Service Interaction through Role based Identity

Mohammad M. R. Chowdhury¹ and Josef Noll¹,²

¹UniK, N-2027 Kjeller, Norway, ²Telenor R&D, N-1331 Fornebu, Norway

mohammad@unik.no, josef@unik.no

Abstract— A critical issue in the digital world is simple and hassle-free interaction with services through an individual's identity, without using a large number of physical identities and usernames/passwords. An identity system is expected from which people can retrieve any of the identities necessary to access every available service with adequate security. The success of such an identity depends on its usability in current and probable future wireless technology. Authentication is another important issue for acceptance of this system.
This paper proposes a concept of an identity mechanism through which individuals can exercise exactly the same real world roles in the digital world. The concept enhances the privacy of the individual by minimum disclosure of identifying information. It focuses on the possible use of widely accepted mobile phone technology to authenticate the user to such an identity system and to interact with services through it.

Index Terms— Authentication mechanism, role based identity, service interaction.

I. INTRODUCTION
Identification is necessary to access various value added services from service providers. Interactions with these services are required to play certain roles of a human being in life. Physical identities cannot be used while accessing services in the digital world. Moreover, different types of services require different types and forms of identification. To make service access simple, easy and hassle-free, a unique identity entity is required from which the user can retrieve the appropriate type of identification. Mobile phone penetration is expected to reach 100% in many of the European countries [1]. The mobile phone has become a foremost electronic device for communication worldwide because of its mobility and its seamless and secure access provision to networks. Therefore, we focus on accessing the proposed identity, and hence services, through SIM card authentication. The proposed identity mechanism has the potential to replace all the present physical identities, usernames and passwords.
The paper will first postulate the need for a role based identity and illustrate its proposed generic architecture. It will then address the security aspects of this identity and justify why the mobile phone has the potential to serve as an identifier. The next section will discuss how service interactions through role based identity will be realized. The paper will provide a critical analysis of different aspects of the proposed role based identity concept and conclude with a review of the main points and comments on future research.

II. HUMAN ROLES IN LIFE
Every human being plays numerous roles in life. As students, we attend an educational institute; as researchers or engineers, we work in a company; as consumers, we buy things with cash or credit; we maintain social relationships with family, relatives, neighbors and colleagues. While exercising these roles in life, we interact with many service providers to receive different types of services. Analyzing these scenarios, it can be said that every human being plays roles basically in three different areas: personal, professional and social. Therefore, in reality, leading everyday life is nothing but playing some personal roles, professional roles and social roles.

III. FROM REAL WORLD TO DIGITAL WORLD
To carry out these personal, professional and social roles, an individual needs to interact with many other people and many interfaces of numerous service points in the real world. During these interactions, we need to present identifications that represent our identity in this world. Nowadays, people carry a good number of physical identities with them, for example, passport/personal ID, credit cards, bank cards, student card, office ID, driving license etc. In addition to these, a bunch of usernames and passwords are used every day for identification to access many web sites and other electronic services, which is very troublesome. Every day, more and more real life services become available digitally. So, we are heading into an extremely worrisome world of identification. A unique identity mechanism needs to be developed in the digital realm where individuals would be able to control and manage their various digital profiles, assigning the appropriate attributes to each according to their context. In the real world, it is difficult to selectively verify or reveal portions of one's identity: most forms of identification contain more information than is needed for any transaction. The identity system must disclose the least identifying information possible, as this ensures the least possible damage in the event of a breach. This needs to be addressed while designing a unique identity mechanism. We are now thinking of a system where every real life service is available digitally and can be accessed from anywhere by using digital identifications. Individuals need to practice the same roles in the digital world that they are currently practicing in the real world. Therefore, a role based digital identity is proposed in this contribution.

CARDWARE EXHIBIT 2031, Page 1 of 5
SAMSUNG V. CARDWARE PGR2023-00013

IV. GENERIC ARCHITECTURE OF ROLE BASED IDENTITY
Human roles have already been divided into three different areas: personal, professional and social roles. In this article, we propose a concept of “My digital identity” that can be divided into ‘My personal identity (PID)’, ‘My corporate identity (CID)’ and ‘My social identity (SID)’, which would represent ourselves and our relevant real life roles to the digital world. ‘My personal identity’ can be used to identify ourselves in our personal and commercial interactions. Similarly, ‘My corporate identity’ and ‘My social identity’ can be used in our professional and interpersonal interactions respectively. Each of these three identities will have several identifiers. Each identifier will be used to access several relevant services, and a number of attributes will characterize an identifier (see Fig. 1).

Fig. 1. Architecture of “My digital identity”.

Attributes are the set of characteristics of an identifier that are required by the service providers during service interactions. For example, a passport can be one of the identifiers, and name, date of birth, date of issue, date of expiry, the country that issued the passport, passport number etc. can be its attributes. The passport, which is in fact a personal identity, will be used to deal with governments electronically. Similarly, another identifier will be used to get access to financial services, like buying something through credit cards. Attributes of such identifiers are the name of the person who holds the credit card (may be optional), number of the card, pin code, date of expiry etc. My PID might have some more identifiers to access our home premises, home network or VPN etc. In the same way, My CID and My SID will have several such identifiers and attributes. My CID might hold the identifiers to access our office premises, office LAN/VPN etc. According to Dick Hardt, an individual’s interests, fondness, preferences or tastes are also part of his/her identity [2]. In the proposed identity model, these features will also be dealt with by My SID. It will also include my calendar, my address book, and identifiers for accessing my email, messenger, IP telephony etc. Each identifier will contain only the required identifying information that a service provider needs to know. Each identifier will be used to access one or several relevant services. “My digital identity” thus ensures the minimum disclosure of identifying information. This is how an identity repository (“My digital identity”), placed partly in the network environment and partly in the mobile phone SIM card, will possess our proposed identity. To enhance the security for service interactions like financial transactions, the SIM card will hold some of the identifiers that have stringent security requirements. Therefore, the SIM card is also a part of “My digital identity”, only to interact with some specific services. We propose that “My digital identity” can be accessed either by our very personal mobile phone (priority) or by our PC through a fixed internet connection (optional). The SIM card of the mobile phone will automatically identify us as the owner of “My digital identity”.

V. SECURITY ASPECTS
Ensuring security for these identities (especially while doing financial transactions) is a burning issue, considering the fact that we are proposing to place part of this identity repository in the network, which is vulnerable to electronic attack. It has been proposed in this paper that our mobile phone will act as the primary device to access “My digital identity”. In addition to this, a part of the identity will be stored in the mobile phone SIM card. Here, it is assumed that the user has the provision for an ‘always-on’ facility in his/her mobile phone. Fig. 2 illustrates different levels of security against their security requirements.

Fig. 2. Security infrastructure based on security requirements. [Figure labels recoverable from the page: “Services” (network access; messenger, email, intranet; bank transactions) against “Requirements” (“... to know”, “Need to know”).]

Through a nice to know [3] authentication mechanism, the user can access “My digital identity” and, through a need to know [3] authentication mechanism, the user can access most other services, such as accessing messenger (msn or yahoo), my address book, IP telephone (skype, voipstunt, telenor etc.), e-mail account; accessing home or office premises etc., using appropriate identifiers of My PID, My CID or My SID. Nice to know services are network access, where only knowledge about usage is required. Need to know services have higher security requirements. The highest security requirements apply to have to know [3] services. Users have to be authenticated through a have to know authentication mechanism to use the identifiers that are required to access financial services, such as bank, credit card etc. Here, we propose to deploy the have to know authentication mechanism in the SIM card, which is a part of “My digital identity”. It will significantly minimize the possibility of disclosure of identities for financial services in case there are electronic attacks on the network contents of “My digital identity”. To further enhance the privacy of attribute entries of the legitimate owner, identifiers of the above mentioned IDs will be visible to the owner but the attribute entries will not be. The owner can edit and add or delete the contents in the edit mode.

VI. EXTENDED SIM CARD AUTHENTICATION
Currently, the SIM card provides the nice to know access to the network. We propose that the SIM card authentication will also be enough to enter “My digital identity”. The higher security requirements that need to know services may require might also be satisfied through SIM card authentication [3]. This is because the SIM card in the mobile phone has the capability to provide all levels of authentication, and supports mechanisms for revocation of credentials stored in the SIM card [4]. It is only active if authenticated by the network operator. If it gets stolen, the operator can disable the card. The SIM card opens for authentication and encryption in every wireless network (Bluetooth, WLAN, WiMAX) in addition to GSM and UMTS [4]. So, a SIM card enabled authentication mechanism to interact with different services will certainly give a technological edge to the development of future wireless technologies and services. By placing the identity repository in the network, we are reducing the volume of data transfer from mobile phone to network. In consequence, the additional data transfer due to the use of such a system will have very little effect on the capacity of the air interface.
As proposed, the have to know authentication mechanisms will be realized in the SIM card. It will then act as one of the identifiers of “My digital identity”. We are introducing an extended SIM card (ESIM) that has the capability to hold multiple credentials. One will be responsible for accessing the network, and thereby the network entity of the proposed “My digital identity”, and another one will store the have to know authentication mechanisms. Fig. 3 shows the scenario of extended SIM (ESIM) card authentication in “My digital identity”. Thus, the ESIM will also be a part of “My digital identity” which will not be placed in the network.

Fig. 3. The have to know authentication mechanism is in ESIM.

VII. SERVICE INTERACTION THROUGH ROLE BASED IDENTITY
Services have to be accessed through one of the IDs (PID, CID or SID) and their proposed identifiers. Identifiers and attributes can be added according to the user’s service requirements. The owner of “My digital identity” can also include his/her own interests, fondness, preferences, address book and calendar in My SID. Therefore, personalization is an essential feature of such an identity mechanism. The user can control which of the attributes he/she wants to reveal while interacting with services. These can make “My digital identity” very much user-centric. The data always flows from/through the identity with the user’s consent. There are mutual trust relationships between this identity repository and the service provider’s websites or contents [5]. Therefore, disclosure of identifying relationship is limited to parties having trust relationships with “My digital identity”. A model service interaction scenario can be established through “My digital identity”. Somebody wants to buy an air ticket from Lufthansa using his/her credit card. The action is performed through the following steps (see Fig. 4):
1) “My digital identity” is accessed from the mobile phone.
2) Lufthansa.de is accessed and a request is made to buy an air ticket.
3) Lufthansa.de asks for the credit card identity from “My digital identity” for payment. At this point, the payment requires the use of the have to know authentication mechanism from the owner’s mobile phone SIM card (ESIM). The SIM card performs the necessary authentication and returns a payment receipt.
4) “My digital identity” sends the receipt to Lufthansa.de.
5) Lufthansa.de checks this receipt of payment with the credit card authority, for example VISA, for validation.

Fig. 4. Purchase of air ticket by “My digital identity”.

This is how a person can buy an air ticket from airline websites using his/her digital identity repository. Any identifier with all its attributes can be downloaded from “My digital identity” and stored temporarily in the memory of the SIM to transfer the user’s credentials through Bluetooth or from an NFC enabled phone to other NFC enabled devices [3], [6]. This is how “My digital identity” can be used anywhere, anytime and can be transferred to any device, which can be used to enable a seamless user experience.
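
The disclosure rules of Sections V and VII can be modelled as follows, in an added example that is not part of the original paper: the network repository releases only attributes that were both requested and consented to, only to trusted providers and only at a sufficient authentication level, while the have to know credential stays in the ESIM and only a receipt leaves it. The class and function names, the sample data and the HMAC-based receipt are assumptions; the paper does not specify a receipt format.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):              # the paper's three levels, weakest first
    NICE_TO_KNOW = 1               # network access
    NEED_TO_KNOW = 2               # messenger, e-mail, premises
    HAVE_TO_KNOW = 3               # financial services, kept in the ESIM

@dataclass
class Identifier:
    role: str                      # "PID", "CID" or "SID"
    required: Level                # level the user must hold to use it
    attributes: dict

class Repository:
    """Network part of "My digital identity" (hypothetical model)."""
    def __init__(self, identifiers, trusted):
        self.identifiers, self.trusted = identifiers, set(trusted)

    def disclose(self, provider, name, requested, consented, session):
        ident = self.identifiers.get(name)
        if ident is None:
            raise KeyError(name)
        if provider not in self.trusted:
            raise PermissionError("no trust relationship with provider")
        if ident.required is Level.HAVE_TO_KNOW:
            raise PermissionError("identifier lives in the ESIM only")
        if session < ident.required:
            raise PermissionError("authentication level too low")
        # Minimal disclosure: requested AND consented attributes, nothing else.
        allowed = set(requested) & set(consented)
        return {k: v for k, v in ident.attributes.items() if k in allowed}

def _tag(key, merchant, order, cents, card_ref):
    # Assumed receipt format: HMAC-SHA256 over the receipt fields.
    msg = "|".join([merchant, order, str(cents), card_ref]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ESIM:
    """Holds the have to know credential; card data never leaves it."""
    def __init__(self, card_ref, key):
        self._card_ref, self._key = card_ref, key

    def pay(self, merchant, order, cents, user_verified):
        if not user_verified:      # stand-in for have to know authentication
            raise PermissionError("have to know authentication failed")
        return {"merchant": merchant, "order": order, "cents": cents,
                "card_ref": self._card_ref,
                "tag": _tag(self._key, merchant, order, cents, self._card_ref)}

def authority_validates(receipt, key):
    """Step 5: the card authority recomputes the tag over the receipt."""
    expected = _tag(key, receipt["merchant"], receipt["order"],
                    receipt["cents"], receipt["card_ref"])
    return hmac.compare_digest(expected, receipt["tag"])

# Constructed sample data, not from the paper.
KEY = b"constructed-demo-key"
REPO = Repository(
    {"passport": Identifier("PID", Level.NEED_TO_KNOW,
                            {"name": "A. User", "number": "X0000000",
                             "date_of_birth": "1980-01-01"}),
     "credit_card": Identifier("PID", Level.HAVE_TO_KNOW, {})},
    trusted={"lufthansa.de"})
SIM = ESIM("card-ref-0001", KEY)

if __name__ == "__main__":
    print(REPO.disclose("lufthansa.de", "passport", ["name", "number"],
                        ["name"], Level.NEED_TO_KNOW))
    receipt = SIM.pay("lufthansa.de", "order-42", 19900, user_verified=True)
    print(authority_validates(receipt, KEY))
```
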

VIII. CRITICAL ANALYSIS
The proposed identity mechanism conforms to the fundamental principles of Kim Cameron’s “The Laws of Identity” [7]. In this concept, the user controls how much identifying information is revealed to the service providers. As the services are accessed through the relevant identity (PID, CID or SID) and their relevant identifiers, minimal disclosure of only necessary identifying information is ensured. Any sustainable identity system should meet this criterion. Accessing this identity through a mobile phone provides the major advantage over the other available identity mechanisms. The mobile phone acts as a primary identifier to “My digital identity”. It is available 24 h/7 days a week, as compared to about 4 h average usage of a PC. Thus, it provides the always online functionality with availability. As the SIM card may also provide need to know authentication, some services that require minimum security can be available to the users as soon as they enter the proposed identity repository by mobile phone. Deployment of the have to know authentication mechanism in the SIM (ESIM) not only enhances the security of access to financial services but also increases the acceptability of this identity to users. Another very useful feature of such an identity concept is portability of an identifier from one device to another, especially to devices that have no direct connectivity to “My digital identity”. Thus, this identity can be accessed from anywhere and service continuity is possible in a heterogeneous wireless environment. In case of loss or theft of the SIM, we can use our PC to access “My digital identity”, which is an optional access possibility to “My digital identity”. It obviously requires some security modification or enhancement.
The proposed identity mechanism will certainly create value for the users, network operators and service providers. The user can use a unique identity mechanism that is simple, easy to use, digital in nature but available anywhere and portable to any device. It has the potential to replace all the physical identities in the real world. Network operators can also earn revenues by providing space for the repository and through the additional data transfer requirements. Users can access services readily. As there are trust relationships among the parties involved in transactions here, the possibilities for fake transactions will be reduced significantly. Once “My digital identity” repositories are known to the service providers, new offers can even be posted directly to these repositories.
Sxip 2.0 and Microsoft Cardspace are two identity solutions developed by Sxip Identity and Microsoft Corporation [8], [9]. They provide the movement of identity data over the internet. In addition to effortless movement of identity over the internet, the proposed mechanism supports the portability of identity data among devices. Gemalto, one of the leading digital security providers, is using a high capacity SIM card for storing digital certificates or rights [10]. The identity repository can be used instead to store these rights, which can be accessed through the mobile phone. Thus, some overheads during data transfer can be avoided. The mechanism also ensures the portability of rights. There are many identities based on chip cards, like memory cards and smart cards [11]. There are multiple chip cards provided by multiple entities, and single chip cards shared by a few entities. If the proposed identity repository is available in the network and can be accessed anytime and from anywhere through an always online mobile phone, such various identity based chip cards might not be necessary at all. The user needs only one card, a SIM card.

IX. CONCLUSION
The paper introduced a new concept of a role based identity repository, its security and its service interaction architectures. Part of the identity is placed in the mobile phone SIM card to meet the highest security requirements. Authentication to this identity, and thereby service access, through the mobile phone is one of the main features of this concept. The paper also indicated various uses of such a mechanism. The concept of a unique identity repository in the network will obviously enhance the user experience in seamless service interaction in heterogeneous wireless networks. In our future work, we will focus on establishing a use case on seamless user experience in heterogeneous wireless networks.

ACKNOWLEDGMENT
The contribution is a part of ongoing research in WP2 of the SWACOM project, funded by The Research Council of Norway. The authors would like to acknowledge the contributions and support provided by their colleagues from UniK, Kjeller and Telenor R&D, Fornebu, Norway.

REFERENCES
[1] Telecommunication Statistics, “OECD key ICT indicator”, http://www.oecd.org/
[2] D. Hardt, “Identity 2.0”, OSCON 2005, http://www.identity20.com/media/OSCON2005/
[3] J. Noll, J.C. Lopez Calvet, K. Myksvoll, “Admittance services through mobile phone short messages”, Proceedings of the International Conference on Wireless and Mobile Communications ICWMC’06, July 29-31, 2006, Bucharest.
[4] J. Noll, “Services and applications in future wireless networks”, in the press, Telektronikk, Q4/2006.
[5] RSA Security, http://www.rsasecurity.com/
[6] J. Noll, U. Carlsen, G. Kalman, “License transfer mechanisms through seamless SIM authentication”, International Conference on Wireless Information Systems, Winsys 2006, 7.-10. August 2006, Setubal, Portugal.
[7] K. Cameron, “The Laws of Identity”, http://www.identityblog.com/?page_id0354
[8] The Simple eXtensible Identity Protocol, Sxip, http://sxip.net/downloads/sxip2-overview.pdf
[9] Windows Cardspace, http://msdn.microsoft.com/winfx/reference/infocard/default.aspx
[10] Gemalto, a leading digital security provider, http://www.gemalto.com/
[11] Senthil Sengodan, “On secure mobile identity provisioning”, Wireless World Research Forum Meeting 15, 08-09 December 2005, Paris, France.

Mohammad M. R. Chowdhury is a Ph.D. student at the University Graduate Center at Kjeller, Norway (UniK) in the area of User Mobility and Service Continuity. He received his M.Sc. from Helsinki University of Technology in Radio Communication. His current areas of interest are identity and identity based service interactions, seamless user experience in heterogeneous wireless networks and development of innovative service concepts for mobile operators.

Josef Noll is Prof. stip. at the University Graduate Center at Kjeller, Norway (UniK) in the area of Mobile Systems. He is also Senior Advisor in Telenor R&D in the Product and Market groups, and Senior Advisor in Movation. He received his Ph.D. from University of Bochum (D), worked for European Space Agency at ESTEC from 1991-1997, and from 1997-2005 at Telenor R&D. His working areas include mobile authentication, wireless broadband access, personalized services, mobile-fixed integration, and the evolution to 4G system.