User-Centric Handling of Identity Agent Compromise

  • Daisuke Mashima
  • Mustaque Ahamad
  • Swagath Kannan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5789)


Abstract

Digital identity credentials are a key enabler for important online services, but widespread theft and misuse of such credentials pose serious risks for users. We believe that an identity management system (IdMS) that makes users aware of how and when their identity credentials are used is critical to the success of such services. Rapid revocation and recovery of potentially compromised credentials is also desirable. Following a user-centric identity-usage monitoring concept, we propose a way to enhance a user-centric IdMS by introducing an online monitoring agent and an inexpensive storage token; together they allow users to choose flexibly which transactions are monitored and thereby to balance security, privacy and usability. In addition, by using a threshold signature scheme, our system lets users revoke and recover credentials without communicating with identity providers. Our contributions include a system architecture, the associated protocols and an implementation of an IdMS that achieves these goals.
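To make the threshold-signature property in the abstract concrete, the following is an added example, not code from the paper (whose exact scheme, share counts and protocol messages the abstract does not give). It is a toy 2-of-3 Schnorr-style threshold signature over secp256k1 in pure Python. The choice of scheme, the three share holders (user device, identity agent, monitoring agent) and the refresh-based revocation are assumptions made here for illustration.

```python
"""Toy 2-of-3 threshold Schnorr signature over secp256k1 (pure Python 3.8+).

Added example, not the paper's code: the abstract only says a threshold
signature scheme lets the user revoke and recover credentials without the
identity provider. The Schnorr-style scheme, the three share holders
(1 = user device, 2 = identity agent, 3 = monitoring agent) and the
refresh-based revocation are assumptions for illustration.
"""
import hashlib
import secrets

# secp256k1 domain parameters (field prime, group order, base point)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7 mod P; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def share(secret, t, n):
    """Shamir-split `secret` over Z_N into n shares; any t of them reconstruct it."""
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(t - 1)]
    return {i: sum(c * pow(i, j, N) for j, c in enumerate(coeffs)) % N
            for i in range(1, n + 1)}

def lagrange(i, ids):
    """Lagrange coefficient of party i at x = 0 for the signing subset `ids`."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * (N - j) % N
            den = den * (i - j) % N
    return num * pow(den, -1, N) % N

def challenge(R, X, msg):
    """Fiat-Shamir challenge e = H(R || X || msg) mod N."""
    h = hashlib.sha256()
    for v in (R[0], R[1], X[0], X[1]):
        h.update(v.to_bytes(32, "big"))
    h.update(msg)
    return int.from_bytes(h.digest(), "big") % N

def threshold_sign(msg, X, shares, ids):
    """Each party in `ids` adds a nonce point and a partial signature; x is never rebuilt."""
    nonces = {i: secrets.randbelow(N - 1) + 1 for i in ids}
    R = None
    for i in ids:
        R = ec_add(R, ec_mul(nonces[i], G))        # R = sum of per-party nonce points
    e = challenge(R, X, msg)
    s = sum(nonces[i] + e * lagrange(i, ids) * shares[i] for i in ids) % N
    return R, s

def verify(msg, X, sig):
    """Standard Schnorr check: s*G == R + e*X."""
    R, s = sig
    return ec_mul(s, G) == ec_add(R, ec_mul(challenge(R, X, msg), X))

def refresh(shares, t):
    """Proactive re-sharing: every holder deals a sharing of 0 and each party adds
    the sub-shares it receives. The public key is unchanged, so the identity
    provider sees nothing, but a share captured before the refresh no longer
    combines with the new ones: the compromised agent's share is revoked."""
    ids = list(shares)
    zero = [share(0, t, len(ids)) for _ in ids]
    return {i: (shares[i] + sum(z[i] for z in zero)) % N for i in ids}

def demo():
    """User splits its credential-signing key 2-of-3, signs, then revokes the agent's share."""
    x = secrets.randbelow(N - 1) + 1
    X = ec_mul(x, G)                               # public key given to the identity provider
    old = share(x, 2, 3)                           # dealer discards x after this
    msg = b"constructed sample credential request"  # constructed sample input
    ok_before = verify(msg, X, threshold_sign(msg, X, old, [1, 2]))
    new = refresh(old, 2)                          # identity agent (2) assumed compromised
    ok_after = verify(msg, X, threshold_sign(msg, X, new, [1, 3]))
    mixed = {1: new[1], 2: old[2]}                 # attacker's stale share + one fresh share
    ok_mixed = verify(msg, X, threshold_sign(msg, X, mixed, [1, 2]))
    return ok_before, ok_after, ok_mixed
```

In `demo()` the first and second signatures verify while the third, which mixes the compromised agent's pre-refresh share with a fresh one, does not, and the verifier's public key `X` never changes. This toy omits the pieces a deployable scheme needs (verifiable share commitments so that parties can detect a bad dealer, a nonce-commitment round, and distributed key generation so no single party ever holds `x`); it is only meant to show why a threshold scheme lets the user revoke a share without involving the identity provider.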


Keywords (machine-generated): User device; Legitimate user; Identity agent; Monitoring agent; Identity provider



Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Daisuke Mashima, Georgia Institute of Technology, Atlanta, USA
  • Mustaque Ahamad, Georgia Institute of Technology, Atlanta, USA
  • Swagath Kannan, Georgia Institute of Technology, Atlanta, USA
