User-Centric Handling of Identity Agent Compromise

Digital identity credentials are a key enabler for important online services, but widespread theft and misuse of such credentials poses serious risks for users. We believe that an identity management system (IdMS) that empowers users to become aware of how and when their identity credentials are used is critical for the success of such online services. Furthermore, rapid revocation and recovery of potentially compromised credentials is desirable. By following a user-centric identity-usage monitoring concept, we propose a way to enhance a user-centric IdMS by introducing an online monitoring agent and an inexpensive storage token that allow users to flexibly choose transactions to be monitored and thereby to balance security, privacy and usability. In addition, by utilizing a threshold signature scheme, our system enables users to revoke and recover credentials without communicating with identity providers. Our contributions include a system architecture, associated protocols and an actual implementation of an IdMS that achieves these goals.

[1]  M. Ahamad,et al.  Towards a User-Centric Identity-Usage Monitoring System , 2008, 2008 The Third International Conference on Internet Monitoring and Protection.

[2]  Yvo Desmedt,et al.  Some Recent Research Aspects of Threshold Cryptography , 1997, ISW.

[3]  Trent Jaeger,et al.  PRIMA: policy-reduced integrity measurement architecture , 2006, SACMAT '06.

[4]  K. Cameron,et al.  The Laws of Identity , 2005 .

[5]  Marit Hansen,et al.  Privacy-enhancing identity management , 2004, Inf. Secur. Tech. Rep..

[6]  Michael Wiener,et al.  Advances in Cryptology — CRYPTO’ 99 , 1999 .

[7]  B. Lampson,et al.  Authentication in distributed systems: theory and practice , 1991, TOCS.

[8]  David Cash,et al.  Minimal information disclosure with efficiently verifiable credentials , 2008, DIM '08.

[9]  Victor Shoup,et al.  Practical Threshold Signatures , 2000, EUROCRYPT.

[10]  Cédric Tabin,et al.  Liberty Alliance Project , 2007 .

[11]  Yvo Desmedt,et al.  Threshold Cryptosystems , 1989, CRYPTO.

[12]  Robin Kravets,et al.  MOCA : MObile Certificate Authority for Wireless Ad Hoc Networks , 2004 .

[13]  Abhilasha Bhargav-Spantzel,et al.  User centricity: a taxonomy and open issues , 2006, DIM '06.

[14]  Drummond Reed,et al.  OpenID 2.0: a platform for user-centric identity management , 2006, DIM '06.

[15]  Robbert van Renesse,et al.  COCA: a secure distributed online certification authority , 2002, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[16]  Bart Preneel,et al.  Advances in cryptology - EUROCRYPT 2000 : International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, May 14-18, 2000 : proceedings , 2000 .

[17]  Michael K. Reiter,et al.  Networked cryptographic devices resilient to capture , 2003, International Journal of Information Security.