Dieter Sommer

User centricity: a taxonomy and open issues

User centricity is a significant concept in federated identity management (FIM), as it provides for stronger user control and privacy. However, several notions of user-centricity in the FIM community render its semantics unclear and hamper future research in this area. Therefore, we consider user-centricity abstractly and establish a comprehensive taxonomy encompassing user-control, architecture, and usability aspects of user-centric FIM. On the systems layer, we discuss user-centric FIM systems and classify them into two predominant variants with significant feature sets. We distinguish credential-focused systems, which advocate offline identity providers and long-term credentials at a users client, and relationship-focused systems, which rely on the relationships between users and online identity providers that create short-term credentials during transactions. Note that these two notions of credentials are quite different. The further one encompasses cryptographic credentials as defined by Lysyanskaya et al. [30], the latter one federation tokens as used in todays FIM protocols like Liberty.We raise the question where user-centric FIM systems may go--within the limitations of the user-centricity paradigm as well as beyond them. Firstly, we investigate the existence of a universal user-centric FIM system that can achieve a superset of security and privacy properties as well as the characteristic features of both pre-dominant classes. Secondly, we explore the feasibility of reaching beyond user-centricity, that is, allowing a user of a user-centric FIM system to again give away user-control by means of an explicit act of delegation. We do neither claim a solution for universal user-centric systems nor for the extension beyond the boundaries ventures by leveraging the properties of a credential-focused FIM system.

Exploiting cryptography for privacy-enhanced access control: A result of the PRIME Project

We conduct more and more of our daily interactions over electronic media. The EC-funded project PRIME (Privacy and Identity Management for Europe) envisions that individuals will be able to interact in this information society in a secure and safe way while retaining control of their privacy. The project had set out to prove that existing privacy-enhancing technologies allow for the construction of a user-controlled identity management system that comes surprisingly close to this vision. This paper describes two key elements of the PRIME identity management systems: anonymous credentials and policy languages that fully exploit the advanced functionality offered by anonymous credentials. These two key elements enable the users to carry out transactions, e.g., over the Internet, revealing only the strictly necessary personal information. Apart from presenting for the first time these two key results, this paper also motivates the need for privacy enhancing identity management, gives concrete requirements for such a system and then describes the key principles of the PRIME identity management solution.

A General Certification Framework with Applications to Privacy-Enhancing Certificate Infrastructures

Interactions in electronic media require mutual trust to be established, preferably through the release of certified information. Disclosing certificates for provisioning the required information often leads to the disclosure of additional information not required for the purpose of the interaction. For instance, ordinary certificates unnecessarily reveal their binary representation.

Anonymous yet accountable access control

This paper introduces a novel approach for augmenting attribute-based access control systems in a way that allows them to offer fully anonymous access to resources while at the same time achieving strong accountability guarantees. We assume that users hold attribute certificates and we show how to exploit cryptographic zero-knowledge proofs to allow requesting users to prove that they hold suitable certificates for accessing a resource. In contrast to the commonly taken approach of sending all possibly relevant certificates to the access control system, our approach hence does not release any information to the access control system except for the presence of a set of certificates satisfying the access condition. This constitutes the minimal amount of information that has to be released for coming up with a correct access decision, and our approach is the first to achieve this. Additionally given a trusted third party for identity escrow, we furthermore show that a concise application of zero-knowledge proofs offers the access control system the capability to hold a requesting user accountable for her actions under specific, well-defined conditions. All the employed cryptographic techniques are highly efficient, and an architecture for exploiting our approach in practical scenarios is already in place.

A card requirements language enabling privacy-preserving access control

We address the problem of privacy-preserving access control in distributed systems. Users commonly reveal more personal data than strictly necessary to be granted access to online resources, even though existing technologies, such as anonymous credential systems, offer functionalities that would allow for privacy-friendly authorization. An important reason for this lack of technology adoption is, as we believe, the absence of a suitable authorization language offering adequate expressiveness to address the privacy-friendly functionalities. To overcome this problem, we propose an authorization language that allows for expressing access control requirements in a privacy-preserving way. Our language is independent from concrete technology, thus it allows for specifying requirements regardless of implementation details while it is also applicable for technologies designed without privacy considerations. We see our proposal as an important step towards making access control systems privacy-preserving.

A formal model of identity mixer

Identity Mixer is an anonymous credential system developed at IBM that allows users for instance to prove that they are over 18 years old without revealing their name or birthdate. This privacy-friendly technology is realized using zero-knowledge proofs. We describe a formal model of Identity Mixer that is well-suited for automated protocol verification tools in the spirit of black-box cryptography models.

Securing user inputs for the web

The goal of this paper is to study secure and usable methods for providing user input to a website. Three principles define security for us: certification, awareness, and privacy. Four principles define usability: contextual awareness, semantic awareness, prodigious use of screen space, and the availability of recommended choices.We first describe how current approaches to the solicitation of user input on the web fail on both fronts: they either can not handle certified data, do not respect user privacy, or have various usability problems which frustrate and perhaps even mislead the user.To address security, we suggest the use of more sophisticated private certificate systems. To address usability, we propose a new contextual, browser-integrated interface for using private certificate systems. Our system incorporates many recent design principles discussed in the security and usability space. It works in the main content area of a webpage; it focuses on making the user aware of the who, what, where, when and why of a data request, and it does not use valuable screen space when it is not relevant.

Security and Trust through Electronic Social Network-Based Interactions

The success of a Public Key Infrastructure such as the Web of Trust (WoT) heavily depends on its ability to ensure that public keys are used by their legitimate owners, thereby avoiding malicious impersonations. To guarantee this property, the WoT requires users to physically gather, check each other’s credentials (e.g., ID cards), to sign the trusted keys, and to subsequently monitor their validity over time. This trust establishment and management procedure is rather cumbersome and, as we believe, the main reason for the limited adoption of the WoT. To overcome this problem, we propose a solution that leverages the intrinsic properties of Electronic Social Networks (ESN) to establish and manage trust in the WoT. In particular, we exploit dynamically changing profile and contact information, as well as interactions among users of ESNs to gain and maintain trust in the legitimacy of key ownerships without the disadvantages of the traditional WoT approach. We see our proposal as an effective way to make security and trust solutions available to a broad audience of non-technical users.

Enhancing privacy of federated identity management protocols: anonymous credentials in WS-security

Federated Identity Management (FIM) allows for securely provisioning certified user identities and attributes to relying parties. It establishes higher security and data quality compared to user-asserted attributes and provides for stronger user privacy protection than technologies based upon user-side attribute certificates. Therefore, industry pursues the deployment of FIM solutions as one cornerstone of the WS-Security framework. Current research proposes even more powerful methods for security and privacy protection in identity management with so called anonymous credential systems. Being based on new, yet well-researched, signature schemes and cryptographic zero-knowledge proofs, these systems have the potential to improve the capabilities of FIM by superior privacy protection, user control, and multiple use of single credentials. Unfortunately, anonymous credential systems and their semantics being based upon zero-knowledge proofs are incompatible with the XML Signature Standard which is the basis for the WS-Security and most FIM frameworks. We put forth a general construction for integrating anonymous credential systems with the XML Signature Standard and FIM protocols. We apply this method to the WS-Security protocol framework and thus obtain a very flexible WS-Federation Active Requestor Profile with strong user control and superior privacy protection.

Cross-Domain Attribute Conversion for Authentication and Authorization

In bio-security emergencies, such as an outbreak of an exotic animal disease, it is essential that the organizations involved in combating this outbreak collaborate effectively and efficiently. To achieve such a collaboration potentially confidential infrastructure and resources need to be shared amongst members of the participating organizations. In AU2EU we demonstrate the combination of existing data minimizing authentication, attribute-based authorization technologies to dynamically enable collaborations between these organization. However, a key problem that occurs during the establishment of such collaboration is different terminologies for similar authorization attributes. To overcome these differences and to minimize the overhead for new organizations to join an existing consortium we propose an ontology-based solution for converting attributes from one domain vocabulary to another. Additionally, we propose a methodology to construct a shared domain vocabulary. Using a shared domain vocabulary in the conversion process decreases the amount of alignments required for collaborating. We integrate and demonstrate the feasibility of this approach in a real-life scenario within the scope of AU2EU. This paper presents preliminary work, which is currently being deployed and will be evaluated in the upcoming months.