A Practical Trust Framework: Assurance Levels Repackaged Through Analysis of Business Scenarios and Related Risks

  • Masatoshi Hokino
  • Yuri Fujiki
  • Sakura Onda
  • Takeaki Kaneko
  • Natsuhiko Sakimura
  • Hiroyuki Sato
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9497)

Abstract

In cyberspace, standards for expressing the trustworthiness of identities have been developed by various parties. This trustworthiness is often referred to as entity authentication assurance, and its degree is called the LoA (level of assurance, or assurance level). There are two prominent LoA standards: NIST SP 800-63-2 and ISO/IEC 29115:2013. LoAs are designed to express different levels of assurance: multiple viewpoints are set in the assessment, and the assessment criteria for each viewpoint are packaged together into one LoA. For the deployment of LoAs in enterprise business scenarios, the choice of assessment criteria within a given LoA must match the specific business requirements. We perform a field survey of business scenarios in which trust in identities is a major problem. In the survey, we focus on two key factors of assessment: identity proofing and the authentication process. In addition, we observe the overall fit and gap in these business scenarios. The results indicate that raising the assurance of the authentication process is effective for raising the overall assurance level. Based on these investigations, we repackage lightweight identity proofing together with LoA 2-equivalent credential management and usage into a new assurance level, LoA 1+, for the “right” cost-benefit balance.

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Masatoshi Hokino (1)
  • Yuri Fujiki (1)
  • Sakura Onda (1)
  • Takeaki Kaneko (1)
  • Natsuhiko Sakimura (2)
  • Hiroyuki Sato (3)

  1. JIPDEC, Tokyo, Japan
  2. Nomura Research Institute, Tokyo, Japan
  3. The University of Tokyo, Tokyo, Japan