Skip to main content
SpringerLink
Log in

Federated Identity Management

  • Chapter
Security, Privacy, and Trust in Modern Data Management

Part of the book series: Data-Centric Systems and Applications ((DCSA))

Abstract

The more real business and interaction with public authorities is performed in digital form, the more important the handling of identities over open networks becomes. The rise in identity theft as a result of the misuse of global but unprotected identifiers like credit card numbers is one strong indicator of this. Setting up individual passwords between a person and every organization he or she interacts with also offers very limited security in practice. Federated identity management addresses this critical issue. Classic proposals like Kerberos and PKIs never gained wide acceptance because of two problems: actual deployment to end users and privacy. We describe modern approaches that solve these problems. The first approach is browser-based protocols, where the user only needs a standard browser without special settings. We discuss the specific protocol types and security challenges of this protocol class, as well as what level of privacy can and cannot be achieved within this class. The second approach, private credentials, solves the problems that none of the prior solutions could solve, but requires the user to install some local software. Private credentials allow the user to reveal only the minimum information necessary to conduct transactions. In particular, it enables unlinkable transactions even for certified attributes. We sketch the cryptographic solutions and describe how optional properties such as revocability can be achieved, in particular in the idemix system.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 99.00
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 129.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 179.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In First ACM Conference on Computer and Communication Security, pages 62–73. Association for Computing Machinery, 1993.

    Google Scholar 

  2. D. Boneh, X. Boyen, and H. Shacham. Short group signatures. In Matthew K. Franklin, editor, Advances in Cryptology — CRYPTO 2004, volume 3152 of LNCS, pages 41–55. Springer Verlag, 2004.

    Google Scholar 

  3. D. Boneh, B. Lynn, and H. Shacham. Short signatures from the Weil pairing. In J. of Cryptology, vol. 17, no. 4, pp. 297–319, 2004.

    MATH  MathSciNet  Google Scholar 

  4. S. Brands. Untraceable off-line cash in wallets with observers. In Douglas R. Stinson, editor, Advances in Cryptology — CRYPTO’ 93, volume 773 of LNCS, pages 302–318, 1993.

    Google Scholar 

  5. S. Brands. Rethinking Public Key Infrastructure and Digital Certificates-Building in Privacy. PhD thesis, Eindhoven Institute of Technology, Eindhoven, The Netherlands, 1999.

    Google Scholar 

  6. E. Brickell, J. Camenisch, and L. Chen. Direct anonymous attestation. In Proc. 11th ACM Conference on Computer and Communications Security, pages 225–234. ACM press, 2004.

    Google Scholar 

  7. J. Camenisch. Cryptographic Protocols, chapter Direct Anonymous Attestation Explained. Wenbo Mao and Markus Jakobsson (Editors). Addison-Wesley, 2006. to appear.

    Google Scholar 

  8. J. Camenisch and E. van Herreweghen. Design and implementation of the idemix anonymous credential system. In Proc. 9th ACM Conference on Computer and Communications Security. acm press, 2002.

    Google Scholar 

  9. J. Camenisch and A. Lysyanskaya. Efficient non-transferable anonymous multi-show credential system with optional anonymity revocation. In Birgit Pfitzmann, editor, Advances in Cryptology — EUROCRYPT 2001, volume 2045 of LNCS, pages 93–118. Springer Verlag, 2001.

    Google Scholar 

  10. J. Camenisch and A. Lysyanskaya. A signature scheme with efficient protocols. In Stelvio Cimato, Clemente Galdi, and Giuseppe Persiano, editors, Security in Communication Networks, Third International Conference, SCN 2002, volume 2576 of LNCS, pages 268–289. Springer Verlag, 2003.

    Google Scholar 

  11. J. Camenisch and A. Lysyanskaya. Signature schemes and anonymous credentials from bilinear maps. In Matthew K. Franklin, editor, Advances in Cryptology — CRYPTO 2004, volume 3152 of LNCS, pages 56–72. Springer Verlag, 2004.

    Google Scholar 

  12. J. Camenisch and V. Shoup. Practical verifiable encryption and decryption of discrete logarithms. In Dan Boneh, editor, Advances in Cryptology — CRYPTO 2003, volume 2729 of LNCS, pages 126–144, 2003.

    Google Scholar 

  13. J. Camenisch and M. Stadler. Efficient group signature schemes for large groups. In Burt Kaliski, editor, Advances in Cryptology — CRYPTO’ 97, volume 1296 of LNCS, pages 410–424. Springer Verlag, 1997.

    Google Scholar 

  14. S. Cantor and M. Erdos. Shibboleth-architecture draft v05, May 2002. http: //shibboleth.internet2.edu/docs/draft-internet2-shibboleth-arch-v0%5.pdf.

    Google Scholar 

  15. D. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84–88, February 1981.

    Article  Google Scholar 

  16. D. Chaum. Security without identification: Transaction systems to make big brother obsolete. Communications of the ACM, 28(10):1030–1044, October 1985.

    Article  Google Scholar 

  17. D. Chaum and J.H. Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In M. Odlyzko, editor, Advances in Cryptology — CRYPTO’ 86, volume 263 of LNCS, pages 118–167. Springer-Verlag, 1987.

    Google Scholar 

  18. I.B. Damgård. Efficient concurrent zero-knowledge in the auxiliary string model. In Bart Preneel, editor, Advances in Cryptology — EUROCRYPT 2000, volume 1807 of LNCS, pages 431–444. Springer Verlag, 2000.

    Google Scholar 

  19. I.B. Damgård. Payment systems and credential mechanism with provable security against abuse by individuals. In Shafi Goldwasser, editor, Advances in Cryptology — CRYPTO’ 88, volume 403 of LNCS, pages 328–335. Springer Verlag, 1990.

    Google Scholar 

  20. A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In Andrew M. Odlyzko, editor, Advances in Cryptology — CRYPTO’ 86, volume 263 of LNCS, pages 186–194. Springer Verlag, 1987.

    Google Scholar 

  21. S. Galbraith. Advances in elliptic curve cryptography, chapter Pairings. Cambridge University Press, 2005.

    Google Scholar 

  22. T. Groß. Security analysis of the SAML Single Sign-on Browser/Artifact profile. In Proc. 19th Annual Computer Security Applications Conference. IEEE Computer Society, December 2003.

    Google Scholar 

  23. T. Groß and B. Pfitzmann. Proving a WS-Federation Passive Requestor profile. In ACM Workshop on Secure Web Services (SWS). ACM Press, to appear, 2004.

    Google Scholar 

  24. T. Groß, B. Pfitzmann, and A.R. Sadeghi. Browser model for security analysis of browser-based protocols. In Proc. 10th European Symposium on Research in Computer Security (ESORICS), volume 3679 of LNCS, pages 489–508. Springer, 2005.

    Google Scholar 

  25. T. Groß, B. Pfitzmann, and A.R. Sadeghi. Proving a WS-Federation Passive Requestor profile with a browser model. In ACM Workshop on Secure Web Services (SWS), pages 54–64. ACM Press, 2005.

    Google Scholar 

  26. M. Hur, R.D. Johnson, A. Medvinsky, Y. Rouskov, J. Spellman, S. Weeden, and A. Nadalin. Passive Requestor Federation Interop Scenario, Version 0.4, February 2004. ftp://www6.software.ibm.com/software/developer/library/ws-fpscenario2.d%oc.

    Google Scholar 

  27. Harris Interactive. First major post-9/11 privacy survey finds consumers demanding companies do more to protect privacy. Rochester, http://www.harrisinteractive.com/news/allnewsbydate.asp?NewsID=429, February 2002.

    Google Scholar 

  28. C. Kaler and A. Nadalin (ed.). Web Services Federation Language (WS-Federation), Version 1.0, July 2003. BEA and IBM and Microsoft and RSA Security and VeriSign, http://www-106.ibm.com/developerworks/webservices/library/ws-fed/.

    Google Scholar 

  29. C. Kaler and A. Nadalin (ed.). WS-Federation: Passive Requestor Profile, Version 1.0, July 2003. BEA and IBM and Microsoft and RSA Security and VeriSign, http://www-106.ibm.com/developerworks/library/ws-fedpass/.

    Google Scholar 

  30. D.P. Kormann and A.D. Rubin. Risks of the Passport single signon protocol. Computer Networks, 33:51–58, 1994.

    Article  Google Scholar 

  31. Liberty Alliance Project. Liberty Phase 2 final specifications, November 2003. http://www.projectliberty.org/.

    Google Scholar 

  32. A. Lysyanskaya, R. Rivest, A. Sahai, and S. Wolf. Pseudonym systems. In Howard Heys and Carlisle Adams, editors, Selected Areas in Cryptography, volume 1758 of LNCS. Springer Verlag, 1999.

    Google Scholar 

  33. Microsoft Corporation..NET Passport documentation, in particular Technical Overview, and SDK 2.1 Documentation (started 1999), September 2001.

    Google Scholar 

  34. OASIS Standard. Security assertion markup language (SAML) V1.1, Nov 2002.

    Google Scholar 

  35. OASIS Standard. Security assertion markup language (SAML) V2.0, March 2005.

    Google Scholar 

  36. T.P. Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. In Joan Feigenbaum, editor, Advances in Cryptology — CRYPTO’ 91, volume 576 of LNCS, pages 129–140. Springer Verlag, 1992.

    Google Scholar 

  37. B. Pfitzmann. Privacy in enterprise identity federation — policies for Liberty single signon. In Proc. 3rd International Workshop on Privacy Enhancing Technologies (PET), volume 2760 of LNCS, pages 189–204. Springer, 2003.

    Google Scholar 

  38. B. Pfitzmann. Privacy in enterprise identity federation — policies for Liberty 2 single signon. Elsevier Information Security Technical Report (ISTR), 9(1):45–58, 2004. http://www.sciencedirect.com/science/journal/13634127.

    Article  Google Scholar 

  39. B. Pfitzmann and M. Waidner. Privacy in browser-based attribute exchange. In Proc. 1st ACM Workshop on Privacy in the Electronic Society (WPES), pages 52–62, 2002.

    Google Scholar 

  40. B. Pfitzmann and M. Waidner. Analysis of Liberty single-signon with enabled clients. IEEE Internet Computing, 7(6):38–44, 2003.

    Article  Google Scholar 

  41. D. Pointcheval and J. Stern. Security proofs for signature schemes. In Ueli Maurer, editor, Advances in Cryptology — EUROCRYPT’ 96, volume 1070 of LNCS, pages 387–398. Springer Verlag, 1996.

    Google Scholar 

  42. C.P. Schnorr. Efficient signature generation for smart cards. Journal of Cryptology, 4(3):239–252, 1991.

    Article  MathSciNet  Google Scholar 

  43. A. Westin. Consumer privacy attitudes and actions: What the surveys find 2005–2006. Privacy Year in Review, Projections and Trends for 2006, Privacy & American Business, January 2006.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. IBM Zurich Research Laboratory, Switzerland

    Jan Camenisch & Birgit Pfitzmann

Authors
  1. Jan Camenisch
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Birgit Pfitzmann
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Philips Research Europe, High Tech Campus 34, 5656 AE, Eindhoven, The Netherlands

    Milan Petković

  2. Philips Research Europe, Philips Research / Twente University, High Tech Campus 34, 5656 AE, Eindhoven, The Netherlands

    Willem Jonker

Rights and permissions

Reprints and permissions

Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Camenisch, J., Pfitzmann, B. (2007). Federated Identity Management. In: Petković, M., Jonker, W. (eds) Security, Privacy, and Trust in Modern Data Management. Data-Centric Systems and Applications. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-69861-6_15

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-69861-6_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-69860-9

  • Online ISBN: 978-3-540-69861-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation