Audun Jøsang       

Research Interests


Identity Management

Identity concepts    

An identity corresponds to and represents an entity, which can be e.g. a system, a person or an organisation. An identity consists of attributes which represent characteristics of the entity within a domain. One of the attributes is normally a name used to recognise and identify the entity uniquely within a domain.

Identity management consists of technologies, policies and practices for recognising and authenticating entities in online environments. All parties that engage in online activities have identities that need to be managed. In particular, not only user identities, but also server and service provider identities must be managed.

Identity management must cover both user and service provider identities. In addition there are always two parties involved (the relying party and the target) in IdM processes. It is therefore necessary that identity management have process components both on the user side and on the service provider side. This leads to four process classes for identity management, as illustrated in the diagram.

Only management of user identities and credentials has traditionally been considered as identity management, where systems based on the silo model are the most widely used on the Web. While management of service provider identities is hardly ever discussed, there are serious issues with it, as shown e.g. by the relatively high success rate of phishing attacks. The industry's attempt to solve this problem is to compile blacklists of "bad" server names that can be used for triggering warnings in browsers, which in fact represents a form of trust management, not identity management. Because server names are often meaningless to users, server authentication based on server certificates and SSL also becomes meaningless. It would be simpler, cheaper and equally secure to use SSL encryption with Diffie-Hellman key exchange instead of server certificates. Only when server certificates issued under DNSSEC are combined with petnames can server names and server certificates become secure and meaningful.


Trust Management

Online trust and reputation systems are emerging as important decision support tools for selecting online services and for assessing the risk of accessing them. A general characteristic of reputation systems is that they provide global reputation scores, meaning that all the members in a community will see the same reputation score for a particular agent. On the other hand, trust systems can in general be used to derive local and subjective measures of trust, meaning that different agents can derive different trust in the same entity. Another characteristic of trust systems is that they can analyse multiple hops of trust transitivity. Reputation systems, on the other hand, normally compute scores based on direct input from members in the community, which is not based on transitivity. Still, there are systems that have characteristics of being both a reputation system and a trust system. The matrix below shows examples of the possible combinations of local and global scores, and trust transitivity or not.

Subjective logic and Bayesian reputation systems are compatible methods for analysing trust networks and for deriving reputation scores, meaning that trust and reputation can be measured and expressed using the same metric.
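
The contrast between a global reputation score and local, transitive trust can be made concrete with a small added example (not code from this page). It assumes the belief/disbelief/uncertainty mapping with prior weight W = 2 and the trust-discounting operator as given in the subjective-logic literature; the agents, the shop and all counts are constructed.

```python
from dataclasses import dataclass

W = 2.0  # prior weight; value taken from the subjective-logic literature (assumption)

@dataclass(frozen=True)
class Opinion:
    b: float        # belief
    d: float        # disbelief
    u: float        # uncertainty; b + d + u == 1
    a: float = 0.5  # base rate

    def expected(self) -> float:
        return self.b + self.a * self.u

def from_evidence(pos: float, neg: float, a: float = 0.5) -> Opinion:
    """Map positive/negative observation counts to an opinion (Beta evidence)."""
    k = pos + neg + W
    return Opinion(pos / k, neg / k, W / k, a)

def discount(trust_in_advisor: Opinion, advice: Opinion) -> Opinion:
    """One hop of trust transitivity: weigh advice by belief in the advisor."""
    t, x = trust_in_advisor, advice
    return Opinion(t.b * x.b, t.b * x.d, t.d + t.u + t.b * x.u, x.a)

def reputation_score(ratings, a: float = 0.5) -> float:
    """Global score: pool every member's (pos, neg) feedback, no transitivity."""
    pos = sum(p for p, _ in ratings)
    neg = sum(n for _, n in ratings)
    return from_evidence(pos, neg, a).expected()

# Constructed sample data (not from the page).
BOB_ON_SHOP = from_evidence(18, 0)   # Bob's direct experience with a shop
ALICE_ON_BOB = from_evidence(8, 0)   # Alice has found Bob's advice reliable
CAROL_ON_BOB = from_evidence(0, 8)   # Carol has found it unreliable

def local_trust(observer_on_bob: Opinion) -> float:
    """Trust in the shop as derived by one observer through Bob's advice."""
    return discount(observer_on_bob, BOB_ON_SHOP).expected()

if __name__ == "__main__":
    print("Alice -> shop:", round(local_trust(ALICE_ON_BOB), 3))
    print("Carol -> shop:", round(local_trust(CAROL_ON_BOB), 3))
    print("global score :", round(reputation_score([(18, 0), (2, 5)]), 3))
```

Alice and Carol derive different trust in the same shop from the same advice, while the pooled reputation score is identical for every member; both are expressed as an expected probability on the same scale.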

Hierarchical Reputation Model


Network Security

Online Banking   

The importance of network security cannot be overstated, since most aspects of modern society are networked. Traditionally network security is defined in terms of communication security (e.g. IPSec and TLS) and perimeter security (e.g. firewalls and Intrusion Detection Systems). Rapid innovation brings a steady stream of new standards and technologies for network security that target various levels of the network protocol stacks. However, it is necessary to also consider the semantics/trust level and the end-user level of the stack. Models for including semantic and user levels can be defined in terms of ceremony, where the human context is integrated into network security models.

Online banking is constantly under attack by criminals backed by substantial resources. Security technologies for online banking must therefore be highly robust. SMS-based authentication supports both user authentication and message/transaction authentication. The current Norwegian online banking security solution based on BankID does not provide message/transaction authentication; it only provides user authentication. SMS-based authentication is simple and well tested by banks around the world. When Norwegian banks choose not to use this method, which would effectively stop man-in-the-browser attacks, then they are not practicing due care, and must thereby be considered legally liable for all losses suffered by users caused by man-in-the-browser attacks.

  • See presentation of man-in-the-browser attacks, and SMS-based authentication.
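
The difference between user authentication and message/transaction authentication described above, as an added sketch that is not from the original page and is not BankID's or any bank's actual protocol. The `Bank` class, the HMAC-derived six-digit code and the account strings are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import NamedTuple, Optional, Tuple

class Tx(NamedTuple):
    payee: str
    amount_cents: int

class Bank:
    """Hypothetical bank back end; the code scheme is an assumption."""
    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)    # server-side secret
        self._nonce = secrets.token_bytes(16)  # fresh per SMS, makes codes one-time

    def _code(self, tx: Tx) -> str:
        msg = f"{tx.payee}|{tx.amount_cents}|".encode() + self._nonce
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"

    def send_sms(self, received: Tx) -> Tuple[Tx, str]:
        """The SMS shows the transaction as the bank received it, plus a bound code."""
        self._nonce = secrets.token_bytes(16)
        return received, self._code(received)

    def execute(self, received: Tx, code: str) -> bool:
        ok = hmac.compare_digest(code, self._code(received))
        if ok:
            self._nonce = secrets.token_bytes(16)  # invalidate the used code
        return ok

def user_auth_only(intended: Tx, received: Tx) -> Optional[Tx]:
    """User authentication only: the bank executes whatever arrives in the session."""
    return received

def sms_tx_auth(bank: Bank, intended: Tx, received: Tx) -> Optional[Tx]:
    """Transaction authentication: the user checks the SMS before releasing the code."""
    shown, code = bank.send_sms(received)
    if shown != intended:
        return None  # details differ from what the user meant: code is withheld
    return received if bank.execute(received, code) else None

# Constructed sample transactions (placeholders, not real account numbers).
WANT = Tx("ACCT-PLACEHOLDER-LANDLORD", 10_000)
ALTERED = Tx("ACCT-PLACEHOLDER-OTHER", 950_000)  # what the bank receives if the browser is compromised
```

With `user_auth_only` the altered transaction is executed, whereas `sms_tx_auth` returns `None` for it because the details arrive over a channel the browser does not control and the code is bound to them.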


Security Usability

The importance of security usability was pointed out as early as 1883 by the Belgian cryptographer and linguist Auguste Kerckhoffs in two articles on cryptography. Kerckhoffs is most famous for establishing the principle that security should not be based on obscurity, or in his own words that "the system must not require secrecy and can be stolen by the enemy without causing trouble". One of the other security principles that Kerckhoffs established specifically relates to usability: "The system must be easy to use and must neither require stress of mind nor the knowledge of a long series of rules". Kerckhoffs' articles can be accessed at Fabien Petitcolas' website.

The characteristics of security usability are quite different from those of traditional usability. For example, if a computer has poor usability, then people will have trouble getting any useful function out of it. On the other hand, if security protection of the computer has poor usability, then it doesn't necessarily stop people from using it and getting useful functions out of it. Another interesting difference is in the reactions people can be met with. At worst, people with trouble using a computer could be ridiculed, whereas people with trouble protecting their computer could be swindled.

[Image: Auguste Kerckhoffs]

Jøsang's security usability principles below can be used to test the usability of security systems. Principles A3 and C3 are directly derived from Kerckhoffs' principle.
  • Security Action Usability Principles:
    • A1. Users must understand which security actions are required of them.
    • A2. Users must have sufficient knowledge and the ability to take the correct security action.
    • A3. The mental and physical load of a security action must be tolerable.
    • A4. The mental and physical load of making repeated security actions for any practical number of instances must be tolerable.
  • Security Conclusion Usability Principles:
    • C1. Users must understand the security conclusion that is required for making an informed decision.
    • C2. The system must provide the user with sufficient information for deriving the security conclusion.
    • C3. The mental load of deriving the security conclusion must be tolerable.
    • C4. The mental load of deriving security conclusions for any practical number of instances must be tolerable.
Poor usability of security directly leads to security vulnerabilities that can be exploited by hackers and criminals. People are often the weakest link in the security chain of systems and applications. This serious problem is amplified by poor security usability. Although the problem of poor security usability was already pointed out by Kerckhoffs, it currently receives very little attention from researchers and developers.



Last Updated 1 November 2013.