Establishing and protecting digital identity in federation systems

Abhilasha Bhargav-Spantzel, Anna C. Squicciarini, Elisa Bertino

Research output: Contribution to journalArticle

31 Citations (Scopus)

Abstract

We develop solutions for the security and privacy of user identity information in a federation. By federation we mean a group of organizations or service providers which have built trust among each other and enable sharing of user identity information amongst themselves. Our solution supports a step by step approach according to which an individual can first establish a digital identity followed by a secure and protected use of such identity. We first introduce a flexible approach to establish a single sign-on (SSO) ID in a federation. Then we show how a user can leverage this SSO ID to establish certified and uncertified user identity attributes without the dependence on PKI for user authentication. This makes the process more usable and enhances privacy. The major contribution of this paper is a novel solution for protection against identity theft of these identity attributes. Our approach is based on the use of zero-knowledge proof protocols and distributed hash tables. Revocation mechanisms of the identity attributes are also developed. We illustrate how current revocation techniques can benefit from the underlying federation framework and the use of distributed hash tables. Finally, we formally prove correctness and provide complexity results for our protocols. The complexity results show that our approach is efficient. In the paper we also show that the protocol is robust enough even in the case of semi-trusted "honest-yet curious" service providers, thus preventing against insider threat. We believe that the approach represents a precursor to new and innovative cryptographic techniques which can provide solutions for the security and privacy problems in federated identity management.

Original languageEnglish (US)
Pages (from-to)269-300
Number of pages32
JournalJournal of Computer Security
Volume14
Issue number3
DOIs
StatePublished - Jan 1 2006

Fingerprint

Authentication

All Science Journal Classification (ASJC) codes

  • Software
  • Safety, Risk, Reliability and Quality
  • Hardware and Architecture
  • Computer Networks and Communications

Cite this

Bhargav-Spantzel, Abhilasha ; Squicciarini, Anna C. ; Bertino, Elisa. / Establishing and protecting digital identity in federation systems. In: Journal of Computer Security. 2006 ; Vol. 14, No. 3. pp. 269-300.
@article{1678134684a042568ca86fd01dd1e831,
title = "Establishing and protecting digital identity in federation systems",
abstract = "We develop solutions for the security and privacy of user identity information in a federation. By federation we mean a group of organizations or service providers which have built trust among each other and enable sharing of user identity information amongst themselves. Our solution supports a step by step approach according to which an individual can first establish a digital identity followed by a secure and protected use of such identity. We first introduce a flexible approach to establish a single sign-on (SSO) ID in a federation. Then we show how a user can leverage this SSO ID to establish certified and uncertified user identity attributes without the dependence on PKI for user authentication. This makes the process more usable and enhances privacy. The major contribution of this paper is a novel solution for protection against identity theft of these identity attributes. Our approach is based on the use of zero-knowledge proof protocols and distributed hash tables. Revocation mechanisms of the identity attributes are also developed. We illustrate how current revocation techniques can benefit from the underlying federation framework and the use of distributed hash tables. Finally, we formally prove correctness and provide complexity results for our protocols. The complexity results show that our approach is efficient. In the paper we also show that the protocol is robust enough even in the case of semi-trusted {"}honest-yet curious{"} service providers, thus preventing against insider threat. We believe that the approach represents a precursor to new and innovative cryptographic techniques which can provide solutions for the security and privacy problems in federated identity management.",
author = "Abhilasha Bhargav-Spantzel and Squicciarini, {Anna C.} and Elisa Bertino",
year = "2006",
month = "1",
day = "1",
doi = "10.3233/JCS-2006-14303",
language = "English (US)",
volume = "14",
pages = "269--300",
journal = "Journal of Computer Security",
issn = "0926-227X",
publisher = "IOS Press",
number = "3",

}

Establishing and protecting digital identity in federation systems. / Bhargav-Spantzel, Abhilasha; Squicciarini, Anna C.; Bertino, Elisa.

In: Journal of Computer Security, Vol. 14, No. 3, 01.01.2006, p. 269-300.

Research output: Contribution to journalArticle

TY - JOUR

T1 - Establishing and protecting digital identity in federation systems

AU - Bhargav-Spantzel, Abhilasha

AU - Squicciarini, Anna C.

AU - Bertino, Elisa

PY - 2006/1/1

Y1 - 2006/1/1

N2 - We develop solutions for the security and privacy of user identity information in a federation. By federation we mean a group of organizations or service providers which have built trust among each other and enable sharing of user identity information amongst themselves. Our solution supports a step by step approach according to which an individual can first establish a digital identity followed by a secure and protected use of such identity. We first introduce a flexible approach to establish a single sign-on (SSO) ID in a federation. Then we show how a user can leverage this SSO ID to establish certified and uncertified user identity attributes without the dependence on PKI for user authentication. This makes the process more usable and enhances privacy. The major contribution of this paper is a novel solution for protection against identity theft of these identity attributes. Our approach is based on the use of zero-knowledge proof protocols and distributed hash tables. Revocation mechanisms of the identity attributes are also developed. We illustrate how current revocation techniques can benefit from the underlying federation framework and the use of distributed hash tables. Finally, we formally prove correctness and provide complexity results for our protocols. The complexity results show that our approach is efficient. In the paper we also show that the protocol is robust enough even in the case of semi-trusted "honest-yet curious" service providers, thus preventing against insider threat. We believe that the approach represents a precursor to new and innovative cryptographic techniques which can provide solutions for the security and privacy problems in federated identity management.

AB - We develop solutions for the security and privacy of user identity information in a federation. By federation we mean a group of organizations or service providers which have built trust among each other and enable sharing of user identity information amongst themselves. Our solution supports a step by step approach according to which an individual can first establish a digital identity followed by a secure and protected use of such identity. We first introduce a flexible approach to establish a single sign-on (SSO) ID in a federation. Then we show how a user can leverage this SSO ID to establish certified and uncertified user identity attributes without the dependence on PKI for user authentication. This makes the process more usable and enhances privacy. The major contribution of this paper is a novel solution for protection against identity theft of these identity attributes. Our approach is based on the use of zero-knowledge proof protocols and distributed hash tables. Revocation mechanisms of the identity attributes are also developed. We illustrate how current revocation techniques can benefit from the underlying federation framework and the use of distributed hash tables. Finally, we formally prove correctness and provide complexity results for our protocols. The complexity results show that our approach is efficient. In the paper we also show that the protocol is robust enough even in the case of semi-trusted "honest-yet curious" service providers, thus preventing against insider threat. We believe that the approach represents a precursor to new and innovative cryptographic techniques which can provide solutions for the security and privacy problems in federated identity management.

UR - http://www.scopus.com/inward/record.url?scp=33745459183&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33745459183&partnerID=8YFLogxK

U2 - 10.3233/JCS-2006-14303

DO - 10.3233/JCS-2006-14303

M3 - Article

AN - SCOPUS:33745459183

VL - 14

SP - 269

EP - 300

JO - Journal of Computer Security

JF - Journal of Computer Security

SN - 0926-227X

IS - 3

ER -