The evolution of identity management using the example of web-based applications

Abstract

The typical identity management (IdM) techniques used in web-based applications are about to change from application-specific means of identification, authentication and authorization towards standardized, secure and privacy-friendly mechanisms for Single Sign-On (SSO). In this paper we outline the phases of this evolution. It started with the introduction of standardized interfaces for authentication and authorization, which allowed these sensitive tasks to be shifted from the application to the web application server. In a second phase the interfaces were extended to support authentication and authorization in distributed systems and to provide SSO techniques. The third phase adds identification and aims at providing more security for distributed authentication infrastructures. Finally, there is a trend towards more privacy-friendly mechanisms for identity management in the future.
