Abstract
Mobile subscribers who wish to mutually authenticate to service providers on the Internet use existing identity management mechanisms, such as Microsoft .Net Passport, overlooking the existing trust relationship between the subscriber and the 3G mobile operator and increasing network resource consumption, in an environment that requires security mechanisms that are as lightweight as possible. Furthermore, neither knowledge nor the possession of an item distinguishes a person uniquely, revealing an inherent security weakness of PIN authentication mechanisms. This paper proposes a protocol (3GbioId) for implementing strong identity management for Internet applications over 3G mobile networks. 3GbioId introduces biometrics, as well as the principles of the Liberty Alliance, into the 3G mobile security architecture, targeting a more effective, secure and lightweight identity management alternative to the existing protocols. The results of a security, privacy, performance, usability and complexity evaluation indicate 3GbioId's benefits and limits.
Abstract (translated from French)
Subscribers to mobile telephone networks who wish to authenticate to service providers on the Internet use existing identity management systems, such as Microsoft .Net Passport. However, not only do these systems fail to take into account the existing trust relationship between the subscriber and the 3G mobile network operator, but they also increase resource requirements, in an environment that would call for security mechanisms as lightweight as possible. Moreover, neither knowledge nor possession of a personal code is sufficient to identify a person precisely, which reveals the inherent weakness of security systems based on authentication by personal identification number (PIN). This article proposes the implementation of a protocol (3GbioId) for robust identity management for Internet applications over 3G mobile networks.
3GbioId introduces new biometric measures, as well as the principles of the "Liberty Alliance", into the security architecture of 3G networks, in order to offer identity management that is more powerful, more secure and requires fewer resources than existing protocols. The results obtained in the evaluations of security, privacy protection, performance, cost-effectiveness and complexity illustrate the contributions and limits of the 3GbioId protocol that we propose.
Cite this article
Dimitriadis, C.K., Polemi, D. Strong and privacy-friendly management of federated identities for service provision over UMTS. Ann. Télécommun. 61, 418–442 (2006). https://doi.org/10.1007/BF03219915
Key words
- Mobile radiocommunication
- UMTS
- Identity management
- Privacy protection
- Internet service provider
- Biometrics
- e-commerce
- Internet
- Authentication
- Communication security
- 3G network