User-centric identity as a service-architecture for eIDs with selective attribute disclosure

Unique identification and secure authentication of users are essential processes in numerous security-critical areas such as e-Government, e-Banking, or e-Business. Therefore, many countries (particularly in Europe) have implemented national eID solutions within the past years. Such implementations are typically based on smart cards holding some certified collection of citizen attributes and hence follow a client-side and user-centric approach. However, most of the implementations only support all-or-nothing disclosure of citizen attributes and thus do not allow privacy-friendly selective disclosure of attributes. Consequently, the complete identity of the citizen (all attributes) is always revealed to identity providers and/or service providers. In this paper, we propose a novel user-centric identification and authentication model for eIDs, which supports selective attribute disclosure but only requires minimal changes in the existing eID architecture. In addition, our approach allows service providers to keep their infrastructure nearly untouched. The need to change that infrastructure is often an inhibitor for the use of privacy-preserving cryptography like anonymous credentials in such architectures. Furthermore, our model can easily be deployed in the public cloud as we do not require full trust in identity providers. This fully supports the Identity as a Service paradigm while at the same time preserving citizens' privacy. We demonstrate the applicability of our model by adapting the Austrian eID system to our approach.
