ABSTRACT
We develop solutions for the security and privacy of user identity information in a federation. By federation we mean a group of organizations or service providers which have built trust among each other and enable sharing of user identity information amongst themselves. We first propose a flexible approach to establish a single sign-on (SSO) ID in the federation. Then we show how a user can leverage this SSO ID to establish certified and un-certified user identity attributes without the dependence on PKI for user authentication. This makes the process more usable and privacy preserving. Our major contribution in this paper is a novel solution for protection against identity theft of these identity attributes. We provide protocols based on cryptographic techniques, namely zero knowledge proofs and distributed hash tables. We show how we can preserve privacy of the user identity without jeopardizing security. We formally prove correctness and provide complexity results for our protocols. The complexity results show that our approach is efficient. In the paper we also show that the protocol is robust enough even in case semi-trusted "honest-yet curious" service providers thus preventing against insider threat. In our analysis we give the desired properties of the cryptographic tools used and identify open problems. We believe that the approach represents a precursor to new and innovative cryptographic techniques which can provide solutions for the security and privacy problems in federated identity management.
- M. Abadi and R. Needham. Prudent engineering practice for cryptographic protocols. IEEE Trans. Softw. Eng., 22(1):6--15, 1996. Google ScholarDigital Library
- H. Abelson and L. Lessig. Digital identity in cyberspace. In White Paper Submitted for 6.805/Law of Cyberspace: Social Protocols, 1998.Google Scholar
- AES. http://csrc.nist.gov/cryptotoolkit/aes/.Google Scholar
- M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACMConference on Computer and Communications Security, pages 62--73, 1993. Google ScholarDigital Library
- E. Bertino, E. Ferrari, and A. C. Squicciarini. Trust-χ: A Peer-to-Peer Framework for Trust Establishment. In IEEE Transactions on Knowledge and Data Engineering, pages 827-- 842. IEEE, July 2004. Google ScholarDigital Library
- X. Chen, F. Zhang, and K. Kim. A new id-based group signature scheme from bilinear pairings. In Cryptology ePrint Archive, Report, 2003.Google Scholar
- W. Duserick and F. Investments. Whitepaper on liberty protocol and identity theft. In Liberty Alliance Project, 2004.Google Scholar
- U. Fiege, A. Fiat, and A. Shamir. Zero knowledge proofs of identity. In STOC '87: Proceedings of the 19th annual ACM conference on Theory of computing, pages 210--217, New York, NY, USA, 1987. ACM Press. Google ScholarDigital Library
- http://shibboleth.internet2.edu. Shibboleth, internet2.Google Scholar
- http://www.identitytheftmanagement.com/. Identity theft management.Google Scholar
- http://www.projectliberty.org. Liberty alliance project.Google Scholar
- http://www.rsasecurity.com/rsalabs. Rsa laboratories' nightingale.Google Scholar
- K. Klingestein. Emergence of identity service providers. In EDUCAUSE Center for Applied Research, Research Bulletin, number 5, 2002.Google Scholar
- G. S. Manku. Balanced binary trees for id management and load balance in distributed hash tables. In PODC '04: Proceedings of the twenty-third annual ACM symposium on Principles of distributed computing, pages 197--205, New York, NY, USA, 2004. ACM Press. Google ScholarDigital Library
- G. S. Manku. Dipsea: a modular distributed hash table. PhD thesis, Stanford University, 2004. Adviser-Rajeev Motwani. Google ScholarDigital Library
- A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of applied cryptography, 2001. Google ScholarDigital Library
- E. Norlin and A. Durand. Whitepaper on towards federated identity management. In Ping Identity Corporation, 2002.Google Scholar
- N. R. C. of the National~Academies. Who Goes There? Authentication Through the Lens of Privacy. The National Academies Press, Washington, D.C., 2003.Google Scholar
- A. Pashalidis and C. Mitchell. A taxonomy of single sign-on systems. Information Security and Privacy, 8th Australasian Conference, ACISP 2003, Wollongong, Australia, July 9-11, 2003, Proceedings, volume 2727 of Lecture Notes in Computer Science, pages 249--264. Springer-Verlag. Google ScholarDigital Library
- C. P. Schnorr. Efficient identification and signatures for smart cards. In CRYPTO '89: Proceedings on Advances in cryptology, pages 239--252, New York, NY, USA, 1989. Springer-Verlag New York, Inc. Google ScholarDigital Library
- A. B. Spantzel, A. C. Squicciarini, and E. Bertino. Integrating federated digital identity management and trust negotiation. In review IEEE Security and Privacy Magazine, 2005.Google Scholar
- A. Whitten and J. D. Tygar. Why Johnny can't encrypt: Ausability evaluation of PGP5.0. In 8th USENIX Security Symposium, 1999. Google ScholarDigital Library
- D. Woodruff and J. Staddon. Private inference control. In CCS '04: Proceedings of the 11th ACM conference on Computer and communications security, pages 188--197, New York, NY, USA, 2004. ACM Press. Google ScholarDigital Library
Index Terms
Establishing and protecting digital identity in federation systems
Recommendations
Federated identity management for protecting users from ID theft
DIM '05: Proceedings of the 2005 workshop on Digital identity managementFederated identity management is sometimes criticized as exacerbating the problem of online identity theft, based as it is on the idea of connecting together previously separate islands of identity information. This paper explores this conjecture, and ...
Establishing and protecting digital identity in federation systems
The First ACM Workshop on Digital Identity Management -- DIM 2005We develop solutions for the security and privacy of user identity information in a federation. By federation we mean a group of organizations or service providers which have built trust among each other and enable sharing of user identity information ...
Identity Management
The Identity Solutions Symposium held in Jonesboro, Arkansas, 21 to 22 February, 2007 brought together academic, industry, and government experts working on radio frequency identification (RFID), biometrics, sensors, animal identification, identity ...
Comments