skip to main content
10.1145/1102486.1102489acmconferencesArticle/Chapter ViewAbstractPublication PagesccsConference Proceedingsconference-collections
Article

Establishing and protecting digital identity in federation systems

Published:11 November 2005Publication History

ABSTRACT

We develop solutions for the security and privacy of user identity information in a federation. By federation we mean a group of organizations or service providers which have built trust among each other and enable sharing of user identity information amongst themselves. We first propose a flexible approach to establish a single sign-on (SSO) ID in the federation. Then we show how a user can leverage this SSO ID to establish certified and un-certified user identity attributes without the dependence on PKI for user authentication. This makes the process more usable and privacy preserving. Our major contribution in this paper is a novel solution for protection against identity theft of these identity attributes. We provide protocols based on cryptographic techniques, namely zero knowledge proofs and distributed hash tables. We show how we can preserve privacy of the user identity without jeopardizing security. We formally prove correctness and provide complexity results for our protocols. The complexity results show that our approach is efficient. In the paper we also show that the protocol is robust enough even in case semi-trusted "honest-yet curious" service providers thus preventing against insider threat. In our analysis we give the desired properties of the cryptographic tools used and identify open problems. We believe that the approach represents a precursor to new and innovative cryptographic techniques which can provide solutions for the security and privacy problems in federated identity management.

References

  1. M. Abadi and R. Needham. Prudent engineering practice for cryptographic protocols. IEEE Trans. Softw. Eng., 22(1):6--15, 1996. Google ScholarGoogle ScholarDigital LibraryDigital Library
  2. H. Abelson and L. Lessig. Digital identity in cyberspace. In White Paper Submitted for 6.805/Law of Cyberspace: Social Protocols, 1998.Google ScholarGoogle Scholar
  3. AES. http://csrc.nist.gov/cryptotoolkit/aes/.Google ScholarGoogle Scholar
  4. M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACMConference on Computer and Communications Security, pages 62--73, 1993. Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. E. Bertino, E. Ferrari, and A. C. Squicciarini. Trust-χ: A Peer-to-Peer Framework for Trust Establishment. In IEEE Transactions on Knowledge and Data Engineering, pages 827-- 842. IEEE, July 2004. Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. X. Chen, F. Zhang, and K. Kim. A new id-based group signature scheme from bilinear pairings. In Cryptology ePrint Archive, Report, 2003.Google ScholarGoogle Scholar
  7. W. Duserick and F. Investments. Whitepaper on liberty protocol and identity theft. In Liberty Alliance Project, 2004.Google ScholarGoogle Scholar
  8. U. Fiege, A. Fiat, and A. Shamir. Zero knowledge proofs of identity. In STOC '87: Proceedings of the 19th annual ACM conference on Theory of computing, pages 210--217, New York, NY, USA, 1987. ACM Press. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. http://shibboleth.internet2.edu. Shibboleth, internet2.Google ScholarGoogle Scholar
  10. http://www.identitytheftmanagement.com/. Identity theft management.Google ScholarGoogle Scholar
  11. http://www.projectliberty.org. Liberty alliance project.Google ScholarGoogle Scholar
  12. http://www.rsasecurity.com/rsalabs. Rsa laboratories' nightingale.Google ScholarGoogle Scholar
  13. K. Klingestein. Emergence of identity service providers. In EDUCAUSE Center for Applied Research, Research Bulletin, number 5, 2002.Google ScholarGoogle Scholar
  14. G. S. Manku. Balanced binary trees for id management and load balance in distributed hash tables. In PODC '04: Proceedings of the twenty-third annual ACM symposium on Principles of distributed computing, pages 197--205, New York, NY, USA, 2004. ACM Press. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. G. S. Manku. Dipsea: a modular distributed hash table. PhD thesis, Stanford University, 2004. Adviser-Rajeev Motwani. Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of applied cryptography, 2001. Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. E. Norlin and A. Durand. Whitepaper on towards federated identity management. In Ping Identity Corporation, 2002.Google ScholarGoogle Scholar
  18. N. R. C. of the National~Academies. Who Goes There? Authentication Through the Lens of Privacy. The National Academies Press, Washington, D.C., 2003.Google ScholarGoogle Scholar
  19. A. Pashalidis and C. Mitchell. A taxonomy of single sign-on systems. Information Security and Privacy, 8th Australasian Conference, ACISP 2003, Wollongong, Australia, July 9-11, 2003, Proceedings, volume 2727 of Lecture Notes in Computer Science, pages 249--264. Springer-Verlag. Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. C. P. Schnorr. Efficient identification and signatures for smart cards. In CRYPTO '89: Proceedings on Advances in cryptology, pages 239--252, New York, NY, USA, 1989. Springer-Verlag New York, Inc. Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. A. B. Spantzel, A. C. Squicciarini, and E. Bertino. Integrating federated digital identity management and trust negotiation. In review IEEE Security and Privacy Magazine, 2005.Google ScholarGoogle Scholar
  22. A. Whitten and J. D. Tygar. Why Johnny can't encrypt: Ausability evaluation of PGP5.0. In 8th USENIX Security Symposium, 1999. Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. D. Woodruff and J. Staddon. Private inference control. In CCS '04: Proceedings of the 11th ACM conference on Computer and communications security, pages 188--197, New York, NY, USA, 2004. ACM Press. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Establishing and protecting digital identity in federation systems

        Recommendations

        Comments

        Login options

        Check if you have access through your login credentials or your institution to get full access on this article.

        Sign in
        • Published in

          cover image ACM Conferences
          DIM '05: Proceedings of the 2005 workshop on Digital identity management
          November 2005
          120 pages
          ISBN:1595932321
          DOI:10.1145/1102486

          Copyright © 2005 ACM

          Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

          Publisher

          Association for Computing Machinery

          New York, NY, United States

          Publication History

          • Published: 11 November 2005

          Permissions

          Request permissions about this article.

          Request Permissions

          Check for updates

          Qualifiers

          • Article

          Acceptance Rates

          Overall Acceptance Rate16of34submissions,47%

          Upcoming Conference

          CCS '24
          ACM SIGSAC Conference on Computer and Communications Security
          October 14 - 18, 2024
          Salt Lake City , UT , USA

        PDF Format

        View or Download as a PDF file.

        PDF

        eReader

        View online with eReader.

        eReader