
Strong and privacy-friendly management of federated identities for service provision over UMTS

A Strong and Privacy-Protecting Identity Management Solution for 3G Mobile Networks

  • Published in: Annales des Télécommunications

Abstract

Mobile subscribers who wish to mutually authenticate with service providers on the Internet use existing identity management mechanisms, such as Microsoft .NET Passport. These mechanisms overlook the trust relationship that already exists between the subscriber and the 3G mobile operator, and they increase network resource consumption in an environment that requires security mechanisms that are as lightweight as possible. Furthermore, neither knowledge of a secret nor possession of an item distinguishes a person uniquely, which reveals an inherent security weakness of PIN-based authentication mechanisms. This paper proposes a protocol (3GbioId) for implementing strong identity management for Internet applications over 3G mobile networks. 3GbioId introduces biometrics, as well as the principles of the Liberty Alliance, into the 3G mobile security architecture, aiming at a more effective, secure and lightweight identity management alternative to the existing protocols. The results of a security, privacy, performance, usability and complexity evaluation indicate 3GbioId’s benefits and limits.

Résumé

Mobile network subscribers who wish to authenticate to service providers on the Internet use existing identity management systems, such as Microsoft .NET Passport. Not only do these systems fail to take into account the existing trust relationship between the subscriber and the 3G mobile network operator, but they also increase resource requirements, in an environment that would call for security mechanisms that are as lightweight as possible. Moreover, neither knowledge nor possession of a personal code suffices to identify a person precisely, which reveals the inherent weakness of security systems based on authentication by personal identification number (PIN). This article proposes the implementation of a protocol (3GbioId) for robust identity management for Internet applications over 3G mobile networks.

3GbioId introduces new biometric measures, as well as the principles of the Liberty Alliance, into the security architecture of 3G networks, in order to offer identity management that is stronger, more secure and requires fewer resources than existing protocols. The results obtained from the evaluations of security, privacy protection, performance, cost-effectiveness and complexity illustrate the contributions and limits of the 3GbioId protocol that we propose.




Cite this article

Dimitriadis, C.K., Polemi, D. Strong and privacy-friendly management of federated identities for service provision over UMTS. Ann. Télécommun. 61, 418–442 (2006). https://doi.org/10.1007/BF03219915


  • DOI: https://doi.org/10.1007/BF03219915
