ETRI-Knowledge Sharing Platform


Enhanced entity authentication based on aggregated attributes

Contributors
Nah Jae Hoon, Na Jung-Chan, Jin Seung Hun
Year
2016
Standard Body
ITU
Standard No.
ITU-T X.1258
Source Link
https://www.itu.int/ITU-T/recommendations/rec.aspx?rec=12850
Project Code
16MH1300, Unidirectional Security Gateways developments in cyber-physical systems, Na Jung-Chan
Abstract
Aggregating attributes from multiple attribute authorities may be needed in order to enable a relying party to enhance its trust in the identity of a party. The aggregation can be regarded as having to deal with a collection of globally unique identifiers, which is common across all attribute authorities. Practically, entities do not have a global identifier but have different entity identifiers and attributes assigned by their various identity service providers (IdSPs).

To address the attribute aggregation problem in this scenario, the concept of identity federation is used. For example, if an e-book store plans to have a sale for seniors, the store has to be given the aggregated set of attributes (credit card and age bracket) from two IdSPs, but without the IdSPs knowing about each other's involvement. In standard federated identity management, an entity can only provide attributes from one identity, but this transaction requires attributes from two. There are several identity federation methods, such as security assertion markup language (SAML), Shibboleth [b-Shibboleth], open identity (OpenID), and open authentication (OAuth).

Recommendation ITU-T X.1258 introduces the concept of attribute aggregation to allow an entity to aggregate attributes from multiple IdSPs. Attribute aggregation is the mechanism of collecting attributes of an entity retrieved from multiple identity service providers. Attribute aggregation is needed to aggregate the attributes dynamically on demand. An IdSP can realize the aggregation request when an entity wants to get a service. Furthermore, an entity-centric attribute aggregation mechanism could also be applied to authentication to mitigate privacy leakage.