Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Digital Identity & Security

Paper presented at the BILETA 2008 conference with Laura Reid.

  • Be the first to comment

Digital Identity & Security

  1. 1. Digital Identity & Security Serendipity Interactive Ltd & Glasgow Caledonian University Michael Bromby & Laura Reid
  2. 2. What is the problem? <ul><li>Do you know who you’re communicating with? </li></ul><ul><li>Local communication vs. </li></ul><ul><li>Global Communication </li></ul>vs.
  3. 3. Solution – A Signature <ul><li>A signature implies </li></ul><ul><ul><li>Authentication </li></ul></ul><ul><ul><li>Authorisation </li></ul></ul><ul><ul><li>Integrity </li></ul></ul><ul><ul><li>Non-repudiation </li></ul></ul><ul><li>Digital proof of identity </li></ul><ul><li>Use electronic signature </li></ul>
  4. 4. Electronic Signatures Regulations 2002 <ul><li>Defines Advanced Electronic Signature as: </li></ul><ul><ul><li>uniquely linked to the signatory </li></ul></ul><ul><ul><li>capable of identifying the signatory </li></ul></ul><ul><ul><li>created using means that the signatory can maintain under his sole control </li></ul></ul><ul><ul><li>linked to the data to which it relates in such a manner that any subsequent change of the data is detectable </li></ul></ul><ul><li>Also: Electronic Communications Act 2000 </li></ul><ul><ul><li>Allows use of electronic signature </li></ul></ul>
  5. 5. Implementation <ul><li>linked to data & uniquely linked to signatory </li></ul><ul><ul><li>PKI </li></ul></ul><ul><li>created using means that the signatory can maintain under his sole control </li></ul><ul><ul><li>Biometrically secure </li></ul></ul><ul><li>capable of identifying the signatory </li></ul><ul><ul><li>Good Issuance Process </li></ul></ul>
  6. 6. PKI – Public Key Infrastructure <ul><li>Digital Signature </li></ul><ul><li>Uses Public Key Infrastructure </li></ul><ul><ul><li>Consists of linked Public and Private ‘keys’, or codes </li></ul></ul><ul><li>Private Key </li></ul><ul><ul><li>Used to sign a document </li></ul></ul><ul><ul><li>Must be kept secure, to ensure authentication </li></ul></ul><ul><li>Public Key </li></ul><ul><ul><li>Used to verify signature </li></ul></ul><ul><ul><li>Is available to anyone </li></ul></ul>
  7. 7. Public Keys - Alice & Bob
  8. 8. PKI - linked to data & signatory <ul><li>Each key pair is unique </li></ul><ul><li>Key can encrypt the whole document </li></ul><ul><li>Integrity is ensured via a hash function </li></ul><ul><li>Authenticates – if private key is secure </li></ul><ul><li>Public key verifies authenticity and integrity </li></ul>
  9. 9. Identity Security - Biometrics <ul><li>Security uses </li></ul><ul><ul><li>Something you know </li></ul></ul><ul><ul><li>Something you have </li></ul></ul><ul><ul><li>Something you are </li></ul></ul><ul><li>Biometrics can’t be lost or forgotten </li></ul><ul><li>Only you can use it </li></ul><ul><li> Non Repudiation </li></ul>********
  10. 10. Implementation <ul><li>Why a USB token? </li></ul><ul><ul><li>Portable </li></ul></ul><ul><ul><li>Standard interface </li></ul></ul><ul><ul><li>Ability for data storage and </li></ul></ul><ul><ul><li>Secure – signature only on token </li></ul></ul><ul><ul><li>Separate from data/comm. being secured </li></ul></ul><ul><ul><li>Fingerprint on matched on token </li></ul></ul>
  11. 11. Non-Repudiation <ul><li>Token Functionality </li></ul><ul><ul><li>Authenticate user as token owner </li></ul></ul><ul><ul><li>Allow user to sign documents </li></ul></ul><ul><li>Token Requirements </li></ul><ul><ul><li>Electronic trail </li></ul></ul><ul><ul><li>Guarantee of identity </li></ul></ul>
  12. 12. Good Issuance – Identify Signatory <ul><li>Requires: A trusted process for issuance </li></ul><ul><ul><li>Proof of identity </li></ul></ul><ul><ul><li>Proof of address </li></ul></ul><ul><ul><li>Recording of data presented for proof </li></ul></ul><ul><ul><li>Organisation </li></ul></ul><ul><ul><ul><li>Proof of employment </li></ul></ul></ul><ul><ul><ul><li>Authorisation from manager </li></ul></ul></ul><ul><ul><ul><li>Record of authorised activities </li></ul></ul></ul>
  13. 13. Trust Chain Serendipity Trusted Root Company Lawyers/ accountants/ notarised services Company Issuer Ordinary Public Employees Background / database / server
  14. 14. Pros and Cons <ul><li>Pros </li></ul><ul><ul><li>Meets legal signature requirements – easy global communication & commerce </li></ul></ul><ul><ul><li>No password to forget </li></ul></ul><ul><ul><li>Portable </li></ul></ul><ul><li>Cons </li></ul><ul><ul><li>Strict issuance – not everyone meets the standard </li></ul></ul><ul><ul><li>Not everyone has fingerprints </li></ul></ul><ul><ul><li>Bio-tokens are expensive </li></ul></ul>
  15. 15. Secure Digital Identity <ul><li>PKI + Biometrics + Secure Issuance </li></ul><ul><ul><li>Authentication </li></ul></ul><ul><ul><li>Authorisation </li></ul></ul><ul><ul><li>Integrity </li></ul></ul><ul><ul><li>Non-repudiation </li></ul></ul><ul><li>A Secure Digital Identity </li></ul>
  16. 16. Questions or Comments Contact: [email_address]