Corsello Research Foundation

User Identity
Establishment, management, maintenance and representation of identity in
software systems

michael.corsello

4/11/2009
Abstract

The representation of identity in computer systems is the based upon the need to reference items

stored within the computer by some form of handle. The essence of identity is provided a handle, it is

possible to identify and access the specific item that handle identifies. To do this unambiguously with

confidence is complex. This paper discusses the concepts of identity, where it is used in computer

systems, issues in identity and some application schemes for identity usage in computational systems.
Michael Corsello Design Paper CSci 283 Computer Security

Introduction

An identity is simply a representation of some entity. More specifically, an identity is a logical name,

moniker or handle that represents a physical entity such as a person, user or file. In computer

applications, all entities within the computer environment have identities that must be unique to ensure

proper access.

Identity

The identity of an entity (the subject) is the handle used to represent the entity when the entity itself is

not available. This is always the case prior to accessing the entity itself. If a client wants to access a

specific entity, and that entity is “held” by another entity (the server), the client will identify the specific

entity it wants by providing the identity of the entity it is requesting. In order to perform this simple

action, several things must hold true:

The requesting client must know the appropriate identity for the entity it is requesting

The responding server must know the entity that identity “maps” to

The correspondence between the identity and the entity must be unique

It is quite important to note at this time that an identity is itself an entity in the context of a computer

system. In general, the identity may be used as an entity (such as a user account is both an entity and

an identity) to provide a binding to other identities and entities.

Knowledge

The first aspect of identity is knowledge. A requestor of an entity must know the identity of that entity.

In basic human terms for a person to address another person, they must know that person’s name. The

name is the person’s identity in this case.

P age |1 User Identities

Michael Corsello Design Paper CSci 283 Computer Security

A more subtle but important distinction in this scenario is that many people may share the same name,

but the requester simply knows the name of the person they want to speak with and do not know if or

who may also share that same name. This is the locality or localization of the identity space.

Universe of Discourse

When a client and server are communicating, they have an implied universe of discourse, or specific set

of information they can share. A server will “know”

the appropriate set of entities and their associated

identities for communicating with this specific client.

That set of entities does not have to be the entire

set of entities the server is aware of. This localized

set of entities forms the universe of discourse for

the conversation between the client and server and

forms the “scope” of the identity used in this

conversation.

Binding

The second aspect of identity is that of binding a physical entity to an identity. Each entity will have an

identity that is used as the handle for that entity. Additionally, there may be multiple identities used to

identify any specific entity. These identities may be specific to a client in that each client may have its

own identity for a given entity. This is one way to maintain anonymity or transparency of identity.

When an identity is bound to an entity, that binding is in some way shared to all clients that will use that

identity to reference the specific entity it is bound to.

Of great importance to security is the binding of multiple items to a single identity. One identity may be

associated with a collection of entities in many ways. First, a given identity can resolve to an entity

P age |2 User Identities

Michael Corsello Design Paper CSci 283 Computer Security

which is itself an identity of another form, such as a user name serving as an identity for a user account

which is an entity also bound to a password identity. The pairing of both identity tokens of the

username and password can resolve to the specific user account which itself is an identity used

throughout a system.

Uniqueness

For a system to provide a reliable mechanism for resolving an identity to an entity, that identity must be

unique. The uniqueness of an identity is based upon a scope, and does not generally need to be

universally unique. For example, multiple people may share the same name but as long as everyone in

the room has a unique name all people can be referenced by their name unambiguously within the

scope of that room.

The concept of scope is based upon the universe of discourse discussed previously. Each scope has a set

of identities logically contained within it. Those identities logically bind to the physical entities desired.

An example of this is the URL concept on the internet. Each web site is universally unique (the

www.mydomain.com portion), which defines the scope of the identity contained within the remainder

of the url (the actual resource identifier after the “/”). So, for the url:

http://www.mydomain.com/work/dogs/buster.html

The scope of the identity is www.mydomain.com, and the unique identity is work/dogs/buster.html. It

is a requirement that the identity of work/dogs/buster.html cannot resolve to more than one entity

within this scope. However, another scope may also use this identical identity for a specific resource.

Entities
The entities that must be identified within a computer system are subjects and include everything that

may be referenced including users, files, folders, permissions, roles, devices, connections and so on. The

P age |3 User Identities

Michael Corsello Design Paper CSci 283 Computer Security

concept of an entity in a computer system is naturally divided into scopes by the intent of the requestor.

It is natural in most areas of computer systems to “know” that a request for a file is distinct from a

request for a device. Therefore, the request itself (based upon the API serving the request) has a natural

scope. In this manner, the identity of each class of entity can be distinct based upon the API owning the

dictionary of bindings.

Identity Patterns
Each controlling server (or API) that deals with resolving identity may use its own identity pattern. For a

url, the pattern is a set of nested scopes separated by the “/” character overall represented as a textual

string. For the identity of a hardware device, it may be represented as a 32-bit unsigned integer for the

device appended to an 8-bit unsigned bus identifier. These patterns of identity are distinct based upon

the needs of the identity resolution process. In the case of the device identity within a system, there is

little need to authenticate or provide other security related identity protocols; the identity is purely a

handle for reference. In the case of user accounts, the identity of the account is merely a handle, but

the account as an entity must be secured by some secondary identity (such as a username/password)

that is bound to the account itself. This secondary identity is used for the authentication process to

provide a verification of the identity.

Law of Identity
Logically speaking, the law of identity is defined by or that the identity A is identical to itself. This

is known as a tautology in discrete mathematics in that the identity is always true. This forms the basis

of the authentication process in which an identity A is compared to an identity claim A’. The identity

claim is compared to the identity, if the claim matches the identity, then the law of identity holds that

the claim is equivalent to the identity and the claimant therefore possesses the identity.

P age |4 User Identities

Michael Corsello Design Paper CSci 283 Computer Security

Unfortunately, this does not equate to the meaning of the identity in that the claimant only knows and

can reproduce the identity, and may or may not actual be the entity the identity represents. When the

identity is that of a user (say an username and password), the identity credential will authenticate that

the claimant produced an identity token that matches a known identity token thereby authenticating

the claimant only as having the knowledge of the token. This means that is Eve knows Bob’s identity

credential token (username and password), and then Eve can act as though she is Bob. The identity of

Eve will therefore be Bob and therefore Eve has stolen Bob’s identity (identity theft).

Identification and Privacy

There is a fundamental difference between identity and identification in a computer system and the

concept of identification in the real world. In terms of what a person thinks of as identification for a

human being, that would usually be a personal profile in a computer system. The personal aspects of a

human being including items such as a name, addresses, phone numbers, education, race, credit card

accounts, etc. are not part of a computer identity or identification. It is important that these concepts

be separated and instead this form of information be treated directly as a data entity isolated from, but

related to an identity entity treated as an independent entity. In this manner, the identification of a

person is restricted to the portion of information required to authenticate a user. All the additional data

points are represented as data entities that are then affiliated back to that user. Each of the attributes

of this personally identifiable information (PII) can then be separately maintained and secured as data

unidentifiable to the actual person they pertain to. This is the basic premise of anonymity and privacy.

Many of the emerging identity implementations are geared at the basic user identity level and are

attempting to address the issues of privacy and anonymity while allowing the binding of identities to PII.

P age |5 User Identities

Michael Corsello Design Paper CSci 283 Computer Security

Identity Management
The overall process and practice of generating identities and maintaining the associations of identities to

entities while maintaining the proper scope relations is collectively known as identity management.

Within a computer system, the identity management process may be quite simple. If the computer is

self-contained (not networked) then all identity information is local to that machine and is managed by

the OS and related software installed on that machine. Once networking is enabled and used for

identity distribution, the identity management process becomes much more complex.

Basic Identity Entities

There are some basic entities, which are treated as subjects of identity that all users will interact with

within a computer system. These include files and folders, users, groups or roles, permissions and

computers. When networking, all of these items may be managed by a central identity repository such

as an X.500 or lightweight directory access protocol (LDAP) server. In an LDAP system, each type of

entity has an identity type, which has predefined identity attributes contained within the LDAP schema.

The primary set of identity types are maintained by the Internet Corporation for Assigned Names and

Numbers (ICANN). For each entity, regardless of type, a universally unique identifier is attached as an

attribute to uniquely identify that identity record and type. In this manner, the identity itself is an entity

in the LDAP directory.

By distributing different portions of this identity repository to multiple servers a distributed identity

system is created. This distribution raises several issues that are currently hot topics in computer

security and identity research.

Permission entities are often fixed, predefined entities that exist solely as identifiers. The permission

itself is the identifier and is applied to other entities such as users, files and roles. The comparison of

the permission on a file to the permission on the user or role is the authorization process.

P age |6 User Identities

Michael Corsello Design Paper CSci 283 Computer Security

Roles are the next entity type of note. A role is represented as an identity, generally a name and the

role entity itself is generally a collection of permissions and users that are mapped onto that role.

The files and directories that represent the data storage units within a computer have identities that are

scoped based upon their location in the “directory tree” for a given mounted volume (disk or drive).

Each file unit has an identity that is the name of the file itself. In many systems, logical identities (such

as a symbolic link) can provide an identity handle to a file that transcends the scope in which the file is

“located”. With a link identity, the link provides additional handles to the file entity from other scopes.

A user identity is the user entity itself and has secondary identity attributes that constitute an identity

credential that references the user identity. The user entity has one or more user identity identities

(credential sets) that resolve to the physical user entity. The physical user entity is the identity handle

that items such as roles use to associate with permissions and access control mechanisms.

Identity Resolution
The act of retrieving the entity that an identity represents is identity resolution. The resolution of an

identity is composed of resolving the scope of the identity and “looking up” the matching entity. There

are multiple outcome states in the resolution process that can be defined:

No scope, the requestor has not been placed into a known scope within which resolution can

occur (the server has no resolution context, such as request for a file without specifying the

drive)

No known entity, the requestor provided an identity that does not match any identity in the

current scope

Resolved, an entity is returned with a matching identity

o Correct, the entity is the expected entity based upon the identity

 Example, my user account is returned based upon my credential

P age |7 User Identities

Michael Corsello Design Paper CSci 283 Computer Security

o Incorrect, the entity is not the expected entity based upon the identity

 Example, someone else’s user account is returned based upon my credential

 This may be due to a mis-matched scope, such as a user successfully logs in to

an application they do not use. They have been provided access under another

users’ account

Proper resolution of identity is both a security and availability issue as improper resolution may provide

illegal capabilities to unauthorized users or resources and may result in corruption of information. The

identity itself has some responsibility in the resolution process for this very reason. The identity

attributes collectively comprise the identity handle. If the identity handle is of too small variability, then

not all entities can uniquely resolve from an identity. For example, if the identity is simply an 8-bit value

there is a total keyspace of 256 distinct identities possible. If there are more than 256 unique entities,

then it is impossible to uniquely identify them given the identity scheme. Further, from a security

perspective, if the total keyspace is close to the total number of used identities, then random identity

creation will tend to resolve to legitimate entities. This makes attacks successful by virtue of statistics,

fewer tries are required to get an answer. This form of guessing game includes brute-force identity

attacks and dictionary attacks.

Conclusions

Computer identity is a fundamental area of operation and security within computers. The use of

references as memory addresses, file names, user credentials or general pointers are all forms of

identification and provide different levels of capability and security. In moving to more network based

forms of computation such as cloud computing and peer to peer the nature of identity and the models

used will need to accommodate broader scopes of use while maintaining security and resistance to ever

evolving attacks.

P age |8 User Identities

Michael Corsello Design Paper CSci 283 Computer Security

References

Bishop, M. (2003). Computer Security. Boston: Addison Wesley.

Boyd, D. (2002). Faceted Id/entity: Managing representation in a digital world. Cambridge:

Massachusetts Institute of Technology.

Wikipedia contributors. (2009, March 10). Digital identity. Retrieved April 11, 2009, from Wikipedia, The
Free Encyclopedia: http://en.wikipedia.org/w/index.php?title=Digital_identity&oldid=276262510

Wikipedia contributors. (2009, March 31). Federated identity. Retrieved April 11, 2009, from Wikipedia,
The Free Encyclopedia:
http://en.wikipedia.org/w/index.php?title=Federated_identity&oldid=280955404

Wikipedia contributors. (2009, March 7). Identity (object-oriented programming). Retrieved April 11,
2009, from Wikipedia, The Free Encyclopedia:
http://en.wikipedia.org/w/index.php?title=Identity_(object-oriented_programming)&oldid=275670888

Wikipedia contributors. (2009, April 9). Identity management. Retrieved April 11, 2009, from Wikipedia,
The Free Encyclopedia:
http://en.wikipedia.org/w/index.php?title=Identity_management&oldid=282714701

Wikipedia contributors. (2009, March 11). Law of identity. Retrieved May 11, 2009, from Wikipedia, The
Free Encyclopedia: http://en.wikipedia.org/w/index.php?title=Law_of_identity&oldid=279120024

P age |9 User Identities