalos, this paper first proposes an infrastructure that protects the context-driven access policies for online services against malicious eavesdroppers. In the proposed infrastructure, SAML and Diameter are used to securely protect and deliver authenticated and authorized entities, and XACML is used to authorize the user-level privacy policy. On this basis, a dynamic fast authentication and authorization handover mechanism is proposed which saves one round trip between administrative domains.

Share and Cite:

CHEN, Z. and YANG, S. (2009) A Privacy Enabled Fast Dynamic Authentication and Authorization for B3G/4G Mobility. Communications and Network, 1, 74-81. doi: 10.4236/cn.2009.12012.


1. Introduction

The Internet is today's most used tool for work and leisure. In recent years, the need for a digital identity has become a strong driving force behind network architecture design, service provisioning and content handling, billing and charging. Digital Identity is expected to be a powerful tool for users to access unlimited digital resources via a limited number of trusted relationships, and for providers to offer these resources across different layers of communication systems, administrative domains and even legal boundaries. However, the lack of a common view on Digital Identity across these layers has so far resulted in independently developed and thus often inconsistent identity management frameworks, as well as incompatible applications. Identity is therefore no longer only a matter of who you are but also of the use you are making of a service or even a network connection. As a result, the ill-prepared architectures of today have to support users at the service level and tend to create situations where the privacy of the user is at risk.

For pervasive computing, privacy is a severe problem. Servers may very well hold sensitive personal data, such as patient health-care records, employee records, credit card details, etc. It is critical that users have control over their identity and profile information: what it is, how it is protected and who has access. For example, e-Government relies heavily on the reuse and exchange of personal data, and protecting the privacy of health information is an issue that has gained tremendous significance with the advance of electronic health-care records. Identity management (IDM) is thereby a crucial component, e.g., to ensure that only authorized users have access to protected data resources.

Protecting the privacy of users in user-centric identity management systems is a challenging problem for service access, and it can only be solved if users are given complete control over their identity data. None of the existing solutions offers this. The key challenges towards a more consistent approach are the conflicting requirements of privacy, identification and security in open and distributed pervasive services [1,2].

Authentication and authorization together define the process of verifying whether an object is permitted to perform a particular action. Two classes of mechanisms exist: 1) Authentication-based schemes require, as a precondition, that the object is authenticated; an access control list is then consulted to decide whether this identified object is allowed to perform the requested action. 2) Credential-based schemes rely on credentials, i.e., trustworthy information held by the algorithm performing the authorization, rather than on the identity of the object. Authorization depends on service-specific attributes, e.g., service class for QoS, and on user-specific attributes, e.g., name, age, etc. [3].

Handover occurs when a mobile terminal (MT) roams from one domain to another. During the handover there is an interval in which the MT has lost its connection to the previous access router (PAR) and has not yet established one to the new access router (NAR); data sent to it during this interval is lost. So the handover must first be fast enough to reduce the loss of data. Secondly, the handover must be secure, neither disclosing private data nor breaking the integrity of the user's data. QoS is a further factor that affects handover, as shown in Figure 1.

Based on the above scenarios and the XACML standard, this paper proposes a service authorization mechanism based on user-level privacy policies which, at the enforcement level, defines exactly which resources are 'personal data' and exactly who is an 'authorized person'. The user-level privacy-policy management is implemented with a user-centric IDM, based on a key concept defined in the European IST (Information Society Technology) project Daidalos [4]: a virtual identity (VID) that operates across all network layers and across federated intra- or inter-domains. In addition, in order to obtain a fast and smooth handover, a fast and secure authentication and authorization scenario for mobile terminal mobility across different domains is also proposed.

The rest of this paper is structured as follows. Section 2 firstly introduces two key components of a user-centric identity management system proposed in Daidalos, and then describes the proposed infrastructure in detail. A dynamic authentication and authorization handover mechanism will be proposed in Section 3. Section 4 summarizes the paper.

Figure 1. Handover requirement in pervasive environment.

2. Privacy-Enabled Authentication and Authorization Mechanism

2.1. Two Key Terms—VID and EPP

Before describing the proposed infrastructure, two concepts are first introduced, namely VID and EPP.

• VID

The concept of virtual identities, and an extensive investigation into their management and efficiency, is central to our approach. By efficiency of a virtual identity we mean that it discloses neither too much nor too little information for the purpose required (e.g., service usage), that it makes it difficult for the general public to link it to other virtual identities of the same person, and that it preserves an optimum balance between its (contradictory) primary functions: pseudonymity and protection of the true identity on the one hand, and service provisioning, non-repudiation and authentication on a reasonable scale on the other. Virtual identities are complemented by a management cycle that supports their efficiency, which should cover privacy policy negotiation, access control, reputation and trust, and context obfuscation.

A VID is a collection of references (e.g., URIs) to actual Entity Profile Parts (EPPs, see the next subsection) stored at different places. A VID may include a variable number of references and, as such, fulfils the Entity Profile View (EPV) function. While defining a VID, the Identity Manager also declares access control policies and thus defines a filtered EPV (FEPV) according to the user's request for the service that will use the VID. A VID is equipped with a pseudonymous identifier from which it is not possible to resolve the true identity of the VID holder. The pseudonymous identifier is not a human-like name (although such a pseudonym could be included in the VID as an EPP) but a machine identifier (a number) used as the primary key for records on the VID data in the A4C (Authentication, Authorization, Accounting, Auditing and Charging) administrative domain. The pseudonym is commonly referred to as the VID Identifier (VIDID). A VID serves several functions: authentication, authorization, accounting (e.g., non-repudiation), pseudonymization, and data minimization (according to the data minimization or proportionality principle). In this way, all the entities in an administrative domain serve the same VID of one legal entity, which is liable for that administrative domain. Further details are given in the literature [1,2,5].

• EPP

We are inclined to think of private identification data as highly distributed, and there are practical reasons and arguments for this: the data have always been held internally by data controllers (operators, small and large providers, state departments and other authorities have always collected and stored data on people) as well as privately by the data subject. Moreover, it is unclear who owns this identification data: the usual state of affairs is that the data subject (a legal or natural person) is not the owner, since the data subject can never, for example, sell a particular piece of personal data held by a data controller; and the regulations on this are not very distinct. Accordingly, we first model the notion of the smallest (semantically) consistent part of personal data for a (legal) entity, called the Entity Profile Part (EPP). A particular EPP is a subset of all the personal data specifying a certain fact about the (legal) entity, such that this fact is still entirely (semantically) captured or described inside this subset, and it is the smallest such subset for this fact. For example, the first name and the surname of a person together form the smallest consistent part of data capturing the full name of the person; if we take only the first name or only the surname, it is no longer clear which person is meant. Thus, first name plus surname is an example of an EPP. The abstract union of all the EPPs is called the Entity Profile (EP). An EPV should be defined and controlled by the data subject, and in this way the principle of user consent is enforced. Then, for any EPV, the actual access to the data is subject to access control on the EPPs, so that the perception an observer gets of the EPV is filtered by the access control on EPPs; this is called a Filtered EPV (FEPV). The notification principle and the principle of the right to object to the processing of personal data are followed by giving the data subject the power to define the access control on EPPs, i.e., to define FEPVs.
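The VID/EPP/FEPV mechanics of this subsection and the previous one, as an added worked example in Python that is not code from the paper or from the Daidalos project. It models a VID as a random VIDID plus references to EPPs held by separate data controllers, and evaluates the data subject's per-EPP rules with XACML-style deny-overrides combining to produce the FEPV a given requester actually sees. The URIs, roles, purposes, the rule format, the wildcard and the profile data are constructed assumptions for illustration, not Daidalos identifiers or XACML syntax.

```python
"""Added example, not code from the paper or the Daidalos project.

A VID is a pseudonymous machine identifier (VIDID) plus references to EPPs
stored with different data controllers.  The data subject attaches
Permit/Deny rules to each EPP; evaluating them for a requester yields the
Filtered EPV (FEPV).  All URIs, roles, purposes and data are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List
import secrets

ANY = "*"   # wildcard for roles/purposes (an assumption of this example)


@dataclass(frozen=True)
class EPP:
    """Smallest semantically consistent part of personal data, e.g. first
    name + surname together form the 'full name' EPP."""
    uri: str
    data: Dict[str, str]


@dataclass(frozen=True)
class Rule:
    """XACML-like rule whose target is (requester role, purpose) on one EPP."""
    epp_uri: str
    roles: FrozenSet[str]
    purposes: FrozenSet[str]
    effect: str            # "Permit" or "Deny"

    def matches(self, epp_uri: str, role: str, purpose: str) -> bool:
        return (self.epp_uri == epp_uri
                and (ANY in self.roles or role in self.roles)
                and (ANY in self.purposes or purpose in self.purposes))


@dataclass
class VID:
    """Pseudonymous identity: VIDID plus EPP references; the personal data
    itself stays with the data controllers, the VID only points at it."""
    vid_id: str
    epp_refs: List[str]
    rules: List[Rule] = field(default_factory=list)


def new_vid_id() -> str:
    """VIDID: a random number, not resolvable to the holder's true identity."""
    return secrets.token_hex(16)


# Constructed sample EPPs, standing in for several distributed data controllers.
EPP_STORE: Dict[str, EPP] = {
    "urn:epp:1001:name": EPP("urn:epp:1001:name",
                             {"first_name": "Alice", "surname": "Example"}),
    "urn:epp:1001:health": EPP("urn:epp:1001:health", {"blood_type": "O-"}),
    "urn:epp:1001:payment": EPP("urn:epp:1001:payment", {"card_last4": "4242"}),
}


def decide(vid: VID, epp_uri: str, role: str, purpose: str) -> str:
    """Deny-overrides combining as in XACML: any applicable Deny wins, then
    Permit, otherwise NotApplicable (which the enforcement point treats as
    no access, the safe default)."""
    effects = {r.effect for r in vid.rules if r.matches(epp_uri, role, purpose)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def filtered_epv(vid: VID, role: str, purpose: str) -> Dict[str, Dict[str, str]]:
    """Resolve the VID's EPP references and keep only the EPPs the data
    subject's rules permit for this requester: the FEPV.  A reference that
    cannot be resolved (controller unreachable, EPP deleted) is skipped
    rather than failing the whole view."""
    view: Dict[str, Dict[str, str]] = {}
    for uri in vid.epp_refs:
        epp = EPP_STORE.get(uri)
        if epp is None:
            continue
        if decide(vid, uri, role, purpose) == "Permit":
            view[uri] = dict(epp.data)   # copy: requester gets data, not the store
    return view


def sample_vid() -> VID:
    """Constructed VID; the data subject defines the rules, enforcing consent."""
    vid = VID(new_vid_id(),
              ["urn:epp:1001:name", "urn:epp:1001:health",
               "urn:epp:1001:payment", "urn:epp:1001:missing"])
    vid.rules = [
        # full name: visible to the clinic and the shop for their purposes
        Rule("urn:epp:1001:name", frozenset({"doctor", "shop"}),
             frozenset({"treatment", "billing"}), "Permit"),
        # health data: any requester acting for treatment ...
        Rule("urn:epp:1001:health", frozenset({ANY}),
             frozenset({"treatment"}), "Permit"),
        # ... except shops, whose explicit Deny overrides that Permit
        Rule("urn:epp:1001:health", frozenset({"shop"}), frozenset({ANY}), "Deny"),
        # payment details: only the shop, only for billing
        Rule("urn:epp:1001:payment", frozenset({"shop"}),
             frozenset({"billing"}), "Permit"),
    ]
    return vid


if __name__ == "__main__":
    v = sample_vid()
    for role, purpose in [("doctor", "treatment"), ("shop", "billing"),
                          ("shop", "treatment"), ("researcher", "statistics")]:
        print(role, purpose, "->", sorted(filtered_epv(v, role, purpose)))
```

Running the block prints the FEPV for four requesters. The clinic sees name and health data, the shop billing a purchase sees name and payment data, a shop claiming a treatment purpose still sees only the name because the explicit Deny overrides the purpose-based Permit, and a requester that matches no rule gets nothing: NotApplicable is deliberately not treated as Permit, since the data-minimization principle of the VID requires that an unanswered question discloses nothing.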

2.2. Architecture Components

Figure 2 illustrates the components of the proposed authentication and authorization system. The Key Deployment Centre (KDC) is responsible for issuing keys, and the PANA Client (PaC) is used to bootstrap the VID and EPPs, as explained in the following. The Policy Manager manages the various context-driven policies, including adding, modifying and deleting a policy for a specific EPP. The Context Manager controls the various contexts of an EPP under a specific VID, including adding, timely updating and deleting them. The EPP Manager manages all EPPs, including querying, adding, deleting and modifying data under a specific VID. The ID Manager manages VIDs, including creating, deleting and retrieving them from the VID wallet [5]. All of these components interact with the ID Broker, which is the key component of the proposed scheme: the ID Broker controls the user's VIDs and services, including the privacy policy. Next, we explain the concepts of the VID and EPP.

Conflicts of Interest

The authors declare no conflicts of interest.

References

[1] R. L. Aguiar, J. Jaehnert, A. F. Gomez Skarmeta, and C. Hauser, “Identity management in federated telecommunications systems,” Proceedings of the Workshop on Standards for Privacy in User-Centric Identity Management, Zurich, 2006.
[2] B. Weyl, P. Brandao, A. F. Gomez Skarmeta, R. M. Lopez, P. Mishra, C. Hauser, and H. Ziemek, “Protecting privacy of identities in federated operator environments,” IST-14th Wireless Mobile Summit, 2005.
[3] Z. Chen, “Federated dynamic authentication and authorization in Daidalos,” Proceedings of IEEE NTMS, May 2007.
[4] European FP6 IST project Daidalos, http://www.ist-daidalos.org.
[5] Z. Chen, “A scenario for identity management in Daidalos,” Proceedings of IEEE CNSR, May 2007.
[6] A. Westerinen, J. Schnizlein, J. Strassner, M. Scherling, B. Quinn, S. Herzog, A. Huynh, M. Carlson, J. Perry, and S. Waldbusser, “Terminology for policy-based management,” RFC 3198, November 2001.
[7] R. M. Bahat, M. A. Bauer, E. M. Vieira, and O. K. Baek, “Using policies to drive autonomic management,” In Proceedings of the 2006 international Symposium on World of Wireless, Mobile and Multimedia Networks, International Workshop on Wireless Mobile Multimedia. IEEE Computer Society, Washington D.C., pp. 475–479, June 2006.
[8] E. Lupu, M. Sloman, N. Dulay, and N. Damianou, “Ponder: Realising enterprise viewpoint concepts,” Fourth International Enterprise Distributed Object Computing Conference (EDOC’00), 2000.
[9] J. O. Kephart and W. E. Walsh, “An artificial intelligence perspective on autonomic computing policies,” Fifth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'04), 2004.
[10] R. Koodli, Ed., “Fast handovers for Mobile IPv6,” RFC 4068, July 2005.
[11] J. Loughney, Ed., “Context Transfer Protocol (CXTP),” RFC 4067, July 2005.
[12] P. Calhoun et al., “Diameter base protocol,” RFC 3588, September 2003.

Copyright © 2024 by authors and Scientific Research Publishing Inc.

Creative Commons License

This work and the related PDF file are licensed under a Creative Commons Attribution 4.0 International License.