This document summarises a talk proposing purpose-aware attribute-based encryption to preserve user privacy in federated identity management. A trusted identity provider encrypts user data under a disclosure policy that states the purposes, time limits and domains in which the data may be decrypted and used. Service providers receive a time token and a purpose token which, when combined, decrypt the data only if the purpose and time constraints of the policy are satisfied. This prevents unauthorised access and insider attacks while allowing flexible yet privacy-preserving access control over user data in distributed environments.
Privacy-preserving identity management in IDaaS
1. Privacy-preserving user identity in Identity-as-a-Service
Tri Hoang Vo
Deutsche Telekom
21st Innovation in Clouds, Internet and Networks
On behalf of
Prof. Dr. Woldemar Fuhrmann, Darmstadt University of Applied Sciences
Dr. Klaus-Peter Fischer-Hellmann, Digamma GmbH
2. 1. Introduction
Identity management (IDM)
• Personally Identifiable Information (PII) is information about a person (e.g., home address, tax identification number) that makes it possible to identify that individual.
• Applications require PII to:
  - authorise a user request (attribute-based access control);
  - complete a business transaction.
• PII may be stored in a central Identity Provider (IdP) for multiple applications to use.
  - Advantages: SSO, lower identity management cost for each application.
22.02.2018 Tri Hoang Vo / Privacy-preserving user identity in IDaaS 2
3. 1. Introduction
Federated identity management
Use case:
• Employees of Telekom use Cloud services hosted by Salesforce.
Solution:
• Employees authenticate at the Telekom IdP and access Cloud services at Salesforce.
• PII may be transferred from Telekom (trusted domain) to Salesforce (visitor domain).
Problem:
• How to control which user data the Cloud services may access?
• How to guard against honest-but-curious, malware-compromised, and malicious IdPs?
• How to prevent Salesforce operators from accessing user data (insider attack)?
4. 2. Related work
OAuth?
• The Service Provider (SP) redirects the user to an authorisation server and asks for the user's permission (yes/no).
• Limitations:
  - No fine-grained access control.
  - Requires user interaction over the frontend service → hidden chains of services are not supported.
  - Relies on an authorisation server → honest-but-curious, insider attack.
5. 2. Related work
Anonymous credentials
• The user performs a zero-knowledge proof towards an SP.
• Implementations:
  - Idemix (IBM), U-Prove (Microsoft).
  - ABC4Trust.
• Limitations:
  - User interaction over the frontend service → limitation for hidden chains of services.
  - Works in one domain only → federated IDM (multiple domains) is not supported.
6. 3. Solution
Idea: EU Data Protection Directive
OECD Privacy Guidelines:
• Data gathered for one purpose cannot be used for another purpose without user consent.
• After the purposes for which the data were gathered are fulfilled, the data must be deleted.
EU Data Protection Directive:
• PII may only be transferred to a third country if that country provides an adequate level of protection.
→ Disclosure policy based on: purpose, time, and domain (/country).
7. 3. Solution
Purpose-aware attribute-based encryption
1. A trusted IdP encrypts user data and distributes it to the federated IDM (e.g., Id1, Id2).
   → User data is encrypted with a disclosure policy.
2. The user authenticates to the trusted IdP and gets a cryptographic "time" token.
3. SP1 receives the "time" token and requests an environmental "purpose" token.
   → SP1 combines the "time" token with the "purpose" token to decrypt the user data.
   → Decryption works only if the "time" and "purpose" tokens satisfy the disclosure policy.
4. SP1 may forward the "time" token to a partner service (e.g., SP2 in Amazon).
8. 4. Implementation
Disclosure policy example
User data is disclosed if it is used:
• to complete the current transaction;
• for the purposes "purchase" and "delivery";
• by Cloud services hosted by "Salesforce" in the "EU";
• within a limited time.
[Figure: disclosure policy example, with the labels "Encrypt with pub key of Telekom" and "Encrypt with pub key of Salesforce"]
10. 4. Implementation
Purpose token
[Figure: purpose token, bound to the transaction id and bound to the user id]
• If the token combination satisfies the disclosure policy → decryption works.
• Tokens of a different user id or transaction id → decryption fails → prevents collusion attacks.
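The token combination of slides 7, 8 and 10 (policy-bound ciphertext, a "time" token from the IdP, a "purpose" token from the hosting domain, and both tokens bound to user id and transaction id), as an added Python illustration that is not code from the talk or the paper. The pairing-based ABE is replaced by symmetric stand-ins that are assumptions of this example: the IdP master secret stands in for the ABE master key, a per-domain key derived from it for the domain key the slides deliver under the domain's public key, a data key wrapped once per (purpose, time slot) for the ABE policy, and an HMAC-based encrypt-then-MAC cipher for the authenticated encryption. Class and function names, the binder construction and the sample PII are likewise constructed here.

```python
"""Toy model of purpose-aware decryption by token combination.  Added illustration,
not the pairing-based ABE of the talk or paper: the IdP master secret stands in for
the ABE master key, a per-domain key derived from it for the key the talk wraps under
the domain's public key, and a data key wrapped once per (purpose, time slot) for the
ABE policy.  Every name and derivation below is an assumption of this example."""
import hashlib
import hmac
import json
import os

def prf(key: bytes, *labels: str) -> bytes:
    """Domain-separated PRF: HMAC-SHA256 over '|'-joined labels."""
    return hmac.new(key, "|".join(labels).encode(), hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(k_enc: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(prf(k_enc, nonce.hex(), str(i)) for i in range((n + 31) // 32))[:n]

def ae_encrypt(dk: bytes, pt: bytes, ad: bytes) -> bytes:
    """Encrypt-then-MAC; the disclosure policy travels as associated data."""
    nonce = os.urandom(16)
    ct = xor(pt, keystream(prf(dk, "enc"), nonce, len(pt)))
    return nonce + ct + hmac.new(prf(dk, "mac"), ad + nonce + ct, hashlib.sha256).digest()

def ae_decrypt(dk: bytes, blob: bytes, ad: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(prf(dk, "mac"), ad + nonce + ct, hashlib.sha256).digest()):
        return None  # wrong combined key: this failure is the denied authorisation
    return xor(ct, keystream(prf(dk, "enc"), nonce, len(ct)))

class TrustedIdP:
    def __init__(self):
        self.msk = os.urandom(32)

    def domain_key(self, domain: str) -> bytes:
        return prf(self.msk, "domain", domain)  # the talk ships this under the domain's public key

    def encrypt_pii(self, user: str, pii: dict, policy: dict) -> dict:
        """policy = {"purposes": [...], "domain": str, "slots": [date, ...]}."""
        dk, k_dom, wraps = os.urandom(32), self.domain_key(policy["domain"]), {}
        for p in policy["purposes"]:
            for s in policy["slots"]:  # one wrap of dk per (purpose, slot) the policy allows
                attr = xor(prf(k_dom, "purpose", p, user), prf(self.msk, "slot", s, user))
                wraps[f"{p}@{s}"] = xor(dk, attr).hex()
        ad = json.dumps(policy, sort_keys=True).encode()
        return {"policy": policy, "wraps": wraps, "blob": ae_encrypt(dk, json.dumps(pii).encode(), ad).hex()}

    def time_token(self, user: str, tx: str, slot: str, domain: str) -> dict:
        """Issued when the user authenticates; bound to user, transaction and target domain."""
        binder = prf(self.domain_key(domain), "bind", user, tx)
        return {"slot": slot, "share": xor(prf(self.msk, "slot", slot, user), binder).hex()}

class DomainAuthority:
    """Environmental purpose-token issuer of one hosting domain (e.g. Salesforce/EU)."""
    def __init__(self, k_dom: bytes):
        self.k_dom = k_dom

    def purpose_token(self, user: str, tx: str, purpose: str) -> dict:
        binder = prf(self.k_dom, "bind", user, tx)  # cancels only against a time token for the same user/tx
        return {"purpose": purpose, "share": xor(prf(self.k_dom, "purpose", purpose, user), binder).hex()}

def sp_decrypt(pkg: dict, time_tok: dict, purpose_tok: dict):
    """Service provider side: no policy engine, just combine the two tokens and decrypt."""
    wrap = pkg["wraps"].get(f"{purpose_tok['purpose']}@{time_tok['slot']}")
    if wrap is None:
        return None  # purpose or time slot is not named in the disclosure policy
    dk = xor(bytes.fromhex(wrap), xor(bytes.fromhex(time_tok["share"]), bytes.fromhex(purpose_tok["share"])))
    pt = ae_decrypt(dk, bytes.fromhex(pkg["blob"]), json.dumps(pkg["policy"], sort_keys=True).encode())
    return None if pt is None else json.loads(pt)

def demo() -> dict:
    """Constructed scenario following the slide's policy; returns the outcome of each case."""
    idp = TrustedIdP()
    sf_eu, amazon = DomainAuthority(idp.domain_key("Salesforce/EU")), DomainAuthority(idp.domain_key("Amazon/US"))
    policy = {"purposes": ["purchase", "delivery"], "domain": "Salesforce/EU", "slots": ["2018-02-22", "2018-02-23"]}
    pkg = idp.encrypt_pii("alice", {"name": "Alice Example", "city": "Darmstadt"}, policy)  # constructed PII
    tt = idp.time_token("alice", "tx-1", "2018-02-22", "Salesforce/EU")
    ok_pt = sf_eu.purpose_token("alice", "tx-1", "purchase")
    return {
        "ok": sp_decrypt(pkg, tt, ok_pt),
        "wrong_purpose": sp_decrypt(pkg, tt, sf_eu.purpose_token("alice", "tx-1", "marketing")),
        "expired": sp_decrypt(pkg, idp.time_token("alice", "tx-1", "2018-02-24", "Salesforce/EU"), ok_pt),
        "wrong_domain": sp_decrypt(pkg, tt, amazon.purpose_token("alice", "tx-1", "purchase")),
        "other_tx": sp_decrypt(pkg, tt, sf_eu.purpose_token("alice", "tx-2", "purchase")),
        "other_user": sp_decrypt(pkg, idp.time_token("bob", "tx-1", "2018-02-22", "Salesforce/EU"), ok_pt),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} -> {'decrypted' if result else 'decryption failed'}")
```

The service-provider side contains no policy evaluation beyond picking which wrap to open: a purpose the policy does not name, a time slot outside the policy window, a purpose token from a domain other than the one the policy names, or a pair of tokens issued for a different user id or transaction id all end in a MAC failure, and the SP learns only "denied". That is the sense in which the cryptographic computation is the authorisation. An operator in the hosting domain holds only the domain key, so without a time token from a real user session the wrap cannot be opened, which is the insider case of slide 11. The per-(purpose, slot) wrapping grows linearly with the policy and the HMAC keystream is a stand-in; a deployment would use the paper's ABE and a standard AEAD such as AES-GCM.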
11. 5. Results
Evaluation:
• Performance is fast (token generation 300 ms, decryption 20 ms) → see paper.
Solved:
• Insider attack (user data stays encrypted in visitor domains).
• Malicious hosting, honest-but-curious IdP (tampering with the code → the cryptographic computation fails).
Usability:
• The cryptographic computation is the authorisation itself.
  → Our mechanism needs no authorisation server.
• Purpose-aware access control (vs. traditional access control such as RBAC) is suitable for sharing sensitive user information in a large, distributed and heterogeneous environment.
  → Internet of Things.