Privacy and Security
Privacy concerns develop when user data is spread across many locations. Personal Identifiable Information (PII), such as street addresses, IP addresses, first and last names, and login credentials, can be traced back to an individual or a small group of individuals. Privacy regulations often dictate the amount of PII data that can be exchanged.
At the same time, users need to be properly authenticated when they are trying to access another network, and users often want to share their location to get location-based services.
Law enforcement requires the ability to track crime suspects and monitor their transactions and conversations. For that purpose, operators need to be able to redirect and monitor traffic of particular users without their knowledge. These Lawful Intercept (LI) requirements complicate roaming agreements, traffic offload, and other route optimization functions, because the easiest way to comply with these requirements is to direct all traffic through a central location, where it can be monitored.
A useful concept in federated access is that of a "pseudonym," an identity that is unique for a specific user and often for a specific access network but that can only be linked to an individual user by the home network operator. The extent to which pseudonymity can be used varies from one access technology to another and from implementation to implementation.
From a security point of view, a benefit of the federated model is the fact that the sensitive user data is not distributed over many systems, but concentrated in the IdP.
Another benefit of having a centralized authentication server is that it is possible to introduce stronger authentication means (like smartcards) without the need to change all applications to support this type of authentication.
Apart from authentication and authorization data, the user traffic and the control traffic between the various elements in the network often need to be protected against eavesdropping and tampering. For this purpose, a wide variety of cryptographic means are used.
Privacy and Security in LTE
In LTE (unlike UMTS), a great deal of effort has gone into making sure that compromising the security of one network element will not imply compromising the security of the system as a whole. As an example of that, a complex system for the generation of cryptographic keys has been developed that is being used for securing the communication between the various other network elements. In particular, all keys inside a visited network are derived from a "master" key, which is specific for that serving network. This means that if the security in the serving network is breached, this will not have any implications for the home network and the integrity of the user credentials.
Traffic between the serving network and the home network is protected using IPsec.
In the initial AKA authentication, the IMSI is sent to the serving network, but after that, a temporary identifier is used. This means that the serving network is still capable of observing the IMSI, but at least the casual eavesdropper is unable to monitor the point of attachment of that particular IMSI.
Privacy and Security in Wi-Fi Networks
For captive portals, it is by the nature of that technology very difficult to provide location privacy and credential protection, the users submit their credentials after all at that specific location and to the captive portal that is used by the hotspot operator. These problematic security properties are worsened by the fact that users are in a way "trained" to submit their username and password or other authentication credential to every web page that remotely looks like a plausible hotspot page, instead of sharing their credentials only with their home network operator. Furthermore, unlike with 802.1X, typically all users get IP access to the local LAN that the hotspot is connected to, even before authentication. So, it is relatively easy to eavesdrop on the wireless traffic.
Using 802.1X in combination with EAP in contrast, it is possible to use pseudonymous identifiers for the users (identifiers such as anonymous@homeprovider or pseudonym12345@homeprovider), and in addition to that, 802.1X sets up a secure association between mobile equipment and access point, thereby protecting the user traffic against eavesdroppers on the wireless network.
Privacy and Security in SAML
SAML-based identity federations have been designed with user privacy and confidentiality in mind. Users are redirected to their own IdP to perform authentication so that the user credentials don't have to be shared with the RP. Instead of using the actual user identity for interacting with the RP, it is possible to use a pseudonymous identifier that is unique for the user and on a per-RP basis (a so-called targeted identity).
From a privacy aspect, there is one concern that has to do with the nature of SAML-based federations. The SAML model is geared toward an enterprise-centric model. That is to say, the IdP is always a party in a transaction, and therefore the IdP has a good insight in all the transactions that a user performs. In answer to this concern, there has been a lot of interest in what is called user-centric identity. In this model, the user uses an IdP for initial identity proofing and goes on wielding that proof of identity without having to involve the IdP in every transaction. So the Identity Provider does not need to know what services the user accesses. Examples of user-centric identity approaches are OpenID, OAuth, and Infocard.