Bridging CardSpace and Liberty Alliance with SIM authentication

Ivar Jørstad, Do Van Thuan, Tore Jønvik & Do Van Thanh

– Ubisafe – Gamleveien 252, 2624 Lillehammer – Norway
– Linus – Martin Lingesvei 17, NO-1367 Snarøya – Norway
– Cort Adelers gt. 30, Oslo – Norway
– Telenor R&D – NTNU – Snaroyveien 30 – 1331 Fornebu – Norway

Topics addressed: 4. Service Enablers

Abstract
There are today two major Identity Management solutions, namely the Liberty Alliance and CardSpace from Microsoft. Unfortunately, these solutions are not interoperable. This paper proposes an Identity Management solution that integrates both the Microsoft CardSpace and the Liberty Alliance Identity Management. The idea is to integrate the current SIM authentication used in GSM with both Liberty Alliance and CardSpace such that it can be used for Internet services. Indeed, this is a step further than earlier work that uses SIM authentication for WLAN (Wi-Fi – EAP-SIM). Using the mobile phone as the unified authentication token is a compelling idea due to its popularity and high penetration.

Keywords: Identity management, Strong authentication, SIM authentication

1 Introduction
The number of electronic identities, i.e. user names and passwords, that each person has is increasing every day, and the situation will soon be unmanageable for a regular non-technical user. In many cases, passwords are not strong enough to resist attacks like phishing, pharming, etc., and stronger authentication schemes are needed, which are more complicated for the users and more expensive for the service providers. The lack of a satisfactory Identity Management system is the main barrier in the development of e-commerce, m-commerce and e-government applications. The need for an open, interoperable Identity Management solution is getting more and more urgent. Unfortunately, there are currently several competing and incompatible solutions. First, the Liberty Alliance [1] came up with a federated network identity solution that offers single sign-on, enabling the user to visit several web sites without having to log in again. The other major solution is CardSpace [2] from Microsoft, which provides a user-friendly way to manage multiple identities. Unfortunately, these solutions are not interoperable.
This paper proposes an Identity Management solution that integrates both the Microsoft CardSpace and the Liberty Alliance Identity Management. The idea is to integrate the current SIM authentication used in GSM with both Liberty Alliance and CardSpace such that it can be used for Internet services. Indeed, this is a step further than earlier work that uses SIM authentication for WLAN (Wi-Fi – EAP-SIM) [3]. The idea of making the mobile phone and its SIM a universal authentication token is compelling, since the mobile phone is so common nowadays, and the GSM network is currently the largest mobile network and is ubiquitous in much of the world.
The paper starts by summarising the state-of-the-art solutions for strong authentication and their limitations. Next, a short introduction to Liberty Alliance and CardSpace is given. An overview of our SIM Strong Authentication Service is then presented, followed by a scenario showing how the service works. The value brought to users and service providers is identified, and the business opportunities for the mobile operators are also analysed.

2 Limitations of State-of-the-Art Authentication Solutions

2.1 Passwords
As mentioned earlier, the most common authentication scheme today is based on passwords. It is both weak and, because of the sheer number of passwords a user has to handle, not user-friendly. There are many issues with user password management, but from a security point of view, there are three main issues:
• User-friendliness: It is always possible to propose systems with high security, but if they are not sufficiently simple and friendly, the user will find a way to bypass them.
• Phishing (stealing a user's password by tricking them into giving their credential away to the wrong party): Keep asking gently for a password from a user, and at some point he will give it away. The most well-known methods for phishing user passwords are either to reproduce an almost identical login page to the one the user is used to, or to pretend to be from customer service and request a password for some special operation. The main rule of phishing is "if you can lock a user for a reason", then he will be ready to give you all
the passwords he knows to unlock the situation: "current one, old one, one from another site...".
• Brain limit: Typical users will only remember from three to five logins/passwords. They will either reuse the same credential all over, creating a potential risk of correlation between service providers, or will stick the most secure one on a "post-it" somewhere in a very well hidden place such as "under his keyboard".
To tackle the latter problem and other identity-related issues, the Liberty Alliance [1] has promoted the concept of federated network identity, which enables users to seamlessly jump from one service provider to another using Single Sign-On, while warranting user privacy, an adequate level of authentication for the requested service, and provider independence. However, while Liberty specifies how a service provider requests a given level of authentication, it does not normalize how the CoT authentication authority (i.e. Identity Provider) negotiates credentials with, or on behalf of, the principal. The problem of weak authentication then remains unsolved, leaving room for user password Web phishing and Post-It leaking.

2.2 Stronger Authentication Schemes
There exist today several strong authentication alternatives that require the user to present at least two factors, i.e. something that you know (PIN, code or password), combined with something that you have (a smart card or an authentication token), or sometimes something that characterizes you (biometrics). The smart card or authentication token may carry One-Time-Password (OTP) or Public Key Infrastructure (PKI) credentials. These solutions bring sufficient protection both to users and service providers but, unfortunately, they all suffer from significant drawbacks:
• Costly infrastructure: Strong-authentication solutions require specialized security hardware (such as tokens and smart cards), dedicated software and IT server infrastructure. In addition, there is a cost related to the administration of the keys and certificates.
• Lack of interoperability: Strong-authentication solutions are quite often proprietary and do not operate with each other.
• Poor structure: They do not provide well-defined interfaces that allow integration with new applications or services.
• Lack of scalability: Most current solutions are standalone and it is very difficult to extend them to be a global solution that can be used by every user, everywhere and anytime.
• Cost of deployment: Not only do special devices have to be given to each user, but each service provider needs to be customized to support the API and handshake protocols specific to the chosen device.
• Because of the cost of deployment, this solution has been mostly limited to protecting access gates to a secure zone (typically a VPN for an enterprise).

2.3 Dynamic Passwords
One alternative addressing some of the mentioned issues is to provide users with dynamic passwords they can use to log in. The users do not have to remember them, and there is no risk of compromised passwords since they are used only once. All users need is a mobile phone that is capable of receiving the password as an SMS message from the service provider. This solution is, however, not very user-friendly since the users have to type in the password. In addition, a system for generating dynamic passwords is also needed and may be costly.
Because of the lack of user friendliness, this solution cannot be used for day-to-day operation, and is mostly limited to exceptional operations such as connecting to the Internet from a hotspot at an airport, hotel, gas station, etc.

3 Introduction to Liberty Alliance
The Liberty Alliance [1] uses the concept of network identity, which refers to the global set of attributes that are contained in an individual's various accounts with different service providers. Currently the user's network identities are like isolated islands, and the user is responsible for remembering numerous usernames and passwords for each of these identity islands. The user will typically either try to always use the same password or record the password somewhere. Either way, the result is a drop in the level of security.

[Figure 1: diagram of a Circle of Trust with the following labelled elements: Principal (User, Employee, Customer, Game user); Service Provider (Geolocation, Payment); Service Provider (Web shop, Net Bank); Identity Provider (Authentication, Federation, Service discovery, Personal Profile).]
Figure 1 A Liberty Alliance Circle of Trust
The most logical solution to the problem caused by the isolated network identities is to build bridges that interconnect them and allow information flows between them. This is precisely what "Federation" does. Federation refers to the technologies that make identity and entitlements portable across autonomous policy domains. Consequently, the Federated Network Identity is a portable identity.
The establishment of federated relationships between service providers will hence allow the users to move more seamlessly from one service provider to another. However, if every service provider has to form an alliance with each of the other service providers, it will be time consuming and require tremendous effort. For n service providers, it requires n(n-1)/2 established relationships.
To circumvent this problem, the Liberty Alliance proposed a new role called Identity Provider. The Identity Provider assumes the management of the users' Federated Network Identity and the user authentication. A Circle of Trust is a group of service providers and identity providers that have business relationships based on Liberty architecture and operational agreements, and with whom users can transact business in a secure and apparently seamless environment.
Figure 1 shows a Circle of Trust. The Principal is the user, employer, customer, game user, etc. whose Federated Network Identity is managed by the Identity Provider. Once federation is done, the user can enjoy Single Sign-On.

4 Introduction to CardSpace
CardSpace [2] is Microsoft's latest proposal for secure digital identities. CardSpace, originally code-named "InfoCard", gives any Windows application, including Microsoft's own applications such as the next release of Internet Explorer and those created by others, and its users a common way to work with digital identities. Part of the .NET Framework 3.0, CardSpace will be available for Windows Vista, Windows XP, and Windows Server 2003.
CardSpace provides the user with a consistent way to work with multiple digital identities, regardless of the kinds of security tokens they use. The user can create, use, and manage these diverse digital identities in an understandable and effective way. She might also be able to choose from a group of identity providers as the source of the digital identity she presents to the relying parties.

Figure 2 CardSpace and interaction among user, relying party and identity provider

5 Bridging Liberty Alliance and CardSpace

5.1 High level requirements
While the Liberty Alliance alleviates the burden of managing multiple identities by linking them together as a federated identity, CardSpace simplifies the management through a unique interface called Information Card. The identity management concepts used in the Liberty Alliance and CardSpace are completely different. It is hence almost impossible to make them operate together.
Recognising this fact, the requirements imposed on the bridging solution are as follows:
• It must be possible for a user to be enrolled in both Liberty Alliance and CardSpace identity management.
• It must be possible for the user to use the same authentication scheme, namely SIM authentication, in both identity management solutions to reduce the complexity for the users.
The bridging solution, called Unified Strong SIM authentication, allows the user to use the mobile phone to log into a Liberty Alliance Circle of Trust and a Microsoft CardSpace environment.
When visiting a Service Provider belonging to Telenor's Circle of Trust, the user will be redirected to Telenor's Identity Provider for sign-in. The user can use his mobile phone to authenticate himself. After successful authentication, the user is logged onto the Service Provider. If the user later visits another Service Provider belonging to Telenor's Circle of Trust, he does not have to sign in again: Single Sign-On is provided.
Now, if the user visits a web site which does not belong to the Telenor Circle of Trust but is a Relying Party, i.e. uses Telenor's authentication service, he can use the Telenor ID card in CardSpace to do the authentication. Again, the authentication is carried out via his mobile

5.2 Overall architecture
The architecture of the Unified SIM strong authentication is depicted in Figure 3. The heart of the
system is Telenor's Identity Provider (IDP). It communicates with all the entities and supervises all the interactions:
• On the Internet side, it is able to communicate with
  - all the Liberty Alliance Service Providers that have joined Telenor's Circle of Trust, and it provides the SIM strong authentication service to them;
  - all the CardSpace Relying Parties that use Telenor's Identity Card, and it offers the SIM strong authentication service to them.
• On the mobile network side, it is able to communicate with
  - the SMS (Short Message Service) gateway, to perform authentication using the EAP-SIM [4] protocol toward the users' mobile phones;
  - the AAA (Radius) server [5] [6], which in turn communicates with Telenor's HLR (Home Location Register) via the MAP gateway to carry out the user's authentication.

[Figure 3: architecture diagram with the following labelled elements: Circle of Trust; Service Provider; Sun Access Manager; ID-FF; Telenor IDP (Sun Access Mgr); Supplicant applet in SIM; EAP in HTTP; SMS GW; EAP in RADIUS; AAA Server (RADIUS); Gateway (SS7/IP); IP; SS7; HLR; Microsoft Infocard; Microsoft STS; Relying Party.]
Figure 3 The Unified SIM Strong Authentication architecture

Telenor's IDP consists of two main elements:
o A Sun Access Manager, which is a Liberty Alliance compliant Identity Provider
o A Microsoft STS (Security Token Service)
Since the Unified SIM Strong Authentication Service is an extension of the SIM Strong Authentication [7], which is offered in a Liberty Alliance Circle of Trust with the Sun Access Manager as the main element, an interface has been introduced to bridge with Microsoft's STS. In addition to management and information exchange methods, this interface offers an Authentication request method that allows the STS to initiate the entire authentication based on the SIM card.

5.3 Interface between LA IDP and Microsoft STS
To allow the Microsoft STS to use the same authentication mechanism as the LA IDP, a new component has been introduced into the Sun Access Manager at the Telenor IDP site. This component acts as a proxy towards the authentication solution for the Microsoft STS. The Microsoft STS has been configured to perform authentication requests towards this proxy, which in turn initiates authentication with the Strong SIM authentication service.
The request performed towards the STS proxy is an HTTP GET request of the following form:

http://<HOSTNAME>/Telenor/RequestMsisdn?msisdn=<MSISDN>

where HOSTNAME is the address of the Telenor IDP and MSISDN is the MSISDN of the user to be authenticated.
This request will trigger the proxy to initiate authentication by contacting either the SMS GW or the AAA server, according to which type of authentication is performed. The interface above corresponds to the one used in authentication using SMS.
The response to the above request notifies the STS whether the user has accepted the authentication (in the case of SMS authentication with explicit user acceptance), or, in the case of authentication towards the HLR, whether the EAP-SIM authentication procedure was successful.

5.4 Sequence diagrams
Figure 4 illustrates the process of authentication through the Unified SIM authentication solution using Windows CardSpace, an STS and a relying party.
Upon accessing a relying party, Windows CardSpace will be triggered on the user's computer. The user will pick the Telenor IDP card, and the STS will be contacted to initiate the authentication. The STS is set up to contact the Telenor IDP when presented with this card, which in turn communicates towards the SMS GW through the STS Proxy. Upon successful authentication, a success message traverses back from the STS Proxy to the STS, which returns a security token to Windows CardSpace. This token is then presented to the relying party, which verifies its validity and provides the user with access to the requested service.
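The STS-proxy request of Section 5.3 and the token flow of Figure 4, modelled as an added Python example (not the paper's or Telenor's code). The paper does not specify the proxy's response format, so it is assumed to be a plain accept/reject; the SMS gateway and AAA/HLR outcomes are constructed lookup tables, the hostname idp.example is invented, and an HMAC-signed claim set stands in for the real STS security token.

```python
"""Model of the STS proxy (Section 5.3) and the STS / relying-party steps of Figure 4.

Assumptions not taken from the paper: the proxy answers with a boolean, the SMS
gateway and AAA server are simulated by lookup tables, and the security token is
an HMAC-signed claim set standing in for the real STS token.
"""
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: outcome each backend would report for a given MSISDN.
SMS_GW_USER_ACCEPTED = {"4791234567": True, "4798765432": False}  # user accepted / declined
AAA_EAP_SIM_SUCCESS = {"4791234567": True, "4790000000": False}   # AAA -> HLR EAP-SIM result

# Constructed key shared by the STS and the relying parties in this model only.
STS_KEY = b"constructed-demo-key"

REQUEST_PATH = "/Telenor/RequestMsisdn"  # path given in Section 5.3


class ProxyError(ValueError):
    """Raised when a request does not match the documented GET form."""


def parse_request(url: str) -> str:
    """Check http://<HOSTNAME>/Telenor/RequestMsisdn?msisdn=<MSISDN> and return the MSISDN."""
    parts = urlsplit(url)
    if parts.path != REQUEST_PATH:
        raise ProxyError("unexpected path %r" % parts.path)
    query = parse_qs(parts.query, strict_parsing=True)  # malformed query -> ValueError
    values = query.get("msisdn", [])
    if list(query) != ["msisdn"] or len(values) != 1:
        raise ProxyError("exactly one msisdn parameter is required")
    msisdn = values[0]
    # E.164 numbers are all digits and at most 15 digits long; reject anything else
    # before it can be forwarded to the SMS gateway or the AAA server.
    if not msisdn.isdigit() or not 8 <= len(msisdn) <= 15:
        raise ProxyError("malformed msisdn")
    return msisdn


def request_is_well_formed(url: str) -> bool:
    """True when parse_request accepts the URL, False when it rejects it."""
    try:
        parse_request(url)
        return True
    except ValueError:
        return False


def sts_proxy(url: str, method: str) -> bool:
    """Proxy component in the Sun Access Manager: dispatch to SMS GW or AAA server."""
    msisdn = parse_request(url)
    if method == "sms":       # SMS authentication with explicit user acceptance
        return SMS_GW_USER_ACCEPTED.get(msisdn, False)
    if method == "eap-sim":   # authentication towards the HLR via the AAA server
        return AAA_EAP_SIM_SUCCESS.get(msisdn, False)
    raise ProxyError("unknown authentication method %r" % method)


def _sign(claims: dict) -> str:
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(STS_KEY, body, hashlib.sha256).hexdigest()


def sts_issue_token(url: str, method: str, relying_party: str, now: int, ttl: int = 300):
    """STS step of Figure 4: return a signed token only if the proxy reports success."""
    if not sts_proxy(url, method):
        return None
    claims = {"msisdn": parse_request(url), "aud": relying_party, "iat": now, "exp": now + ttl}
    return {"claims": claims, "sig": _sign(claims)}


def relying_party_verify(token, expected_audience: str, now: int):
    """Relying-party step of Figure 4: return the MSISDN if the token is valid, else None."""
    if not token:
        return None
    claims = token["claims"]
    if not hmac.compare_digest(token["sig"], _sign(claims)):
        return None  # tampered, or signed by a different STS
    if claims["aud"] != expected_audience:
        return None  # issued for another relying party
    if not claims["iat"] <= now < claims["exp"]:
        return None  # outside the validity window (time-limited SSO, Section 6.1)
    return claims["msisdn"]


if __name__ == "__main__":
    url = "http://idp.example/Telenor/RequestMsisdn?msisdn=4791234567"
    token = sts_issue_token(url, "sms", "https://shop.example", now=1000)
    print(relying_party_verify(token, "https://shop.example", now=1100))
```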
Figure 4 The process of performing authentication using Unified SIM authentication with the STS

6 Benefits of the Unified SIM Strong Authentication

6.1 Benefits for End Users
The Unified SIM Strong Authentication Service will deliver value to end users in the following ways:
Simple and better control and management of their identities: The user does not have to manage a multitude of passwords. All the end user needs is an operating mobile phone with a SIM card.
Better protection and higher level of security: The Unified SIM Strong Authentication Service provides much better protection than passwords.
Ease of use: The Unified SIM Strong Authentication Service is very simple to use and does not require any particular technical skill. The log-in is easy and quite intuitive.
Single Sign-On: After a successful authentication, the user does not have to log in again when visiting other service providers using the Unified SIM Strong Authentication Service. The availability of Single Sign-On access is time limited for security purposes.
Universal applicability: The Unified SIM Strong Authentication Service can be used for any service or application.
Global availability: The Unified SIM Strong Authentication Service can be used anywhere, even when there is no GSM coverage. Indeed, even with a phone that is non-operational due to lack of coverage, the Unified SIM-based authentication can still be performed via Bluetooth.

6.2 Benefits for Service Providers and Relying Parties
The Unified SIM Strong Authentication Service will bring the following benefits to service providers:
Better protection and higher level of security: The Unified SIM strong and mutual authentication service provides higher protection of valuable assets and contributes to extending the availability of their services.
Cost savings: By replacing their current password-based authentication schemes, service providers can save money on operation and maintenance costs due to the simplicity of the application.
Lower threshold for deployment: Service providers and Relying Parties do not have to invest large amounts of money to deploy the Unified SIM Strong Authentication Service because the mobile operator manages most of the infrastructure. No great technical expertise is required, and the Unified SIM Strong Authentication Service fits very well for both larger enterprises and SMEs.
Simpler customer management: Service providers and Relying Parties do not have to take care of the password management, since the mobile operators will assume this.
Reach more customers: The Service Providers and Relying Parties may also reach new customers that are subscribers at the mobile operators.

6.3 Benefits for Mobile Operators
For mobile operators, the Unified SIM Strong Authentication Service will bring the following benefits:
New source of revenue: The Unified SIM Strong Authentication Service constitutes an additional source of revenue for mobile operators which is not based on the sale of air traffic. This source of revenue has large potential since it brings value to end users and service providers.
Reuse of existing infrastructure: Because the Unified SIM authentication solution uses the same SIM and HLR infrastructure used for normal GSM and GPRS services, it allows the reuse of the GSM expertise of the mobile operator.
Improved customer loyalty: The Unified SIM Strong Authentication Service will be a valuable service to end users and will hence contribute to improving customer loyalty and reducing churn.
New business customers: As a compelling service, the Unified SIM Strong Authentication Service will attract new customers for the mobile operator.
Strengthened position: By extending the role and the value of the mobile phone and SIM to the computing world, the Unified SIM Strong Authentication Service will contribute to considerably strengthening the mobile operator's position in the new converged ICT world.
Easy adaptability for the future: Because the Unified SIM strong authentication is based on easily changeable software elements (Active-X supplicant, IDP Java Authenticator, VitalAAA server and Signalware gateway), it can be easily modified and upgraded to support emerging and future technologies, for example UMTS USIMs, smart-card-based certificates, smart-card-based One-Time-Password (OTP) schemes, etc.
Because of the flexibility of the platform described in
this paper, it is quite possible to support multiple authentication schemes over a single authentication

7 Conclusion
Today, service providers have to choose between many authentication and identity management schemes, and users are left struggling with a variety of digital identities. There are too many duplications and divergences in the digital identity world, and it must end. With the Unified SIM Strong Authentication Service, the mobile phone is indeed the point of convergence of the CardSpace and Liberty Alliance identity frameworks. The user is offered the freedom and simplicity of visiting and participating in all the web sites, no matter whether they are a Liberty Alliance Service Provider or a Microsoft Relying Party. In addition, a high level of security and convenience is ensured via the usage of the mobile phone as a security token.
A proof-of-concept implementation of the Unified Strong Authentication has been completed by Telenor, Gemalto, Linus, Ubisafe and Oslo University College in collaboration with Sun, Lucent Technologies and

8 References

[1] Liberty Alliance – The Liberty Alliance Project –
[2] Microsoft's CardSpace –
[3] WLAN-SIM – WLAN Smart Card Consortium
[4] EAP SIM – draft-haverinen-pppext-eap-sim-16.txt –
[5] Radius – rfc2865.txt (Remote Authentication Dial In User Service), IETF
[6] Radius Extension – rfc2869.txt (Radius Extensions – including EAP), IETF
[7] Offering SIM strong authentication to Internet Services –