The Federated Provisioning Problem

(Just dumping some projects results on this blog... ) We contributed to a study for SURFnet on identity provisioning in the context of identity federations last year. My colleague Bob Hulsebosch presented about this on TNC11 (fast forward the video stream to 65'46").

Provisioning is the process of providing a set of deployed applications and/or services with updates of end-user identity information. Provisioning takes place, for instance, when new users enter an organization, when new authorization rights are assigned to users, or when they leave the organization (the latter case is usually referred to as deprovisioning).

Provisioning has been recognized as an essential part of the identity management stack. Provisioning drives the other activities that are typically related to identity administration and management. An important driver for provisioning in the more traditional enterprise setting is compliance to rules and regulations. A major obstacle to wider adaptation of provisioning is the lack of widely agreed upon standards.

While provisioning is a non-trivial problem in many enterprise organizations, the problem gets worse still in the setting of identity federations as these involve cross-domain identity communication, and, more recently, dynamic services to enable complex collaboration forms such as virtual organizations. The drivers for adaption of provisioning standards in the world of identity federations may be different from those in the enterprise setting, the problem is equally of more important.

At the same time, some researchers think federation may be part of the solution and introduce so-called just-in-time-provisioning which uses federation-style information interchange standards instead of the more traditional provisioning standards as seen in the enterprise domain.

The report gives a state-of-the-art analysis of provisioning products and standards and of the, still ongoing, federated provisioning debate. It classifies different types of applications and different types of provisioning scenarios in order to come up with a framework, which is helpful when selecting a strategy for dealing with federated provisioning. The results are validated by exploring (at a suitable level of abstraction) a case study on dynamic group management.

SMS text authentication for patient access to Dutch electronic health record

The encryption algorithm A5/1 used in GSM has been suspect since at least 1994 (when the algorithm leaked). Nohl's talk at 26C3 (November 2009) demonstrates that a practical attack will become possible soon. And all of a sudden people start to get nervous in 2010.

As a follow-up to their report for the Dutch Ministry of Health Radboud University and PriceWaterhouseCoopers recently published a risk assessment focusing on GSM based SMS text authentication as a factor to strengthen the Dutch government citizen-to-government authentication solution DigiD.

SMS text authentication is already used in DigiD level 2, but the binding of a user's subscriber number to their DigiD is rather weak: anyone with access to the mailbox of the user's registered home address (the so-called GBA address) can bind a new mobile phone to the user's existing DigiD account (and subsequently order a password reset, completely hijacking the account). The original report by RU, PWC and TILT recommended to strengthen this binding process so that a patient would have to prove possession of a subscriber number to a government representative face-to-face. The strengthened DigiD (known as EPD-DigiD) can then be used by patients to access their electronic health record in a standard SMS OTP authentication scenario (during a session the user has an extra factor with a separate network connection to the provider).

The conclusion of the RU/PWC risk analysis is that although breaking A5/1 leaves SMS authentication relatively secure (the risk of actual abuse is not that high) the perceived lack of security in the public opinion and the non-compliance with security standards may be damaging to the reputation to the government. The solution is not secure enough to allow patients to access their health records at this point in time.

What I don't get is the proposed solution: a conversion table (on paper) sent to each user over regular snail mail (how secure is that?). The user uses this table to manually translate the code that was sent in an SMS message before entering it in the browser's form. This appears not to add an extra factor: an attacker that can eavesdrop on the Web channel and the GSM channel will soon learn the mapping. Also from a user experience perspective that sounds horrible.

An alternative approach would be to install a SIM toolkit applet on the SIM which performs the translation automatically for the user. Rather than a static table per user one can even use a key (but with a decent cipher; I'm sure the current generation of SIMs in the field support AES or at least 3DES) and have real security. Sort of a light-weight-Mobile-PKI-without-the-PKI solution.

NFC phones

It's 2010. The NFC revolution should have happened by now.

I know this is a classical bootstrap problem: why offer services if consumers don't own NFC handsets, why produce NFC handsets if nobody offers services?

And then there are problems with the business model, there are cultural differences between banks and mobile operators, etc. There was a problem of the location of the secure element (SE): either embedded in the device (owned by the manufacturer), or on the SIM (owned by the operator). I think the mobile operators won.

Oh, and there have been countless trials and pilots.

So where are the new handsets? Below is my list of annotated bookmarks.

• Nokia has an NFC shell (2005) that can be strapped onto the Nokia 3220.
• Samsung has its SGH-X700N (2006).
  
• Nokia's clamshell model, the Nokia 6131-NFC (2007), and bar model, Nokia 6212 classic (2008) are pretty popular. These S40 devices have a dedicated SE embedded into the handset.
• There's a nice list of handsets over at NFC Research in Hagenberg, including models by Sagem, LG, and Motorola (2008?).
• LG seems to have had an LG KU380-NFC handset with NFC support based on an STMicroeletronics chip.
  
• Nokia announced the Nokia 6216 classic (2009) which was supposed to support an SE on the SIM (via SWP). But this model has been killed now.
• Mobile-ecosystem found that Samsung and LG have new NFC enabled smart phones (2010).
• Samsung developed an NFC version of its S5230 smart phone for use in trials.
  
• And let's hope the rumors about Apple's iPhone4G are true.

(I should have checked Wikipedia before I compiled that list, theirs is a superset of mine. Never mind.)

But maybe a different strategy is needed while we wait for the handset revolution: strap something onto an ordinary smart phone to NFC-enable it.

• A sticker with a dumb RFID tag. Only tag emulation, so no smart poster support. But it should be enough for the most popular use case (proximity payment without asking for user consent).
• A sticker with a smart tag which communicates with the handset over Bluetooth.
• A MicroSD card such as the one by Giesecke & Devrient and the one by First Data and Tyfone.