ETRI-Knowledge Sharing Platform



Enhanced entity authentication based on aggregated attributes

나재훈, 나중찬, 진승헌
ITU-T X.1258
16MH1300, Development of a physical unidirectional security gateway for cyber-physical systems, 나중찬
Aggregating attributes from multiple attribute authorities may be needed in order to enable a relying party to enhance its trust in the identity of a party. Such aggregation is easy to describe if one assumes a single collection of globally unique identifiers shared by all attribute authorities. In practice, however, entities do not have a global identifier; instead, they have different entity identifiers and attributes assigned by each of their identity service providers (IdSPs).

To address the attribute aggregation problem in this scenario, the concept of identity federation is used. For example, if an e-book store plans to have a sale for seniors, the store has to be given the aggregated set of attributes (credit card and age bracket) from two IdSPs, but without the IdSPs knowing about each other's involvement. In standard federated identity management, an entity can only provide attributes from one identity, but this transaction requires attributes from two. Several identity federation methods exist, such as security assertion markup language (SAML), Shibboleth [b-Shibboleth], open identity (OpenID) and open authentication (OAuth).

Recommendation ITU-T X.1258 introduces the concept of attribute aggregation to allow an entity to aggregate attributes from multiple IdSPs. Attribute aggregation is the mechanism for collecting the attributes of an entity retrieved from multiple identity service providers. It is needed so that attributes can be aggregated dynamically, on demand: an IdSP can carry out the aggregation request at the moment an entity wants to obtain a service. Furthermore, an entity-centric attribute aggregation mechanism could also be applied to authentication in order to mitigate privacy leakage.