Scroll Top

IDENTITY MANAGEMENT

IdM in the Future Internet

Identity management is an almost indispensable component of today’s organizations and companies, as it plays a key role in authentication and access control. However, it is widely recognized as a costly and time-consuming task. The advent of cloud computing technologies, together with the promise of flexible, cheap and efficient provision of services, has provided the opportunity to externalize such a common process, shaping what has been called Identity Management as a Service (IDaaS). Nevertheless, as in the case of other cloud-based services, IDaaS brings with it great concerns regarding security and privacy, such as the loss of control over the outsourced data. One of our research lines tackles this problem by using cryptographic means instead of just relying in access control policies and models. In [1], we apply proxy re-encryption techniques for creating a special OpenID provider that is not capable of reading the user’s information but still provides an identity service. This research has been further refined in [2]. In this work, we propose a general model for privacy-preserving Identity Management as a Service, and describe a particular instantiation of this model using SAML 2.0.

Identity management does not only involve users in the system. Within the PASSIVE project, we have worked towards an authentication and authorization scheme for applications, users and resources that is suitable for its use in large and highly dynamic deployments such as the Cloud [3]. Other work in this area identifies the challenges that arise in the intersection of interconnected clouds and identity management [4].

Another relevant scenario of the Future Internet is the Internet of Things, where heterogeneous wireless devices interact in the common context. Wireless devices can also serve a supporting technology for continuous authentication or even as a complete alternative to biometrics when accessing proximity-based services. In [5] we present the implementation of a secure, non-invasive continuous authentication scheme supported by the use of Wearable Wireless Devices (WWD), which allow users to gain access to proximity-based services while preserving their privacy.

Privacy and Anonymity

In its third Recommendation, the RISEPTIS TECHNICAL report proposes the development of an identity and authentication framework in the EU. It is recognized that there will not be a unique and unified eID format, and there must coexist multiple national and regional as well as commercial schemes. There is also a broad consensus on the need for flexible identity systems where users can get service on demand (as part of the user-centric identity management) with respect to their preferences:
– The ability to decide the security level of data transmitted (sent or received),
– The ability to decide the level of anonymity of such data,
– The ability to choose between various types of connections, according to the desired level of anonymity. In each of these levels, only part of the identity of that connection in particular should be disclosed.

One of the Identity aspects in which NICS is currently working is the implementation of a solution for Anonymous Age Verification using the national electronic identity document (DNIe). We must distinguish (as does the report’s recommendation RISEPTIS) between the authentication needs when interacting with public authorities or our financial institutions (eg DNIe) and those that arise from everyday needs on the network (eg the purchase of an article in which the buyer data that are not strictly necessary for the operation must remain undisclosed.) For this last stage, and combining two types of identity (verified and pseudonymous) between the different technologies available, we have chosen the Information Cards to develop an anonymous age verification application that allows a user to demonstrate his age without providing additional data [6]. In the process of generating the i-card (Information Card), the DNIe is used. Thus, for example, the immediate application for users appears in purchasing products online, which can prove they were old enough to perform the operation without providing additional data strictly necessary to the service provider. In this process, the user must use the DNIe only once (for regisration) from his computer.

However, at present, one of the major problems of the DNIe use in Spain is the lack of applications that make use of it in innovative ways. Therefore we propose to use mobile devices or smartphones as well as devices that interact with DNIe readers to allow citizens to manage and securely authenticate regardless of their location, as an intermediary between users and the PC so that, when digitally signing documents, the user must not explicitly trust the PC, but his mobile device in order to check the integrity of the document to be signed just before proceeding. The main objective is to avoid potential damage from malware installed on the PC that could endanger the digital signature. Currently some NICS’ members are part of the National DNIe Working Group  which works on pushing forward new applications for the DNIe.

Privilege Management Infraestructures

Privilege management infraestructures (PMI) arise as an evolution of PKI where not only identity is considered but the privileges or access rights asociates to the diferent roles or individuals in the organizations. This reserach topics is one of the oldest within NICS and was consolidated in the project PRIVILEGE. In this project we worked mainly with X.509 Attribute Certificates. We developed a practical implementation of a Privilege Management Infrastructure (PMI) and a mechanism to perform controlled delegation, making use of the extension fields of the attribute certificates [7] [8]. Our proposal is based on graphs, including in each certificate a real number ( in the interval [0,1]) that measures the level of confidence of the issuer on the issued certificate. This enables us to compute trust on the granted privileges over the delegation graph.

In [9] we proposed a solution to enhance the X.509 attribute certificate in such a way that it becomes a conditionally anonymous attribute certificate. After that, we designed a protocol to obtain such certificates in a way that respects users’ anonymity by using a fair blind signature scheme. We also show how to use such certificates and describe a few cases where problems could arise, identifying some open problems.

Another relevant are within PMI is supporting dynamic access control policies based on context information [10] and include in the decision making process not only roles and identities but also user attributes [11].

PMI can also be used for identity verification. Within the OSAMI project we have implemented solution for the distribution of secure code using OpenID and signatures with public key certificates of short duration (created from the OpenID information) [12]. In this way, developers can distribute signed code without the need for a long term digital certificate. This solution can be applied to those scenarios in which there is a dynamism in the programming team of these components such as in the open source community.

References

  1. David Nuñez and Isaac Agudo and Javier Lopez (2012): Integrating OpenID with Proxy Re-Encryption to enhance privacy in cloud-based identity services. In: IEEE CloudCom 2012, pp. 241 – 248, IEEE Computer Society IEEE Computer Society, Taipei, Taiwan, 2012, ISSN: 978-1-4673-4509-5.
  2. David Nuñez and Isaac Agudo (2014): BlindIdM: A Privacy-Preserving Approach for Identity Management as a Service. In: International Journal of Information Security, vol. 13, pp. 199-215, 2014, ISSN: 1615-5262.
  3. Neumann Libor and Tomas Halman and Rotek Pavel and Alexander Boettcher and Julian Stecklina and Michal Sojka and David Nuñez and Isaac Agudo (2012): Strong Authentication of Humans and Machines in Policy Controlled Cloud Computing Environment Using Automatic Cyber Identity. In: Pohlmann, Norbert; Reimer, Helmut; Schneider, Wolfgang (Ed.): Information Security Solutions Europe 2012, pp. 195-206, Springer Vieweg Springer Vieweg, Brussels, Belgium, 2012, ISBN: 978-3-658-00332-6.
  4. David Nuñez and Isaac Agudo and Prokopios Drogkaris and Stefanos Gritzalis (2011): Identity Management Challenges for Intercloud Applications. In: 1st International Workshop on Security and Trust for Applications in Virtualised Environments (STAVE 2011), pp. 198-204, Crete (Greece), 2011.
  5. Isaac Agudo and Ruben Rios and Javier Lopez (2013): A Privacy-Aware Continuous Authentication Scheme for Proximity-Based Access Control. In: Computers & Security, vol. 39 (B), pp. 117-126, 2013, ISSN: 0167-4048.
  6. Jose A. Onieva and Isaac Agudo and Javier Lopez and Gerard Draper-Gil and M. Francisca Hinarejos (2012): Como proteger la privacidad de los usuarios en Internet. Verificación anónima de la mayoría de edad. In: XII Reunión Española sobre Criptología y Seguridad de la Información – RECSI 2012, pp. 297-302, Mondragon Mondragon, San Sebastian (Spain), 2012, ISBN: 978-84-615-9933-2.
  7. Isaac Agudo and Javier Lopez and Jose A. Montenegro (2005): A Representation Model of Trust Relationships with Delegation Extensions. In: 3th International Conference on Trust Management (iTRUST’05), pp. 9-22, Springer Springer, Versailles, France, 2005, ISSN: 0302-9743 (Print) 1611-3349 (Online).
  8. Isaac Agudo and Javier Lopez and Jose A. Montenegro (2005): A Graphical Delegation Solution for X.509 Attribute Certificates. In: ERCIM News, no. 63, pp. 33-34, 2005, ISSN: 0926-4981.
  9. Vicente Benjumea and Javier Lopez and Jose A. Montenegro and Jose M. Troya (2004): A First Approach to Provide Anonymity in Attribute Certificates. In: 2004 International Workshop on Practice and Theory in Public Key Cryptography (PKC’04), pp. 402-415, Springer Springer, 2004.
  10. Isaac Agudo and Javier Lopez and Jose A. Montenegro (2006): Attributes Delegation Based on Ontologies and Context Information. In: 10th IFIP TC-6 TC-11 International Conference on Communications and Multimedia on Security (CMS’06), pp. 54-66, Springer Springer, Heraklion, Crete, 2006, ISSN: 0302-9743 (Print) 1611-3349 (Online).
  11. Isaac Agudo and Javier Lopez and Jose A. Montenegro (2007): Attribute delegation in ubiquitous environments. In: 3rd international conference on Mobile multimedia communications (MobiMedia ’07), pp. 43:1–43:6, ICST ICST, Nafpaktos, Greece, 2007, ISBN: 978-963-06-2670-5.
  12. Isaac Agudo and Jose A. Onieva and Daniel Merida (2010): Distribución segura de componentes software basada en OpenID. In: XI Reunión Española sobre Criptología y Seguridad de la Información (RECSI 2010), Tarragona, Spain, 2010, ISBN: 978-84-693-3304-4.