IPNNI-2019-00030R000


Customer/End User Identity and Authentication and Process to Determine TN Authorization for SHAKEN Attestation – Potential Methods
Doug Bellows – Inteliquent, 3/18/2019
[Figure: SHAKEN reference architecture showing where customer UNI security services sit. Originating SP: UA of a direct user/originating SP customer (customer is the end user), and UA of a reseller or VASP customer (customer may not be the end user) fronting multiple indirect end users (UAi) through an indirect end-user interface (proxy, B2BUA, protocol adaptor, etc.). At the User-to-Network Interface the originating SP performs user identification, user authentication and user-to-TN authorization; these security services for the customer UNI are defined outside of SHAKEN. CSCF passes the call to the STI-AS, which populates, attests and signs the Identity header. The Network-to-Network Interface is defined by SHAKEN. Terminating SP: CSCF passes the call to the STI-VS, which verifies the signature, the originating SP identity and parameter integrity, then on to analytics, display, terminating UNI call control, etc.]
Source: Inteliquent, Inc., 3/18/2019
UNI Security Services for SHAKEN Attestation

- Customer identity: determine “real-world identity,” establish identifiers for UNI authentication.
- Customer authentication: exchange credentials for UNI authentication (shared secrets, keys/certificates, IP ACLs/protected network paths, etc.), establish authenticated UNI.
- Authorization to use TNs (determine customer’s “association” to TN): positive controls (e.g. screening database) or control by customer agreements and policy; if positive controls are used they are consulted per call.
Possible Method for Exchanging Customer TN Authorizations between Assigning and Originating SPs

- Originating SP AND assigning SP establish customer identity: customer “real-world identity” determined e.g. by EV methodology; SPs authenticate customer’s right to the identity, e.g. by a PKI signature tied to an EV certificate. Customer identity must use a globally recognizable and verifiable identifier (e.g. X.509 DN or other unique and verifiable attribute).
- Customer authentication: originating SP bilaterally establishes and uses customer UNI credentials as usual.
- Authorization to use TNs (determine customer’s “association” to TN): assigning SP provides a “letter of authorization” to originating SP declaring TN assignment to customer (signed digital document containing customer ID and list of assigned TNs). Originating SP populates TNs in “authorized TN” database.
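The LoA exchange described above, worked as an added example (this code is not part of the deck and is not Inteliquent’s implementation): the assigning SP signs a document binding a customer identity to its TNs, the originating SP verifies it against the assigning SP’s key before populating its “authorized TN” database, and the database is then consulted per call as the positive control. Ed25519 stands in for the EV-certificate PKI signature the deck mentions; the JSON field names, the assigning SP trust store, the customer and SP identifiers and the TNs are all assumptions constructed for the example. A TN maps to a set of authorized identities so that more than one LoA can cover the same TN.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// LoA is the "letter of authorization" the assigning SP sends to the
// originating SP: a signed document binding a customer identity to the TNs
// assigned to it. The field names are assumptions made for this example.
type LoA struct {
	AssigningSP string   `json:"assigning_sp"` // SP that holds the TN assignment
	CustID      string   `json:"cust_id"`      // globally verifiable ID, e.g. an X.509 DN
	TNs         []string `json:"tns"`          // E.164 TNs assigned to CustID
}

// SignedLoA is the LoA as transmitted: the body bytes plus the assigning
// SP's signature over exactly those bytes.
type SignedLoA struct {
	Body []byte `json:"body"`
	Sig  []byte `json:"sig"`
}

// IssueLoA runs in the assigning SP's administrative plane.
func IssueLoA(priv ed25519.PrivateKey, loa LoA) (SignedLoA, error) {
	body, err := json.Marshal(loa)
	if err != nil {
		return SignedLoA{}, err
	}
	return SignedLoA{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// AuthorizedTNDB is the originating SP's "authorized TN" database, keyed
// TN -> set of customer IDs that some verified LoA authorizes for that TN.
// A set is used because one TN may legitimately appear in more than one LoA.
type AuthorizedTNDB struct {
	// assigning SP name -> verification key. This trust store is an assumption;
	// a real deployment would anchor it in the STI PKI rather than a map.
	trusted map[string]ed25519.PublicKey
	byTN    map[string]map[string]bool
}

func NewAuthorizedTNDB(trusted map[string]ed25519.PublicKey) *AuthorizedTNDB {
	return &AuthorizedTNDB{trusted: trusted, byTN: map[string]map[string]bool{}}
}

// Ingest verifies a received LoA against the named assigning SP's key and,
// only if the signature verifies, populates the TN -> CustID entries.
func (db *AuthorizedTNDB) Ingest(s SignedLoA) error {
	var loa LoA
	if err := json.Unmarshal(s.Body, &loa); err != nil {
		return err
	}
	pub, ok := db.trusted[loa.AssigningSP]
	if !ok {
		return fmt.Errorf("LoA from unknown assigning SP %q", loa.AssigningSP)
	}
	if !ed25519.Verify(pub, s.Body, s.Sig) {
		return errors.New("LoA signature does not verify")
	}
	for _, tn := range loa.TNs {
		if db.byTN[tn] == nil {
			db.byTN[tn] = map[string]bool{}
		}
		db.byTN[tn][loa.CustID] = true
	}
	return nil
}

// Attestation is the per-call positive control in the service plane. The UNI
// has already authenticated the caller as custID; the database is consulted
// for every call. The result uses the SHAKEN levels: "A" (full) when the
// authenticated customer is authorized for the calling TN, "B" (partial:
// customer known, TN association not verified) otherwise.
func (db *AuthorizedTNDB) Attestation(custID, callingTN string) string {
	if db.byTN[callingTN][custID] {
		return "A"
	}
	return "B"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	db := NewAuthorizedTNDB(map[string]ed25519.PublicKey{"assigning-sp.example": pub})

	// Constructed sample LoA: customer "CN=Acme Corp,O=Acme Corp" is assigned two TNs.
	loa := LoA{AssigningSP: "assigning-sp.example", CustID: "CN=Acme Corp,O=Acme Corp",
		TNs: []string{"+15551230001", "+15551230002"}}
	signed, _ := IssueLoA(priv, loa)
	fmt.Println("ingest:", db.Ingest(signed)) // ingest: <nil>

	fmt.Println(db.Attestation("CN=Acme Corp,O=Acme Corp", "+15551230001")) // A
	fmt.Println(db.Attestation("CN=Acme Corp,O=Acme Corp", "+15559990000")) // B: TN in no LoA
	fmt.Println(db.Attestation("CN=Other,O=Other", "+15551230001"))          // B: other customer

	// A body altered after signing (an extra TN appended) must be rejected.
	tampered := signed
	tampered.Body = []byte(`{"assigning_sp":"assigning-sp.example","cust_id":"CN=Acme Corp,O=Acme Corp","tns":["+15551230001","+15559990000"]}`)
	fmt.Println("tampered:", db.Ingest(tampered)) // tampered: LoA signature does not verify
}
```

Ingest verifies before it writes, so a forged or altered LoA never reaches the database; the per-call check is a single map lookup, which is what lets the authorization complexity stay in the administrative plane.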
[Figure: Customer TN authorization, administrative plane. The customer entity (CustID, credentials, UA) performs identity proofing/credentials exchange with the originating SP admin plane and/or with the assigning SP admin plane, using a universally verifiable ID (e.g. EV certificate methods). The assigning SP admin plane holds the TN assignment; the originating SP admin and service planes hold CustID:TNAuth. At the User-to-Network Interface the CSCF performs user identification, user authentication and user-to-TN authorization via standard UNI authentication and session setup, then hands off to the STI-AS and the IP-NNI.]
[Figure: Same arrangement as the previous figure, with the assigning SP admin plane sending LoA(CustID:TNAuth) to the originating SP admin plane, which populates CustID:TNAuth for the CSCF’s user-to-TN authorization check.]
[Figure: Same LoA(CustID:TNAuth) exchange, with the customer entity being a reseller/VASP fronting multiple indirect end users (UAi) through an indirect interface. The TN traces to the customer; the customer is responsible for traceability to subtending end-user entities.]
Extending TN authorization exchange to indirect end users – administrative plane

- Assigning SP identifies and assigns TNs to end user entity: same type of identity proofing as for customer TN authorization.
- Customer identifies end user and provides end user identity to originating SP.
- Assigning SP sends LoA tied to end user identity (EuID) to originating SP. Originating SP populates an end-user authorization database and authorized TN database.
[Figure: Extending TN authorization to indirect end users, administrative plane. The indirect end user entity (EuID, credentials, UAi) performs identity proofing/credentials exchange with the assigning SP admin plane, which holds the TN assignment and sends LoA(EuID:TNAuth) to the originating SP. The customer entity (reseller/VASP, with CustID, credentials, UA) sends EUAuthRequest (CustID:EuIDAuth) to the originating SP, whose admin and service planes hold CustID:EuIDAuth and EuID:TNAuth for the CSCF’s user identification, user authentication and user-to-TN authorization at the UNI, then STI-AS to the IP-NNI. The TN traces to the end user entity; the end user is authorized by the customer.]
Extending TN authorization exchange to indirect end users – service plane

- Customer authenticates end user. Choices at customer UNI to originating SP:
  - Proxy authentication (only customer authenticates EU and passes EuID with call): problematic from a “spoof-ability” standpoint.
  - Customer passes through authentication transaction between EU and originating SP using shared credentials, or passes through signature with call (like TNPoP but certs tied to EuID, not TN).
- Originating SP checks EuID:TN authorization database for a match.
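The service-plane choice above, worked as an added example (not code from the deck or from Inteliquent): an originating SP that already holds CustID:EuIDAuth and EuID:TNAuth, evaluating a call from an indirect end user under proxy authentication (the customer merely asserts EuID) and under pass-through authentication (the end user’s own signature over call-bound fields travels with the call and is verified against the key registered for EuID). Ed25519 keys stand in for the EuID-bound certificates the deck compares to TNPoP; the struct and field names, the customer, end-user and TN identifiers, the signed-payload layout and the decision to map an authentication failure to partial attestation are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// CallAssertion is what the originating SP's UNI sees for one call placed by
// an indirect end user behind a reseller/VASP customer. CustID comes from the
// customer's own UNI authentication; EuID, CallID and EUSig are passed
// through from the end user. Field names are assumptions for this example.
type CallAssertion struct {
	CustID    string // customer authenticated at the UNI
	EuID      string // end-user identity asserted with the call
	CallingTN string // E.164 calling TN the call claims
	CallID    string // per-call value (e.g. the SIP Call-ID) the signature is bound to
	EUSig     []byte // end user's signature over SignedPayload(); empty under proxy authentication
}

// SignedPayload is the canonical byte string the end user signs. Binding
// EuID, the calling TN and the Call-ID together means a captured signature
// cannot be replayed on another call or reused for another TN.
func (c CallAssertion) SignedPayload() []byte {
	return []byte(strings.Join([]string{c.EuID, c.CallingTN, c.CallID}, "|"))
}

// OriginatingSP holds the administrative-plane data populated out of band:
// CustID:EuIDAuth (which end users each customer vouches for), EuID:TNAuth
// (from the assigning SP's LoA tied to EuID), and the verification key
// registered for each EuID, i.e. the additional EU-to-originating-SP
// authentication relationship the deck describes.
type OriginatingSP struct {
	EUAuth map[string]map[string]bool   // CustID -> EuIDs it has authorized
	TNAuth map[string]map[string]bool   // EuID -> TNs a verified LoA assigns to it
	EUKeys map[string]ed25519.PublicKey // EuID -> registered verification key
}

// AttestProxy is the proxy-authentication variant: only the customer
// authenticated the end user, so the SP can do no better than trust the
// asserted EuID. Anything the customer admits can claim any EuID the
// customer is authorized for, which is the spoofability the deck flags.
func (sp *OriginatingSP) AttestProxy(c CallAssertion) string {
	if sp.EUAuth[c.CustID][c.EuID] && sp.TNAuth[c.EuID][c.CallingTN] {
		return "A"
	}
	return "B"
}

// AttestPassThrough is the pass-through variant: the end user's own
// signature, verified against the key registered for EuID, must check out
// before the two authorization databases are consulted. Mapping a failed
// end-user authentication to partial attestation is an assumption; rejecting
// the call is an equally valid policy.
func (sp *OriginatingSP) AttestPassThrough(c CallAssertion) (level, reason string) {
	pub, ok := sp.EUKeys[c.EuID]
	if !ok || !ed25519.Verify(pub, c.SignedPayload(), c.EUSig) {
		return "B", "end-user authentication failed"
	}
	if !sp.EUAuth[c.CustID][c.EuID] {
		return "B", "customer has not authorized this end user"
	}
	if !sp.TNAuth[c.EuID][c.CallingTN] {
		return "B", "no LoA authorizes this end user for the calling TN"
	}
	return "A", "end user authenticated and authorized for TN"
}

func main() {
	euPub, euPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, rogueKey, _ := ed25519.GenerateKey(rand.Reader) // key of some other party behind the same reseller
	sp := &OriginatingSP{
		EUAuth: map[string]map[string]bool{"reseller-1": {"eu-1": true}},
		TNAuth: map[string]map[string]bool{"eu-1": {"+15551230001": true}},
		EUKeys: map[string]ed25519.PublicKey{"eu-1": euPub},
	}
	// Constructed legitimate call: eu-1 signs its own assertion.
	good := CallAssertion{CustID: "reseller-1", EuID: "eu-1", CallingTN: "+15551230001", CallID: "call-1"}
	good.EUSig = ed25519.Sign(euPriv, good.SignedPayload())
	// Constructed spoof: a different party behind reseller-1 asserts eu-1 and signs with its own key.
	spoof := good
	spoof.CallID = "call-2"
	spoof.EUSig = ed25519.Sign(rogueKey, spoof.SignedPayload())

	fmt.Println("proxy, legit:", sp.AttestProxy(good))  // A
	fmt.Println("proxy, spoof:", sp.AttestProxy(spoof)) // A: proxy authentication cannot tell them apart
	fmt.Println(sp.AttestPassThrough(good))              // A end user authenticated and authorized for TN
	fmt.Println(sp.AttestPassThrough(spoof))             // B end-user authentication failed
}
```

The two functions consult the same databases; the only difference is whether the EuID was authenticated by the originating SP itself, and that difference is exactly what separates the two outcomes for the spoofed call.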
[Figure: Extending TN authorization to indirect end users, service plane. The indirect end user entity (EuID, credentials, UAi) reaches the customer entity (reseller/VASP, with CustID, credentials, UA) over the indirect interface; the customer’s UNI to the originating SP carries the call to the CSCF, whose user identification, user authentication and user-to-TN authorization consult CustID:EuIDAuth and EuID:TNAuth before the STI-AS signs toward the IP-NNI. The TN traces to the end user entity; the end user is authorized by the customer. Pass-through authentication of the EU is more secure than proxy authentication.]
Other considerations

- Customer TN authorization via LoA requires only administrative plane changes, no change in service plane.
- End-user authorization requires an additional authorization step (EuID to CustID) and an additional authentication relationship (EU to originating SP).
- Limits credentials that need to be exchanged in real time.
- In exchange for TN authorization, end-user identity is exposed to additional parties (customer’s originating SPs) to assure traceability.
Delegation

- TN assignee: customer; customer’s customer (C2); third-party assignee.
- End-user (entity originating the call): customer; customer’s customer (indirect end-user); additional indirection levels (C3-n).
Delegation

- Delegation (assignee delegates TN use to EU): C2 to customer; customer to C2; third-party to customer; third-party to C2; etc.
- Assigning SP would need to track delegation relationships and provide an additional LoA indicating both the assignee and the EU authorized by the assignee.
- There may be two (or more) LoAs for the same TN, one for the assignee directly and one for each delegate, tied to different EU identities.
[Figure: Delegation with a third-party assignee. The third-party assignee (3P) holds the TN assignment from the assigning SP admin plane and delegates use to the indirect end user entity (EuID, credentials, UAi), which performs identity proofing/credentials exchange with the assigning SP. The assigning SP sends LoA(3P->EuID:TNAuth) to the originating SP; the customer entity (reseller/VASP, with CustID, credentials, UA) sends EUAuthRequest (CustID:EuIDAuth). The originating SP admin and service planes hold CustID:EuIDAuth and 3P->EuID:TNAuth for the CSCF’s user identification, user authentication and user-to-TN authorization, then STI-AS to the IP-NNI.]
Takeaways

- Authenticating customers and end users removes some of the ambiguity of relying on the TN identifier by itself and requires fewer credentials.
- Requires a consistent identity scheme for TN assignees and service users.
- Moves the complexity of authorization management to the administrative plane: fewer changes to the service plane.