Doug Bellows – Inteliquent 3/18/2019


1 Customer/End User Identity and Authentication and Process to Determine TN Authorization for SHAKEN Attestation – Potential Methods
Doug Bellows – Inteliquent, 3/18/2019

2 [Architecture diagram – SHAKEN reference model with UNI security services]
- Originating SP: customer UAs attach at the User-to-Network Interface; the security services for the customer UNI (User Identification, User Authentication, User-to-TN Authorization) are defined outside of SHAKEN; CSCF; STI-AS performs Identity header population, attestation and signing
- Terminating SP: CSCF; STI-VS verifies the signature, the originating SP identity and parameter integrity, and passes the result to analytics, display, terminating UNI call control, etc.
- The STI-AS to STI-VS exchange across the Network-to-Network Interface is the part defined by SHAKEN
- Customer UA types: UA of a direct user/originating SP customer (customer is the end user); UAs of indirect end users (UAi) behind a reseller or VASP customer of the originating SP (customer may not be the end user), reached through an indirect end-user interface (proxy, B2BUA, protocol adaptor, etc.)
3/18/2019 Source: Inteliquent, Inc.

3 UNI Security Services for SHAKEN Attestation
- Customer identity: determine the “real-world identity” and establish identifiers for UNI authentication
- Customer authentication: exchange credentials for UNI authentication (shared secrets, keys/certificates, IP ACLs/protected network paths, etc.) and establish an authenticated UNI
- Authorization to use TNs (determine the customer’s “association” to the TN): positive controls (e.g. a screening database) or control by customer agreements and policy; if positive controls are used, they are consulted per call

4 Possible Method for Exchanging Customer TN Authorizations between Assigning and Originating SPs
- Originating SP AND assigning SP establish customer identity: the customer’s “real-world identity” is determined e.g. by EV methodology, and the SPs authenticate the customer’s right to that identity, e.g. by a PKI signature tied to an EV certificate. The customer identity must use a globally recognizable and verifiable identifier (e.g. an X.509 DN or other unique and verifiable attribute)
- Customer authentication: the originating SP bilaterally establishes and uses customer UNI credentials as usual
- Authorization to use TNs (determine the customer’s “association” to the TN): the assigning SP provides a “letter of authorization” (LoA) to the originating SP declaring the TN assignment to the customer (a signed digital document containing the customer ID and the list of assigned TNs); the originating SP populates the TNs in its “authorized TN” database

5 [Diagram – customer TN authorization, assigning SP and originating SP without an LoA exchange]
- Assigning SP admin plane: identity proofing/credentials exchange with the customer entity; TN assignment
- Originating SP admin and service planes (and/or the assigning SP, where it is the same SP): identity proofing/credentials exchange; TN assignment; CustID:TN Auth database; User Identification, User Authentication and User-to-TN Authorization feed the STI-AS, via the CSCF, toward the IP-NNI
- Customer entity: universally verifiable ID (e.g. EV certificate methods); CustID credentials; UA performing standard UNI authentication and session setup at the User-to-Network Interface

6 [Diagram – customer TN authorization with LoA exchange]
- As in the previous diagram, plus: the assigning SP admin plane sends an LoA (CustID:TN Auth) to the originating SP admin plane, which populates its CustID:TN Auth database
- Customer entity: universally verifiable ID (e.g. EV certificate methods); CustID credentials; UA performing standard UNI authentication and session setup at the User-to-Network Interface

7 [Diagram – customer TN authorization with LoA, customer is a reseller/VASP serving multiple indirect end users]
- Assigning SP admin plane: identity proofing/credentials exchange; TN assignment; LoA (CustID:TN Auth) sent to the originating SP
- Originating SP admin and service planes: CustID:TN Auth database; User Identification, User Authentication and User-to-TN Authorization feed the STI-AS, via the CSCF, toward the IP-NNI
- Customer entity (reseller/VASP): CustID credentials; UA at the User-to-Network Interface; multiple indirect end users (UAi) attach through the customer’s indirect interface
- TN traces to the customer – the customer is responsible for traceability to the subtending end user entities

8 Extending TN authorization exchange to indirect end users – administrative plane
- The assigning SP identifies and assigns TNs to the end user entity, using the same type of identity proofing as for customer TN authorization
- The customer identifies the end user and provides the end user identity to the originating SP
- The assigning SP sends an LoA tied to the end user identity (EuID) to the originating SP
- The originating SP populates an end-user authorization database and an authorized TN database

9 [Diagram – end-user TN authorization, administrative plane]
- Assigning SP admin plane: identity proofing/credentials exchange with the indirect end user entity; TN assignment; LoA (EuID:TN Auth) sent to the originating SP
- Originating SP admin and service planes: CustID:EuID Auth database (populated from the customer’s EU Auth Request, CustID:EuID Auth) and EuID:TN Auth database; User Identification, User Authentication and User-to-TN Authorization feed the STI-AS, via the CSCF, toward the IP-NNI
- Customer entity (reseller/VASP): CustID credentials; UA. Indirect end user entity: EuID credentials; UAi
- TN traces to the end user entity; the end user is authorized by the customer

10 Extending TN authorization exchange to indirect end users – service plane
- The customer authenticates the end user
- Choices at the customer UNI to the originating SP:
  - Proxy authentication (only the customer authenticates the EU and passes the EuID with the call) – problematic from a “spoof-ability” standpoint
  - The customer passes through the authentication transaction between the EU and the originating SP using shared credentials, or passes through a signature with the call (like TNPoP, but with certs tied to the EuID, not the TN)
- The originating SP checks the EuID:TN authorization database for a match

11 [Diagram – end-user TN authorization, service plane]
- Originating SP admin and service planes: CustID:EuID Auth and EuID:TN Auth databases; User Identification, User Authentication and User-to-TN Authorization feed the STI-AS, via the CSCF, toward the IP-NNI
- Customer entity (reseller/VASP): CustID credentials; UA at the User-to-Network Interface. Indirect end user entity: EuID credentials; UAi attached through the customer’s indirect interface
- Pass-through authentication of the EU is more secure than proxy authentication
- TN traces to the end user entity; the end user is authorized by the customer

12 Other considerations
- Customer TN authorization via LoA requires only administrative plane changes, with no change in the service plane
- End-user authorization requires an additional authorization step (EuID to CustID) and an additional authentication relationship (EU to originating SP)
- This limits the credentials that need to be exchanged in real time
- In exchange for TN authorization, end-user identity is exposed to additional parties (the customer’s originating SPs) to assure traceability

13 Delegation
- TN assignee: customer; customer’s customer (C2); third-party assignee
- End user (entity originating the call): customer’s customer (indirect end user); additional indirection levels (C3-n)

14 Delegation
- Delegation (assignee delegates TN use to the EU): C2 to customer; customer to C2; third party to customer; third party to C2; etc.
- The assigning SP would need to track delegation relationships and provide an additional LoA indicating both the assignee and the EU authorized by the assignee
- There may be two (or more) LoAs for the same TN, one for the assignee directly and one for each delegate, tied to different EU identities
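A worked model of the LoA exchange and per-call check from slides 4, 10 and 14, added here as an example that is not from the presentation or from Inteliquent: the assigning SP signs an LoA, the originating SP verifies it and populates its authorized TN and CustID:EuID databases, and the service plane checks an authenticated CustID (or a pass-through-authenticated EuID) against the TN. Assumptions: the LoA field names (assignee_id, delegate_id, tns), the "A"/"B" results (standard SHAKEN full/partial attestation), and HMAC-SHA256 with a constructed key standing in for the EV-certificate PKI signature.

```python
import hashlib
import hmac
import json

# Constructed stand-in key. The page's design calls for a PKI signature tied to an
# EV certificate; HMAC-SHA256 is substituted so this runs on the standard library.
ASSIGNING_SP_KEY = b"assigning-sp-demo-key"


def canonical(doc: dict) -> bytes:
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def sign_loa(loa: dict, key: bytes = ASSIGNING_SP_KEY) -> dict:
    """Assigning SP admin plane: sign a letter of authorization (LoA)."""
    return {"loa": loa, "sig": hmac.new(key, canonical(loa), hashlib.sha256).hexdigest()}


def verify_loa(signed: dict, key: bytes = ASSIGNING_SP_KEY) -> bool:
    expected = hmac.new(key, canonical(signed["loa"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])


class OriginatingSP:
    """Admin-plane databases populated from LoAs, plus the per-call check."""

    def __init__(self):
        self.tn_auth = {}  # TN -> set of IDs (CustID or EuID) authorized to use it
        self.eu_auth = {}  # CustID -> set of EuIDs that customer has vouched for

    def load_loa(self, signed: dict) -> bool:
        """Reject a tampered LoA; otherwise add its TNs to tn_auth."""
        if not verify_loa(signed):
            return False
        loa = signed["loa"]
        # Delegation LoA (slide 14): the assignee names the EU it delegates the
        # TNs to, so that EU, not the assignee, becomes the authorized subject.
        subject = loa.get("delegate_id") or loa["assignee_id"]
        for tn in loa["tns"]:
            self.tn_auth.setdefault(tn, set()).add(subject)
        return True

    def authorize_end_user(self, cust_id: str, eu_id: str) -> None:
        """Customer's EU Auth Request: record the CustID:EuID authorization."""
        self.eu_auth.setdefault(cust_id, set()).add(eu_id)

    def attest(self, cust_id: str, tn: str, eu_id: str = "") -> str:
        """Service plane, after UNI authentication of cust_id (and pass-through
        authentication of eu_id if given): 'A' = full attestation, 'B' = partial."""
        holders = self.tn_auth.get(tn, set())
        if cust_id in holders or (eu_id in holders and eu_id in self.eu_auth.get(cust_id, ())):
            return "A"
        return "B"
```

A TN reaches "A" only through an identity the originating SP itself authenticated; an EuID that the customer merely asserts, or that appears in no LoA, falls back to "B".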

15 [Diagram – delegation by a third-party assignee to an indirect end user]
- Assigning SP admin plane: TN assignment to the 3rd party assignee; identity proofing/credentials exchange; tracks the delegation 3P->EuID:TN Auth; sends LoA (3P->EuID:TN Auth) to the originating SP
- Originating SP admin and service planes: EuID:TN Auth and CustID:EuID Auth databases (the latter populated from the customer’s EU Auth Request, CustID:EuID Auth); User Identification, User Authentication and User-to-TN Authorization feed the STI-AS, via the CSCF, toward the IP-NNI
- Customer entity (reseller/VASP): CustID credentials; UA. Indirect end user entity: EuID credentials; UAi

16 Takeaways
- Authenticating customers and end users removes some of the ambiguity of relying on the TN identifier by itself, and requires fewer credentials
- Requires a consistent identity scheme for TN assignees and service users
- Moves the complexity of authorization management to the administrative plane – fewer changes to the service plane

