Privacy-aware identity management for client-side mashup applications

This paper concerns the problem of identity management in modern Web-2.0-based mashup applications. Identity management supports convenient access to information when mashups are used in sensitive environments, such as banking, investment and online shopping, by providing services such as single sign-on. We present Web2ID, a new identity management protocol tailored for mashup applications. Web2ID leverages a secure mashup framework and enables transfer of credentials between a service provider and a consumer. We also describe a new relay framework in which communication between two service providers is mediated by a relay agent within the mashup. We show that Web2ID is privacy-preserving and prevents service providers from learning a user's surfing habits. We present an implementation of Web2ID and the relay framework using a JavaScript-based library that executes within the browser. Our implementation does not require client-side changes and is therefore fully compatible even with legacy browsers. We also highlight the key challenges faced in creating a portable, in-browser library to support identity management in mashups.
