Abstract
Identity management system(s) (IDMS) do rely on tokens in order to function. Tokens can contribute to privacy or security risk in IDMS. Specifically, the characteristics of tokens contribute greatly to security and privacy risks in IDMS. Our understanding of how the characteristics of token contribute to privacy and security risks will help us manage the privacy and security risks in IDMS. In this article, we introduce a taxonomy of privacy and security risks contributing factors to improve our understanding of how tokens affect privacy and security in IDMS. The taxonomy is based on a survey of IDMS articles. We observed that our taxonomy can form the basis for a risk assessment model.
Chapter PDF
References
MICROSOFT CORPORATION: The identity metasystem: Towards a privacy-compliant solution to the challenges of digital identity. White paper, MICROSOFT CORPORATION (2006)
Clarke, R.: A sufficiently rich model of identity, authentication and authorisation (2010), http://www.rogerclarke.com/ID/IdModel-1002.html
Camenisch, J., Herreweghen, E.V.: Design and implementation of the idemix anonymous credential system (2002)
IBM, C.: Overview of token types. Framework document, IBM (2010), http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/cwbs_tokentype.html
Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001)
WP3: D3.1: Structured overview on prototypes and concepts of identity management systems. Deliverable 1.1, Future of Identity in the Information Society (2005)
Lutz, D.J., del Campo, R.: Bridging the gap between privacy and security in multi-domain federations with identity tokens. In: 2006 Third Annual International Conference on Mobile and Ubiquitous Systems, pp. 1–3 (2006)
Peterson, G.: Introduction to Identity Management Risk Metrics. IEEE Security & Privacy 4(4), 88–91 (2006)
Solove, D.: A taxonomy of privacy - GWU Law School Public Law Research Paper No.129. University of Pennsylvania Law Review 154(3), 477 (2006)
Office, I.C.: Privacy impact assessment handbook - version 2. Technical report, ICO, London, UK (2009)
Lutz, D.J.: Secure aaa by means of identity tokens in next generation mobile environments. In: ICWMC 2007: Proceedings of the Third International Conference on Wireless and Mobile Communications, p. 57. IEEE Computer Society, Washington, DC (2007)
Ardagna, C., Bussard, L., De Capitani di Vimercati, S., Neven, G., Paraboschi, S.: Pedrini: PrimeLife Policy Language. In: W3C Workshop on Access Control Application Scenarios, Luxembourg (2009)
Hansen, M.: Concepts of Privacy-Enhancing Identity Management for Privacy-Enhancing Security Technologies. In: Cas, J. (ed.) PRISE Conference Proceesings: Towards Privacy Enhancing Security Technologies - the Next Steps, Wien, pp. 91–103 (2009)
Iwaihara, M., Murakami, K., Ahn, G.-J., Yoshikawa, M.: Risk Evaluation for Personal Identity Management Based on Privacy Attribute Ontology. In: Li, Q., Spaccapietra, S., Yu, E., Olivé, A. (eds.) ER 2008. LNCS, vol. 5231, pp. 183–198. Springer, Heidelberg (2008)
WP2: D 2.1: Inventory of topics and clusters. Deliverable 2.0, Future of Identity in the Information Society (2005)
Pfitzmann, A., Hansen, M.: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management, A Consolidated Proposal for Terminology - v0.29 (2007), http://dud.inf.tu-dresden.de/Anon_Terminology.shtml
ISACA: The Risk IT Practitioner Guide. ISACA, 3701 Algonquin Road, Suite 1010 Rolling Meadows, IL 60008 USA (2009) ISBN: 978-1-60420-116-1
Bygrave, L.A.: Data Protection Law Approaching Its Rationale, Logic and Limits. Kluwer Law International, Dordrecht (2002)
Fritsch, L.: Profiling and Location-Based Services. In: Hildebrandt, M., Gutwirth, S. (eds.) Profiling the European Citizen - Cross-Disciplinary Perspectives, pp. 147–160. Springer, Netherlands (2008)
Hansen, M., Schwartz, A., Cooper, A.: Privacy and identity management. IEEE Security and Privacy 6(2), 38–45 (2008)
Mac Gregor, W., Dutcher, W., Khan, J.: An Ontology of Identity Credentials - Part 1: Background and Formulation. Technical report, National Institute of Standard and Technology, Gaitersburg, MD, USA (2006)
Camenisch, J., Shelat, A., Sommer, D., Fischer-Hübner, S., Hansen, M., Krasemann, H., Lacoste, G., Leenes, R., Tseng, J.: Privacy and identity management for everyone. In: DIM 2005: Proceedings of the 2005 Workshop on Digital Identity Management, pp. 20–27. ACM, New York (2005)
Bramhall, P., Hansen, M., Rannenberg, K., Roessler, T.: User-centric identity management: New trends in standardization and regulation. IEEE Security and Privacy 5, 84–87 (2007)
Bar-or, O., Thomas, B.: Openid explained (2010), http://openidexplained.com/ (Online; accessed August 18, 2010)
Kruk, S.R., Grzonkowski, S., Gzella, A., Woroniecki, T., Choi, H.C.: D-foaf: Distributed identity management with access rights delegation. In: Mizoguchi, R., Shi, Z.-Z., Giunchiglia, F. (eds.) ASWC 2006. LNCS, vol. 4185, pp. 140–154. Springer, Heidelberg (2006)
Mont, M.C., Beato, F.: On parametric obligation policies: Enabling privacy-aware information lifecycle management in enterprises. In: POLICY 2007: Proceedings of the Eighth IEEE International Workshop on Policies for Distributed Systems and Networks, pp. 51–55. IEEE Computer Society, Washington, DC (2007)
Anderson, R.J.: Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley & Sons, Inc., New York (2001)
Siponen, M.T., Oinas-Kukkonen, H.: A review of information security issues and respective research contributions. SIGMIS Database 38(1), 60–80 (2007)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 IFIP International Federation for Information Processing
About this paper
Cite this paper
Paintsil, E., Fritsch, L. (2011). A Taxonomy of Privacy and Security Risks Contributing Factors. In: Fischer-Hübner, S., Duquenoy, P., Hansen, M., Leenes, R., Zhang, G. (eds) Privacy and Identity Management for Life. Privacy and Identity 2010. IFIP Advances in Information and Communication Technology, vol 352. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-20769-3_5
Download citation
DOI: https://doi.org/10.1007/978-3-642-20769-3_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-20768-6
Online ISBN: 978-3-642-20769-3
eBook Packages: Computer ScienceComputer Science (R0)