
Privacy preservation and low cost authentication in federated identity management systems

Abstract: With the boom in online services, generally accessed through a login/password pair, Internet users have an ever increasing number of digital identities. The Internet was not originally designed with the notion of digital identity in mind, and several solutions have been proposed to deploy digital-identity management architectures on existing standards and protocols, such as the InfoCard standard, which is a user-centric approach, or the Liberty Alliance standard, which is based on the notion of identity federation. A typical identity management architecture requires basic components such as an identity provider (IDP) that authenticates the user in a secure manner, allowing him/her to access a service provider (SP) that provides services, and an attribute provider (AP) that supplies the user's attributes to any authorized agent without compromising privacy. Our presentation addresses some of these requirements by implementing a comprehensive platform that allows new secure electronic services while ensuring privacy within a transparent and interoperable federated identity management. The requirements are:

- the user must have control over his personal data,
- a large number of certificates must be provided to users at low cost,
- privacy must be preserved, and
- multiple services may belong to distinct spheres and be accessible via various material supports such as a USB key, a smart card or a mobile device.

In this context, a new PKI-based protocol, called "PKI 2.0", has been proposed to guarantee secure access to electronic services at low cost. Based on three levels, the PKI 2.0 protocol integrates:

- an international hierarchical PKI that delivers and manages server certificates for identity providers, service providers and attribute providers;
- an internal hierarchical PKI deployed by each registration authority (associated with each circle of trust) for all its agencies;
- a "user" PKI, non-hierarchical (without Certification Authorities), that addresses end users.
The first step of our contribution concerns the "user" PKI, which integrates an entity called the "electronic notary", used instead of a certification authority, allowing the registration of new users (citizen/consumer/professional) with a registration authority that may be a proximity agency (telecom agency, banking agency) viewed as a trusted third party. The proposed cryptosystem is based on the same principle whatever asymmetric algorithm is used. The local registration authority delivers a "public key certificate" to the user (not signed by a Certification Authority) along with a private key, using his USB key, his smart card or his cell phone. The local registration authority also generates the user's "public key property certificate" (not signed by a Certification Authority) and uploads it to its central electronic notary server through a secure channel. Thus anyone, any IDP, any application and any process can request this electronic notary server to authenticate the digital identity of the user, letting it access at any time services belonging to distinct circles of trust.

The second step occurs after authentication is completed, and enables the user to automatically preserve his privacy during his electronic transactions by comparing the privacy policy of the SP against his privacy preferences. On one hand, the SP is required to express its policy in our own XPACML language (eXtensible Privacy Access Control Markup Language), i.e. its own list of required/optional data attributes according to their categories, along with the associated basic P3P tags proposed by the P3P platform: Purpose, Recipient, and Retention. On the other hand, the user defines his preferences for each of his ID cards, for each data category and for each data attribute.

According to our newly defined P3P tag classification, upon receiving the SP's policy at the beginning of the transaction, the user is able to compare the XPACML policy sent by the SP against his own preferences. If each unitary negotiation relative to one piece of the policy succeeds, then the whole negotiation is successful; otherwise, it fails.
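The "user" PKI flow of the first step above (registration authority enrols the user, uploads an unsigned property certificate to the electronic notary, and any verifier later queries the notary to authenticate the user) can be modelled end to end. The following Go program is an added example written for this page, not code from the authors' platform; the property-certificate layout, the in-memory notary, the choice of Ed25519 and the user name "alice" are all assumptions made here, since the abstract does not fix an algorithm or a format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// PropertyCert stands in for the "public key property certificate": it binds a
// user identifier to a public key and carries no CA signature. The field layout
// is an assumption for this example; the paper does not specify the format.
type PropertyCert struct {
	UserID string
	Public ed25519.PublicKey
}

// Notary models the central electronic notary server that the registration
// authority feeds over a secure channel and that any IDP, SP or process may query.
type Notary struct {
	certs map[string]PropertyCert
}

func NewNotary() *Notary {
	return &Notary{certs: map[string]PropertyCert{}}
}

// Register stores a property certificate; re-registration of an existing user
// is refused so that a second enrolment cannot silently replace a key.
func (n *Notary) Register(c PropertyCert) error {
	if _, exists := n.certs[c.UserID]; exists {
		return errors.New("notary: user already registered")
	}
	n.certs[c.UserID] = c
	return nil
}

// Lookup answers a verifier's query for the key registered under userID.
func (n *Notary) Lookup(userID string) (PropertyCert, bool) {
	c, ok := n.certs[userID]
	return c, ok
}

// Enroll models the local registration authority: it generates the user's key
// pair, uploads the property certificate to the notary and hands the private
// key back for delivery on the user's USB key, smart card or phone.
func Enroll(n *Notary, userID string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	if err := n.Register(PropertyCert{UserID: userID, Public: pub}); err != nil {
		return nil, err
	}
	return priv, nil
}

// NewChallenge produces a fresh random nonce; issuing a new one per login
// attempt is what stops a captured response from being replayed.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Respond is the user's side: the token signs the challenge with the private key.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// Authenticate is the verifier's side (an IDP, SP or any process): fetch the
// user's registered key from the notary and check the signature over the nonce.
func Authenticate(n *Notary, userID string, challenge, signature []byte) bool {
	c, ok := n.Lookup(userID)
	if !ok {
		return false
	}
	return ed25519.Verify(c.Public, challenge, signature)
}

func main() {
	notary := NewNotary()
	priv, err := Enroll(notary, "alice") // constructed sample user
	if err != nil {
		panic(err)
	}
	challenge, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	fmt.Println("alice authenticated:", Authenticate(notary, "alice", challenge, Respond(priv, challenge)))
	fmt.Println("unknown user accepted:", Authenticate(notary, "bob", challenge, Respond(priv, challenge)))
}
```

The point to notice is where trust sits: no certificate is signed, so the notary's registry (and the secure channel the registration authority uses to fill it) is the root of trust, and a verifier that caches keys instead of querying the notary loses the ability to see revocations or re-registrations.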
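The second step's negotiation (each piece of the SP's XPACML policy checked against the user's preference, the whole negotiation succeeding only if every unitary check does) is shown below as an added Go example written for this page; it is not the authors' XPACML implementation. The abstract does not publish the XPACML syntax, so the policy and preference structures are constructed here; the attribute-then-category lookup follows the abstract's per-attribute and per-category preferences, and the ranking of the P3P Retention values from least to most permissive is an assumption of this example. The sample shop policy and user preferences are constructed data.

```go
package main

import "fmt"

// P3P 1.0 RETENTION values ranked from least to most permissive (assumed ordering).
var retentionRank = map[string]int{"no-retention": 0, "stated-purpose": 1,
	"legal-requirement": 2, "business-practices": 3, "indefinitely": 4}

// PolicyItem is one piece of the SP's XPACML policy: an attribute, its category,
// whether it is required, and the P3P Purpose/Recipient/Retention tags.
// (Field layout constructed for this example; the paper does not define the syntax.)
type PolicyItem struct {
	Attribute, Category string
	Required            bool
	Purpose, Recipient  []string
	Retention           string
}

// Preference is what the user tolerates for one attribute or one data category.
type Preference struct {
	Purposes, Recipients map[string]bool
	MaxRetention         string
}

// UserPreferences are the preferences of one ID card, per attribute and per category.
type UserPreferences struct {
	ByAttribute, ByCategory map[string]Preference
}

// Lookup picks the most specific preference: the attribute's own, else its category's.
func (u UserPreferences) Lookup(it PolicyItem) (Preference, bool) {
	if p, ok := u.ByAttribute[it.Attribute]; ok {
		return p, true
	}
	p, ok := u.ByCategory[it.Category]
	return p, ok
}

func set(vals ...string) map[string]bool {
	m := map[string]bool{}
	for _, v := range vals {
		m[v] = true
	}
	return m
}

// notAllowed lists the requested values the user does not allow, in request order.
func notAllowed(requested []string, allowed map[string]bool) (bad []string) {
	for _, v := range requested {
		if !allowed[v] {
			bad = append(bad, v)
		}
	}
	return bad
}

// NegotiateItem is the unitary negotiation for one policy piece: "" on success,
// otherwise the reason the user's preferences reject it.
func NegotiateItem(it PolicyItem, prefs UserPreferences) string {
	p, ok := prefs.Lookup(it)
	if !ok {
		return it.Attribute + ": no preference covers this attribute or its category"
	}
	if bad := notAllowed(it.Purpose, p.Purposes); len(bad) > 0 {
		return fmt.Sprintf("%s: purpose %v not allowed", it.Attribute, bad)
	}
	if bad := notAllowed(it.Recipient, p.Recipients); len(bad) > 0 {
		return fmt.Sprintf("%s: recipient %v not allowed", it.Attribute, bad)
	}
	rank, known := retentionRank[it.Retention]
	if !known || rank > retentionRank[p.MaxRetention] {
		return fmt.Sprintf("%s: retention %q not acceptable (max %q)", it.Attribute, it.Retention, p.MaxRetention)
	}
	return ""
}

// Negotiate runs every unitary negotiation; the whole negotiation succeeds only
// if all of them do. The failure reasons are returned so the user can see why.
func Negotiate(policy []PolicyItem, prefs UserPreferences) (bool, []string) {
	var failures []string
	for _, it := range policy {
		if reason := NegotiateItem(it, prefs); reason != "" {
			failures = append(failures, reason)
		}
	}
	return len(failures) == 0, failures
}

// SamplePolicy is a constructed SP policy for an online shop (P3P vocabulary values).
func SamplePolicy() []PolicyItem {
	return []PolicyItem{
		{"email", "contact", true, []string{"current", "contact"}, []string{"ours"}, "stated-purpose"},
		{"postal_address", "contact", true, []string{"current"}, []string{"ours", "delivery"}, "stated-purpose"},
		{"birth_date", "demographic", false, []string{"tailoring"}, []string{"ours"}, "indefinitely"},
	}
}

// SamplePreferences is a constructed preference set for one of the user's ID cards.
func SamplePreferences() UserPreferences {
	return UserPreferences{
		ByCategory:  map[string]Preference{"contact": {set("current", "contact"), set("ours", "delivery"), "stated-purpose"}},
		ByAttribute: map[string]Preference{"birth_date": {set("current"), set("ours"), "no-retention"}},
	}
}

func main() {
	ok, failures := Negotiate(SamplePolicy(), SamplePreferences())
	fmt.Println("negotiation succeeded:", ok, failures)
}
```

With the sample data the email and postal address pieces pass under the "contact" category preference, while birth_date fails on its Purpose tag, so the whole negotiation fails and the user is told which piece caused it. Unknown or unrecognised tag values are treated as failures rather than silently accepted, which is the safe default for a matcher that gates disclosure of personal data.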
Document type: Conference papers

https://hal.archives-ouvertes.fr/hal-01303898
Contributor: Médiathèque Télécom Sudparis & Institut Mines-Télécom Business School
Submitted on: Friday, April 22, 2016 - 3:32:42 PM
Last modification on: Monday, November 1, 2021 - 5:32:01 PM

Identifiers

  • HAL Id: hal-01303898, version 1

Citation

Samia Bouzefrane, Pascal Thoniel, Maryline Laurent, Kheira Bekara. Privacy preservation and low cost authentication in federated identity management systems. E-SMART 2011 : The Future of Digital Security Technologies, Sep 2011, Nice, France. ⟨hal-01303898⟩
