Transcript of a presentation archived on ETSI Docbox
Federated Identity Management and Network Virtualization
Yang Cui and Kostas Pentikousis
3rd ETSI Future Networks Workshop
10 April 2013
Sophia Antipolis, France
The opinions expressed in this presentation are those of the authors and do not necessarily represent the views of Huawei Technologies Co., Ltd.
Talk Outline
• Federated ID Management Today
• Towards Network Virtualization
• Problems and Requirements
• Service Provider and Operator Co-operation
• Single Sign-On (SSO) in Network Virtualization
• Multi-factor Authentication
• Standardization Challenges
Federated ID Management Today
• Single Sign-On (SSO) – centralized authentication server
– Reduces costs and makes the user's life easier, but the central server becomes a highly critical component that must be strongly protected
– 3GPP SA3 study item: TR 33.804, SSO for IMS
• OpenID – a URI serves as the federated ID
– No central Certification Authority (CA), hence low trust and security levels
• Security Assertion Markup Language (SAML) – XML-based open-standard data format
– Exchanges authentication data between an identity provider and a service provider
• Liberty Alliance – ID mapping across different domains
– Complexity of multiple ID providers and of SAML
Federated System Requirements
• Interoperate across organizational boundaries
• Utilize identity storage
• Manage security approaches, authentication and authorization
• Support different programming models
• Within a federated system, security and privacy are critical: identities and credentials are stored and managed separately
– Each member manages its own identities
– Members share and accept identities and credentials from other members' sources
NFV: Industry Momentum
Source: Network Functions Virtualisation (White Paper, Oct. 2012)
Network Virtualization
Figure: properties expected of network virtualization, as listed on the slide: Scalability, Experimental, Heterogeneity, Isolation, Programmability, Manageability, Legacy Support, Deployment Flexibility, Convergence, Stability
NFV ID Management: Problems
• Threat model for a virtualized network environment – still needs to be defined
– May borrow ideas from cloud computing
• Virtualized network – no clear security boundary between distinct ID domains
– Secure storage of IDs and credentials
– A universally standardized authentication system across multiple domains
– Trusted partnerships
– Operational isolation within the virtualized environment
NFV ID Management: Requirements
• Authentication and Authorization – Need to support multi-domain scenarios
– Federated authentication, proxy and delegation
– Protect credentials (via centralized or distributed management)
• User Privacy – IDs (and credentials) may need to be unlinkable across domains
– Support anonymity as needed
• Secure Storage – Leakage of permanent secrets shall be prevented
• Extensibility – Possibility of interworking with a larger range of service providers
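The identity-provider-to-service-provider assertion exchange described under Federated ID Management Today, together with the unlinkability requirement above, as an added example (not code from the presentation): the IdP issues a short-lived, signed assertion carrying a pairwise pseudonymous subject, and an SP in another domain checks issuer, signature, audience, validity window and replay before accepting it. An HMAC key shared between IdP and SP stands in for the XML signature a real SAML deployment would use, and the idp/sp names are placeholders; both are assumptions made for a stdlib-only demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Issues assertions for a user towards one audience (a service provider)."""

    def __init__(self, issuer: str, signing_key: bytes, pseudonym_salt: bytes):
        self.issuer = issuer
        self._signing_key = signing_key      # assumption: HMAC key shared with SPs
        self._pseudonym_salt = pseudonym_salt

    def pairwise_id(self, user: str, audience: str) -> str:
        # Pairwise pseudonymous subject: the same user gets a different,
        # non-reversible identifier per SP, so two SPs cannot correlate logins.
        mac = hmac.new(self._pseudonym_salt, f"{user}|{audience}".encode(), hashlib.sha256)
        return mac.hexdigest()[:32]

    def issue(self, user: str, audience: str, lifetime: int = 300, now=None) -> str:
        now = int(time.time() if now is None else now)
        claims = {
            "iss": self.issuer,
            "aud": audience,
            "sub": self.pairwise_id(user, audience),
            "iat": now,
            "exp": now + lifetime,
            "jti": secrets.token_hex(16),   # unique ID so the SP can detect replay
        }
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self._signing_key, body, hashlib.sha256).digest()
        return _b64e(body) + "." + _b64e(sig)


class ServiceProvider:
    """Consumes assertions from trusted issuers in other domains."""

    def __init__(self, entity_id: str, trusted_issuers: dict, clock_skew: int = 30):
        self.entity_id = entity_id
        self._trusted = trusted_issuers     # issuer -> verification key
        self._skew = clock_skew
        self._seen_jti = set()              # replay cache (bounded by lifetime in practice)

    def consume(self, assertion: str, now=None) -> dict:
        """Validate an assertion and return its claims; raise ValueError otherwise."""
        now = int(time.time() if now is None else now)
        try:
            body_b64, sig_b64 = assertion.split(".")
            body, sig = _b64d(body_b64), _b64d(sig_b64)
            claims = json.loads(body)
        except ValueError as exc:           # covers unpack, base64 and JSON errors
            raise ValueError("malformed assertion") from exc
        if not isinstance(claims, dict):
            raise ValueError("malformed assertion")
        iss = claims.get("iss")
        key = self._trusted.get(iss) if isinstance(iss, str) else None
        if key is None:
            raise ValueError("unknown issuer")
        # Verify over the exact bytes received, before trusting any other claim
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), sig):
            raise ValueError("bad signature")
        if claims.get("aud") != self.entity_id:
            raise ValueError("wrong audience")
        if not (claims.get("iat", 0) - self._skew <= now <= claims.get("exp", 0) + self._skew):
            raise ValueError("expired or not yet valid")
        jti = claims.get("jti")
        if not jti or jti in self._seen_jti:
            raise ValueError("replayed assertion")
        self._seen_jti.add(jti)
        return claims


def try_consume(sp: ServiceProvider, assertion: str, now=None) -> str:
    """Return 'ok' or the rejection reason, for the demo below."""
    try:
        sp.consume(assertion, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    idp = IdentityProvider("idp.operator.example", key, secrets.token_bytes(32))
    sp_a = ServiceProvider("sp-a.example", {"idp.operator.example": key})
    sp_b = ServiceProvider("sp-b.example", {"idp.operator.example": key})
    tok = idp.issue("alice", "sp-a.example")
    print("SP A first use:", try_consume(sp_a, tok))
    print("SP A replay:   ", try_consume(sp_a, tok))
    print("SP B misuse:   ", try_consume(sp_b, tok))
```

The audience check is the one most often skipped in home-grown federation code: without it, an assertion obtained for a low-value SP can be presented to a high-value one in the same federation. The pairwise subject is what lets an operator act as IdP for several OTT providers without letting those providers link the same subscriber across their databases.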
Requirements (cont.)
• Isolation and Robustness – Compromise of one service shall not compromise the security of another service
– Compromise of an application server or an external server shall not compromise the security of the whole system
• Flexible Control for the Operator – Control system-level security either by operating the system themselves or by contractual agreements with trusted partners
• In a telecommunication network, operators rely on the HSS (Home Subscriber Server) – Interfaces should keep the complexity on the HSS side low
– Interacting with the HSS should not lead to leakage of HSS information (permanent subscriber secrets)
Example: SSO in 3GPP IMS
• 3GPP SA3 study item: SSO for IMS based on SIP Digest or GBA
• NFV may call for a new architecture
• Consider a new framework not based on IMS or GBA?
• The security of the virtualized network itself must be addressed
Figure: SSO in 3GPP IMS (3GPP TR 33.804 & 33.980). The IM Subsystem (IMS), using IMS AKA, contains the UE, S-CSCF, HSS and SIP AS; the GBA Subsystem contains the BSF and the IdP/NAF; the SP sits in a Liberty Alliance federation. Reference points shown: Gm (UE to IMS core), Cx (S-CSCF to HSS), Isc (S-CSCF to SIP AS), Ub (UE to BSF), Ua (UE to NAF), Zh (BSF to HSS), Zn (NAF to BSF).
IMS: IP Multimedia Subsystem; SIP: Session Initiation Protocol; GBA: Generic Bootstrapping Architecture; BSF: Bootstrapping Server Function; NAF: Network Application Function; AKA: Authentication and Key Agreement; S-CSCF: Serving Call Session Control Function; HSS: Home Subscriber Server; AS: Application Server; IdP: Identity Provider; SP: Service Provider; UE: User Equipment
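The isolation and HSS requirements above, together with the GBA-based SSO arrangement in the figure, as an added example (not the presentation's or 3GPP's code): a small model of GBA bootstrapping in which the HSS releases only authentication vectors (never the permanent key K), the BSF keeps the session key Ks, and each NAF receives only a NAF-specific key Ks_NAF from a domain-separated KDF, so a compromised NAF learns nothing about another NAF's key or about K. Assumptions: authentication vectors are produced with HMAC-SHA-256 rather than MILENAGE, the KDF input layout follows the shape of TS 33.220 Annex B without claiming to be bit-exact, and the Ua protocol identifier and hostnames are placeholders.

```python
import hashlib
import hmac
import secrets
import struct


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 Annex B style KDF: HMAC-SHA-256 over
    S = FC || P0 || L0 || P1 || L1 || ... (each Li a 2-byte big-endian length).
    Layout modelled on the spec; not claimed bit-exact (assumption)."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def _prf(k: bytes, label: bytes, rand: bytes, length: int) -> bytes:
    # Simplified stand-in for the MILENAGE f2/f3/f4 functions (assumption, demo only)
    return hmac.new(k, label + rand, hashlib.sha256).digest()[:length]


class HSS:
    """Holds permanent subscriber secrets; exposes only authentication vectors."""

    def __init__(self):
        self._k = {}  # IMPI -> K; no method ever returns K

    def provision(self, impi: bytes, k: bytes) -> None:
        self._k[impi] = k

    def authentication_vector(self, impi: bytes) -> dict:
        k = self._k[impi]
        rand = secrets.token_bytes(16)
        return {
            "RAND": rand,
            "XRES": _prf(k, b"res", rand, 8),
            "CK": _prf(k, b"ck", rand, 16),
            "IK": _prf(k, b"ik", rand, 16),
        }


class UE:
    """UE/USIM side: shares K with the HSS and derives Ks and Ks_NAF itself."""

    def __init__(self, impi: bytes, k: bytes):
        self.impi, self._k = impi, k
        self.ks = None
        self.rand = None

    def respond(self, rand: bytes) -> bytes:
        self.rand = rand
        self.ks = _prf(self._k, b"ck", rand, 16) + _prf(self._k, b"ik", rand, 16)  # Ks = CK || IK
        return _prf(self._k, b"res", rand, 8)

    def naf_key(self, naf_id: bytes) -> bytes:
        return kdf(self.ks, 0x01, b"gba-me", self.rand, self.impi, naf_id)


class BSF:
    """Bootstrapping Server Function: Zh to the HSS, Ub to the UE, Zn to NAFs."""

    def __init__(self, hss: HSS):
        self._hss = hss
        self._sessions = {}  # B-TID -> (IMPI, RAND, Ks); Ks never leaves the BSF

    def bootstrap(self, ue: UE) -> str:
        av = self._hss.authentication_vector(ue.impi)   # Zh: an AV, never K
        res = ue.respond(av["RAND"])                    # Ub: AKA challenge/response
        if not hmac.compare_digest(res, av["XRES"]):
            raise PermissionError("UE authentication failed")
        btid = secrets.token_hex(8) + "@bsf.operator.example"   # placeholder host
        self._sessions[btid] = (ue.impi, av["RAND"], av["CK"] + av["IK"])
        return btid

    def naf_key(self, btid: str, naf_id: bytes) -> bytes:
        # Zn: the NAF presents the B-TID and gets only its own Ks_NAF
        impi, rand, ks = self._sessions[btid]
        return kdf(ks, 0x01, b"gba-me", rand, impi, naf_id)


def naf_id(fqdn: str, ua_protocol_id: bytes = b"\x01\x00\x00\x00\x02") -> bytes:
    """NAF_Id = NAF FQDN || Ua security protocol identifier (5 octets);
    the identifier value used here is a placeholder (assumption)."""
    return fqdn.encode() + ua_protocol_id


if __name__ == "__main__":
    hss, k, impi = HSS(), secrets.token_bytes(16), b"user@operator.example"
    hss.provision(impi, k)
    bsf, ue = BSF(hss), UE(impi, k)
    btid = bsf.bootstrap(ue)
    for host in ("naf-a.example", "naf-b.example"):
        nid = naf_id(host)
        print(host, bsf.naf_key(btid, nid) == ue.naf_key(nid), bsf.naf_key(btid, nid).hex()[:16])
```

The NAF_Id inside the KDF input is what gives the isolation requirement its teeth: two NAFs bootstrapped from the same Ks hold unrelated keys, and neither can reach Ks (held by the BSF) or K (held only by the HSS and the USIM), so the Zh and Zn interfaces expose nothing permanent.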
Service Provider & Operator Cooperation
Figure: the user authenticates to the Identity Server in the operator network, which is backed by the HSS and acts as Identity Provider towards the OTT service providers OTT A, OTT B and OTT C.
• Unify IDs across OTT service providers
• SP and IdP share their IDs without jeopardizing security
• In a virtualized network, the identity server may be further simplified
• An operator has an inherent advantage in managing user IDs
Multi-factor Authentication
Figure: the same arrangement, with the user additionally holding Token A; the Identity Server in the operator network (backed by the HSS) and the token are both checked before an OTT service is granted.
• Employ multi-factor authentication to enhance security
• Example: Service A becomes available only when authentication succeeds from both the operator network and the user's token
• SSO and multi-factor authentication for different service providers
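The example above (a service granted only when both the operator network and the user's token authenticate), as an added example that is not part of the presentation: the token factor is an RFC 6238 TOTP check, the network factor is represented by an assertion the service provider is assumed to have already validated, and the policy insists that both factors succeed for the same subject, that the network assertion is fresh, and that a token code is never accepted twice. The issuer and subject names and the assertion dictionary format are assumptions.

```python
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (default 30 s)."""
    return hotp(key, int(now) // step, digits)


class MultiFactorPolicy:
    """Grant a service only when the operator-network factor and the user's
    token factor both succeed for the same subject."""

    def __init__(self, token_keys: dict, operator_issuer: str,
                 max_assertion_age: int = 120, window: int = 1, step: int = 30):
        self._keys = token_keys          # subject -> enrolled TOTP secret
        self._issuer = operator_issuer   # assumption: issuer name of the operator IdP
        self._max_age = max_assertion_age
        self._window = window            # accepted clock drift, in time steps
        self._step = step
        self._used = set()               # (subject, counter) pairs already accepted

    def _network_factor(self, assertion: dict, now: float):
        # Factor 1: a fresh assertion from the operator's identity server.
        # The assertion is assumed to have been signature-checked already.
        if assertion.get("iss") != self._issuer:
            return None, "assertion not from operator network"
        if now - assertion.get("iat", 0) > self._max_age:
            return None, "network assertion too old"
        return assertion.get("sub"), None

    def _token_factor(self, subject, code: str, now: float):
        # Factor 2: the token enrolled for *this* subject must produce the code.
        # Checking "some token succeeded" without binding it to the network
        # subject would let any valid token unlock any subscriber's service.
        key = self._keys.get(subject)
        if key is None:
            return "no token enrolled for subject"
        base = int(now) // self._step
        for drift in range(-self._window, self._window + 1):
            counter = base + drift
            if hmac.compare_digest(hotp(key, counter), code):
                if (subject, counter) in self._used:
                    return "token code already used"
                self._used.add((subject, counter))
                return None
        return "token code invalid"

    def authorize(self, assertion: dict, code: str, now=None) -> tuple:
        """Return (True, subject) on success or (False, reason) on failure."""
        now = time.time() if now is None else now
        subject, err = self._network_factor(assertion, now)
        if err:
            return False, err
        err = self._token_factor(subject, code, now)
        if err:
            return False, err
        return True, subject


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test-vector key
    policy = MultiFactorPolicy({"alice": secret}, "operator.example")
    t = time.time()
    assertion = {"iss": "operator.example", "sub": "alice", "iat": t}  # constructed
    print(policy.authorize(assertion, totp(secret, t), now=t))
    print(policy.authorize(assertion, totp(secret, t), now=t))        # replay
```

Replay protection is per (subject, counter) rather than per code string: the same six digits are legitimately produced again for other subjects or at other time steps, while one subject presenting one step's code twice is exactly the case to refuse.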
Standardization Challenges
• To advance standardization of federated ID management with future network virtualization in mind, one needs to examine
– Existing standards and frameworks
– Which standardization organization to engage
– A defined and clarified threat model for federated ID management in NV
– A detailed security analysis
Conclusion and Future Work
• Problems and requirements of federated ID management in NV
• Co-operation between operators and service providers is needed to extend the capabilities of ID management
• Security mechanisms in NV need to be carefully reconsidered, including the threat model and the authentication mechanisms
Thank You!
Yang Cui and Kostas Pentikousis [email protected]