SlideShare ist ein Scribd-Unternehmen logo

Privacy-preserving identity management in IDaaS

•
•
Hoang Tri Vo
Hoang Tri Vo

This document proposes a solution called purpose-aware attribute-based encryption to preserve user privacy in federated identity management systems. The solution involves a trusted identity provider encrypting user data with a disclosure policy specifying purposes, time limits, and domains that the data can be decrypted and used. Service providers receive time and purpose tokens that, when combined, only allow decrypting and using user data if the purposes and time constraints in the policy are satisfied. This prevents unauthorized access and insider attacks while allowing flexible yet privacy-preserving access control over user data in distributed environments.

Internet
1 von 11
Downloaden Sie, um offline zu lesen
Privacy-preserving user identity in Identity-as-a-Service Tri Hoang Vo Deutsche Telekom 21st Innovation in Clouds, Internet and Networks On behalf of Prof. Dr. Woldemar Fuhrmann, Darmstadt University of Applied Sciences Dr. Klaus-Peter Fischer-Hellmann, Digamma GmbH
1. introduction identity management (IDM) • Personal Identifiable Information (PII) is information of a person (e.g., home address, tax identification number) which makes it possible to identify such individual. • Application requires PII to:  Authorise a user request (Attribute-based Access Control).  Complete a business transaction. • PII may be stored in a central Identity Provider (IdP) for multiple applications to use.  Advantages: SSO, less management cost for each application. 22.02.2018Tri Hoang Vo / Privacy-preserving user identity in IDaaS 2
1. introduction Federated Identity management Use case: • Employees of Telekom use Cloud services hosted by Salesforce. Solution: • Employees authenticate at Telekom IdP & access Cloud services at Salesforce. • We may transfer PII from Telekom (trusted domain) to Salesforce (visitor domain). Problem: • How to control Cloud services to access user data? • How to prevent honest-but-curious, malware, and malicious IdP? • How to prevent Salesforce operators to access user data (insider attack)? 22.02.2018Tri Hoang Vo / Privacy-preserving user identity in IDaaS 3
2. Related work OAUTH? • Service Provider (SP) redirects user to an authorisation server & ask for user permission (yes/no). • Limitations:  No fined grained access control.  Requires user interaction over frontend service  hidden chain of services not support.  Relies on an authorisation server  honest-but-curious, insider attack. 22.02.2018Tri Hoang Vo / Privacy-preserving user identity in IDaaS 4
2. Related work Anonymous credentials 22.02.2018Tri Hoang Vo / Privacy-preserving user identity in IDaaS 5 • User performs Zero-knowledge Proof to an SP. • Implementations: • Idemix (IBM), U-Prove (Microsoft). • ABC4Trust. • Limitations:  User interaction over frontend service  Limitation for hidden chain of services.  Works in one domain only  Federated IDM (multiple domains) not support.
3. solution idea: EU Data Protection Directive 22.02.2018Tri Hoang Vo / Privacy-preserving user identity in IDaaS 6 OECD Privacy guidelines: • Data gathered for one purpose cannot be used for another purpose without user consent. • After the purposes (for gathering data) are fulfilled, data must be deleted. EU Data Protection Directive: • PII only be transferred to a third country if that country provides an adequate level of protection.  Disclosure policy based on: purpose, time, and domain (/country).
3. solution purpose-aware attribute-based encryption 22.02.2018Tri Hoang Vo / Privacy-preserving user identity in IDaaS 7 1. A trusted IdP encrypts user data & distribute it to federated IDM (e.g., Id1, Id2).  User data is encrypted with a disclosure policy. 2. User authenticates to the trusted IdP & get a cryptographic “time“ token. 3. SP1 receives the “time“ token & requests an environmental “purpose“ token.  SP1 combines the “time“ token with the “purpose” token to decrypt user data.  Decryption works if the “time” and the “purpose” token satisfy the disclosure policy. 4. SP1 may forward the “time” token to a partner service (e.g., SP2 in Amazon).
4. implemtation disclosure policy example 22.02.2018Tri Hoang Vo / Privacy-preserving user identity in IDaaS 8 User data is disclosed if it is used: • To complete a current transaction. • For the purposes of “purchase” and “delivery”. • For all Cloud services hosted by “Salesforce” in “EU”. • In a limited time. Encrypt with pub key of Telekom Encrypt with pub key of Salesforce
4. implemtation time token 22.02.2018Tri Hoang Vo / Privacy-preserving user identity in IDaaS 9 Time token bind to transaction id bind to user id
4. implemtation purpose token 22.02.2018Tri Hoang Vo / Privacy-preserving user identity in IDaaS 10 Purpose token bind to transaction id bind to user id • If token combination satisfies disclosure policy  Decryption works. • Tokens of different user id and transaction id  decryption fails  prevent collusion attack.
5. results 22.02.2018Tri Hoang Vo / Privacy-preserving user identity in IDaaS 11 Evaluation: • Performance is fast (token generation 300ms, decryption 20ms)  See paper. Solved: • Insider attack (user data is encrypted in visitor domains). • Malicious hosting, honest-but-curious IdP (tamper codes  cryptographic computation fails). Usability: • Cryptographic computation is the authorisation itself.  Our mechanism is used where no authorisation server needed. • Purpose-aware access control (vs. traditional access control like RBAC) is suitable for sharing sensitive user information in a large distributed and heterogeneous environment.  Internet of things.

Empfohlen

Week13presentation
Week13presentationWeek13presentation
Week13presentations1160163
 
Privacy preserving computing and secure multi party computation
Privacy preserving computing and secure multi party computationPrivacy preserving computing and secure multi party computation
Privacy preserving computing and secure multi party computationUlf Mattsson
 
ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...Ulf Mattsson
 
Gdpr questions for compliance difficulties
Gdpr questions for compliance difficultiesGdpr questions for compliance difficulties
Gdpr questions for compliance difficultiesSteven Meister
 
Secure Code Warrior - Privacy
Secure Code Warrior - PrivacySecure Code Warrior - Privacy
Secure Code Warrior - PrivacySecure Code Warrior
 
New generation of Internet Cyber Security
New generation of Internet Cyber SecurityNew generation of Internet Cyber Security
New generation of Internet Cyber SecurityChristian Sauer
 
Eight principles of consumer data privacy
Eight principles of consumer data privacyEight principles of consumer data privacy
Eight principles of consumer data privacySolix Technologies, Inc
 
IRJET- Blockchain Technology in Cloud Computing : A Systematic Review
IRJET- Blockchain Technology in Cloud Computing : A Systematic ReviewIRJET- Blockchain Technology in Cloud Computing : A Systematic Review
IRJET- Blockchain Technology in Cloud Computing : A Systematic ReviewIRJET Journal
 

Empfohlen

Week13presentation
Week13presentationWeek13presentation
Week13presentations1160163
 
Privacy preserving computing and secure multi party computation
Privacy preserving computing and secure multi party computationPrivacy preserving computing and secure multi party computation
Privacy preserving computing and secure multi party computationUlf Mattsson
 
ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...Ulf Mattsson
 
Gdpr questions for compliance difficulties
Gdpr questions for compliance difficultiesGdpr questions for compliance difficulties
Gdpr questions for compliance difficultiesSteven Meister
 
Secure Code Warrior - Privacy
Secure Code Warrior - PrivacySecure Code Warrior - Privacy
Secure Code Warrior - PrivacySecure Code Warrior
 
New generation of Internet Cyber Security
New generation of Internet Cyber SecurityNew generation of Internet Cyber Security
New generation of Internet Cyber SecurityChristian Sauer
 
Eight principles of consumer data privacy
Eight principles of consumer data privacyEight principles of consumer data privacy
Eight principles of consumer data privacySolix Technologies, Inc
 
IRJET- Blockchain Technology in Cloud Computing : A Systematic Review
IRJET- Blockchain Technology in Cloud Computing : A Systematic ReviewIRJET- Blockchain Technology in Cloud Computing : A Systematic Review
IRJET- Blockchain Technology in Cloud Computing : A Systematic ReviewIRJET Journal
 
Cyber Security
Cyber Security Cyber Security
Cyber Security Gururaj H L
 
Iaetsd secure emails an integrity assured email
Iaetsd secure emails an integrity assured emailIaetsd secure emails an integrity assured email
Iaetsd secure emails an integrity assured emailIaetsd Iaetsd
 
IRJET- A Survey on Cryptography, Encryption and Compression Techniques
IRJET- A Survey on Cryptography, Encryption and Compression TechniquesIRJET- A Survey on Cryptography, Encryption and Compression Techniques
IRJET- A Survey on Cryptography, Encryption and Compression TechniquesIRJET Journal
 
dev.privacy: GDPR in a nutshell - Evan Tedeschi - Codemotion Rome 2018
dev.privacy: GDPR in a nutshell - Evan Tedeschi - Codemotion Rome 2018dev.privacy: GDPR in a nutshell - Evan Tedeschi - Codemotion Rome 2018
dev.privacy: GDPR in a nutshell - Evan Tedeschi - Codemotion Rome 2018Codemotion
 
Leveraging the Power of Image Tokens
Leveraging the Power of Image TokensLeveraging the Power of Image Tokens
Leveraging the Power of Image TokensHughes Systique Corporation
 
GDPR Compliance & Data-Centric Security | Seclore
GDPR Compliance & Data-Centric Security | SecloreGDPR Compliance & Data-Centric Security | Seclore
GDPR Compliance & Data-Centric Security | SecloreSeclore
 
Computer Security Test
Computer Security TestComputer Security Test
Computer Security Testkhant14
 
Towards a Privacy-Friendly Internet of Things
Towards a Privacy-Friendly Internet of ThingsTowards a Privacy-Friendly Internet of Things
Towards a Privacy-Friendly Internet of ThingsInternational Institute of Communications
 
Ecommerce security
Ecommerce securityEcommerce security
Ecommerce securitypolitegcuf
 
Seclore for Forcepoint DLP
Seclore for Forcepoint DLPSeclore for Forcepoint DLP
Seclore for Forcepoint DLPSeclore
 
Eamonn O Raghallaigh The Major Security Issues In E Commerce
Eamonn O Raghallaigh The Major Security Issues In E CommerceEamonn O Raghallaigh The Major Security Issues In E Commerce
Eamonn O Raghallaigh The Major Security Issues In E CommerceEamonnORagh
 
Privacy and Security Issues in E-Commerce
Privacy and Security Issues in E-Commerce Privacy and Security Issues in E-Commerce
Privacy and Security Issues in E-Commerce Titas Ahmed
 
E commerce security
E commerce securityE commerce security
E commerce securityShakti Singh
 
Web security for e-commerce
Web security for e-commerceWeb security for e-commerce
Web security for e-commerceNishant Pahad
 
Customer Data Privacy & Protection | Seclore
Customer Data Privacy & Protection | SecloreCustomer Data Privacy & Protection | Seclore
Customer Data Privacy & Protection | SecloreSeclore
 
IQProtector Suite
IQProtector SuiteIQProtector Suite
IQProtector SuiteSecure Islands - Data Security Policy
 
Security issues in E-commerce
Security issues in E-commerceSecurity issues in E-commerce
Security issues in E-commercenikitaTahilyani1
 
Dw communication
Dw communicationDw communication
Dw communicationArjun Chetry
 
GARTNER IT EXPO - Protecting Content in a Mobile & Cloud World
GARTNER IT EXPO - Protecting Content in a Mobile & Cloud WorldGARTNER IT EXPO - Protecting Content in a Mobile & Cloud World
GARTNER IT EXPO - Protecting Content in a Mobile & Cloud WorldSri Chilukuri
 
Mcafee CASB/DLP + Seclore Rights Management Solutions
Mcafee CASB/DLP + Seclore Rights Management Solutions Mcafee CASB/DLP + Seclore Rights Management Solutions
Mcafee CASB/DLP + Seclore Rights Management Solutions Seclore
 
ISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudUlf Mattsson
 
OneTK: Key Distribution Center at Cloud Providers towards End to End, Securit...
OneTK: Key Distribution Center at Cloud Providers towards End to End, Securit...OneTK: Key Distribution Center at Cloud Providers towards End to End, Securit...
OneTK: Key Distribution Center at Cloud Providers towards End to End, Securit...Editor IJMTER
 

Weitere ähnliche Inhalte

Was ist angesagt?

Cyber Security
Cyber Security Cyber Security
Cyber Security Gururaj H L
 
Iaetsd secure emails an integrity assured email
Iaetsd secure emails an integrity assured emailIaetsd secure emails an integrity assured email
Iaetsd secure emails an integrity assured emailIaetsd Iaetsd
 
IRJET- A Survey on Cryptography, Encryption and Compression Techniques
IRJET- A Survey on Cryptography, Encryption and Compression TechniquesIRJET- A Survey on Cryptography, Encryption and Compression Techniques
IRJET- A Survey on Cryptography, Encryption and Compression TechniquesIRJET Journal
 
dev.privacy: GDPR in a nutshell - Evan Tedeschi - Codemotion Rome 2018
dev.privacy: GDPR in a nutshell - Evan Tedeschi - Codemotion Rome 2018dev.privacy: GDPR in a nutshell - Evan Tedeschi - Codemotion Rome 2018
dev.privacy: GDPR in a nutshell - Evan Tedeschi - Codemotion Rome 2018Codemotion
 
GDPR Compliance & Data-Centric Security | Seclore
GDPR Compliance & Data-Centric Security | SecloreGDPR Compliance & Data-Centric Security | Seclore
GDPR Compliance & Data-Centric Security | SecloreSeclore
 
Computer Security Test
Computer Security TestComputer Security Test
Computer Security Testkhant14
 
Ecommerce security
Ecommerce securityEcommerce security
Ecommerce securitypolitegcuf
 
Seclore for Forcepoint DLP
Seclore for Forcepoint DLPSeclore for Forcepoint DLP
Seclore for Forcepoint DLPSeclore
 
Eamonn O Raghallaigh The Major Security Issues In E Commerce
Eamonn O Raghallaigh The Major Security Issues In E CommerceEamonn O Raghallaigh The Major Security Issues In E Commerce
Eamonn O Raghallaigh The Major Security Issues In E CommerceEamonnORagh
 
Privacy and Security Issues in E-Commerce
Privacy and Security Issues in E-Commerce Privacy and Security Issues in E-Commerce
Privacy and Security Issues in E-Commerce Titas Ahmed
 
E commerce security
E commerce securityE commerce security
E commerce securityShakti Singh
 
Web security for e-commerce
Web security for e-commerceWeb security for e-commerce
Web security for e-commerceNishant Pahad
 
Customer Data Privacy & Protection | Seclore
Customer Data Privacy & Protection | SecloreCustomer Data Privacy & Protection | Seclore
Customer Data Privacy & Protection | SecloreSeclore
 
Security issues in E-commerce
Security issues in E-commerceSecurity issues in E-commerce
Security issues in E-commercenikitaTahilyani1
 
Dw communication
Dw communicationDw communication
Dw communicationArjun Chetry
 
GARTNER IT EXPO - Protecting Content in a Mobile & Cloud World
GARTNER IT EXPO - Protecting Content in a Mobile & Cloud WorldGARTNER IT EXPO - Protecting Content in a Mobile & Cloud World
GARTNER IT EXPO - Protecting Content in a Mobile & Cloud WorldSri Chilukuri
 
Mcafee CASB/DLP + Seclore Rights Management Solutions
Mcafee CASB/DLP + Seclore Rights Management Solutions Mcafee CASB/DLP + Seclore Rights Management Solutions
Mcafee CASB/DLP + Seclore Rights Management Solutions Seclore
 

Was ist angesagt? (20)

Cyber Security
Cyber Security Cyber Security
Cyber Security
 
Iaetsd secure emails an integrity assured email
Iaetsd secure emails an integrity assured emailIaetsd secure emails an integrity assured email
Iaetsd secure emails an integrity assured email
 
IRJET- A Survey on Cryptography, Encryption and Compression Techniques
IRJET- A Survey on Cryptography, Encryption and Compression TechniquesIRJET- A Survey on Cryptography, Encryption and Compression Techniques
IRJET- A Survey on Cryptography, Encryption and Compression Techniques
 
dev.privacy: GDPR in a nutshell - Evan Tedeschi - Codemotion Rome 2018
dev.privacy: GDPR in a nutshell - Evan Tedeschi - Codemotion Rome 2018dev.privacy: GDPR in a nutshell - Evan Tedeschi - Codemotion Rome 2018
dev.privacy: GDPR in a nutshell - Evan Tedeschi - Codemotion Rome 2018
 
Leveraging the Power of Image Tokens
Leveraging the Power of Image TokensLeveraging the Power of Image Tokens
Leveraging the Power of Image Tokens
 
GDPR Compliance & Data-Centric Security | Seclore
GDPR Compliance & Data-Centric Security | SecloreGDPR Compliance & Data-Centric Security | Seclore
GDPR Compliance & Data-Centric Security | Seclore
 
Computer Security Test
Computer Security TestComputer Security Test
Computer Security Test
 
Towards a Privacy-Friendly Internet of Things
Towards a Privacy-Friendly Internet of ThingsTowards a Privacy-Friendly Internet of Things
Towards a Privacy-Friendly Internet of Things
 
Ecommerce security
Ecommerce securityEcommerce security
Ecommerce security
 
Seclore for Forcepoint DLP
Seclore for Forcepoint DLPSeclore for Forcepoint DLP
Seclore for Forcepoint DLP
 
Eamonn O Raghallaigh The Major Security Issues In E Commerce
Eamonn O Raghallaigh The Major Security Issues In E CommerceEamonn O Raghallaigh The Major Security Issues In E Commerce
Eamonn O Raghallaigh The Major Security Issues In E Commerce
 
Privacy and Security Issues in E-Commerce
Privacy and Security Issues in E-Commerce Privacy and Security Issues in E-Commerce
Privacy and Security Issues in E-Commerce
 
E commerce security
E commerce securityE commerce security
E commerce security
 
Web security for e-commerce
Web security for e-commerceWeb security for e-commerce
Web security for e-commerce
 
Customer Data Privacy & Protection | Seclore
Customer Data Privacy & Protection | SecloreCustomer Data Privacy & Protection | Seclore
Customer Data Privacy & Protection | Seclore
 
IQProtector Suite
IQProtector SuiteIQProtector Suite
IQProtector Suite
 
Security issues in E-commerce
Security issues in E-commerceSecurity issues in E-commerce
Security issues in E-commerce
 
Dw communication
Dw communicationDw communication
Dw communication
 
GARTNER IT EXPO - Protecting Content in a Mobile & Cloud World
GARTNER IT EXPO - Protecting Content in a Mobile & Cloud WorldGARTNER IT EXPO - Protecting Content in a Mobile & Cloud World
GARTNER IT EXPO - Protecting Content in a Mobile & Cloud World
 
Mcafee CASB/DLP + Seclore Rights Management Solutions
Mcafee CASB/DLP + Seclore Rights Management Solutions Mcafee CASB/DLP + Seclore Rights Management Solutions
Mcafee CASB/DLP + Seclore Rights Management Solutions
 

Ähnlich wie Privacy-preserving identity management in IDaaS

ISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudUlf Mattsson
 
OneTK: Key Distribution Center at Cloud Providers towards End to End, Securit...
OneTK: Key Distribution Center at Cloud Providers towards End to End, Securit...OneTK: Key Distribution Center at Cloud Providers towards End to End, Securit...
OneTK: Key Distribution Center at Cloud Providers towards End to End, Securit...Editor IJMTER
 
Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...Ulf Mattsson
 
Safeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningSafeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningUlf Mattsson
 
Unlock the potential of data security 2020
Unlock the potential of data security 2020Unlock the potential of data security 2020
Unlock the potential of data security 2020Ulf Mattsson
 
How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy
How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy
How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy Digital Transformation EXPO Event Series
 
Data Security Whitepaper
Data Security WhitepaperData Security Whitepaper
Data Security WhitepaperSample Solutions
 
The Value of User and Data Centricity Beyond IoT Devices: Stein Myrseth and G...
The Value of User and Data Centricity Beyond IoT Devices: Stein Myrseth and G...The Value of User and Data Centricity Beyond IoT Devices: Stein Myrseth and G...
The Value of User and Data Centricity Beyond IoT Devices: Stein Myrseth and G...ForgeRock
 
Isaca atlanta ulf mattsson - do you have a roadmap for eu gdpr
Isaca atlanta ulf mattsson - do you have a roadmap for eu gdprIsaca atlanta ulf mattsson - do you have a roadmap for eu gdpr
Isaca atlanta ulf mattsson - do you have a roadmap for eu gdprUlf Mattsson
 
IRJET-Domain Data Security on Cloud
IRJET-Domain Data Security on CloudIRJET-Domain Data Security on Cloud
IRJET-Domain Data Security on CloudIRJET Journal
 
Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...
Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...
Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...Symantec
 
Beyond GDPR Compliance - Role of Internal Audit
Beyond GDPR Compliance - Role of Internal AuditBeyond GDPR Compliance - Role of Internal Audit
Beyond GDPR Compliance - Role of Internal AuditOmo Osagiede
 
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaPrivacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaUlf Mattsson
 
Nimbox presentation
Nimbox presentationNimbox presentation
Nimbox presentationJason Newell
 
Identity as a Service: a missing gap for moving enterprise applications in In...
Identity as a Service: a missing gap for moving enterprise applications in In...Identity as a Service: a missing gap for moving enterprise applications in In...
Identity as a Service: a missing gap for moving enterprise applications in In...Hoang Tri Vo
 
Smart Cards & Devices Forum 2013 - Protecting enterprise sensitive informatio...
Smart Cards & Devices Forum 2013 - Protecting enterprise sensitive informatio...Smart Cards & Devices Forum 2013 - Protecting enterprise sensitive informatio...
Smart Cards & Devices Forum 2013 - Protecting enterprise sensitive informatio...OKsystem
 
Protecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKProtecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKUlf Mattsson
 
Encrytpion information security last stand
Encrytpion information security last standEncrytpion information security last stand
Encrytpion information security last standGeorge Delikouras
 
ISACA Houston - Practical data privacy and de-identification techniques
ISACA Houston - Practical data privacy and de-identification techniquesISACA Houston - Practical data privacy and de-identification techniques
ISACA Houston - Practical data privacy and de-identification techniquesUlf Mattsson
 

Ähnlich wie Privacy-preserving identity management in IDaaS (20)

ISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloud
 
OneTK: Key Distribution Center at Cloud Providers towards End to End, Securit...
OneTK: Key Distribution Center at Cloud Providers towards End to End, Securit...OneTK: Key Distribution Center at Cloud Providers towards End to End, Securit...
OneTK: Key Distribution Center at Cloud Providers towards End to End, Securit...
 
Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...
 
GDPR- The Buck Stops Here
GDPR- The Buck Stops HereGDPR- The Buck Stops Here
GDPR- The Buck Stops Here
 
Safeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningSafeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learning
 
Unlock the potential of data security 2020
Unlock the potential of data security 2020Unlock the potential of data security 2020
Unlock the potential of data security 2020
 
How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy
How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy
How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy
 
Data Security Whitepaper
Data Security WhitepaperData Security Whitepaper
Data Security Whitepaper
 
The Value of User and Data Centricity Beyond IoT Devices: Stein Myrseth and G...
The Value of User and Data Centricity Beyond IoT Devices: Stein Myrseth and G...The Value of User and Data Centricity Beyond IoT Devices: Stein Myrseth and G...
The Value of User and Data Centricity Beyond IoT Devices: Stein Myrseth and G...
 
Isaca atlanta ulf mattsson - do you have a roadmap for eu gdpr
Isaca atlanta ulf mattsson - do you have a roadmap for eu gdprIsaca atlanta ulf mattsson - do you have a roadmap for eu gdpr
Isaca atlanta ulf mattsson - do you have a roadmap for eu gdpr
 
IRJET-Domain Data Security on Cloud
IRJET-Domain Data Security on CloudIRJET-Domain Data Security on Cloud
IRJET-Domain Data Security on Cloud
 
Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...
Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...
Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...
 
Beyond GDPR Compliance - Role of Internal Audit
Beyond GDPR Compliance - Role of Internal AuditBeyond GDPR Compliance - Role of Internal Audit
Beyond GDPR Compliance - Role of Internal Audit
 
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaPrivacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA Atlanta
 
Nimbox presentation
Nimbox presentationNimbox presentation
Nimbox presentation
 
Identity as a Service: a missing gap for moving enterprise applications in In...
Identity as a Service: a missing gap for moving enterprise applications in In...Identity as a Service: a missing gap for moving enterprise applications in In...
Identity as a Service: a missing gap for moving enterprise applications in In...
 
Smart Cards & Devices Forum 2013 - Protecting enterprise sensitive informatio...
Smart Cards & Devices Forum 2013 - Protecting enterprise sensitive informatio...Smart Cards & Devices Forum 2013 - Protecting enterprise sensitive informatio...
Smart Cards & Devices Forum 2013 - Protecting enterprise sensitive informatio...
 
Protecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKProtecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UK
 
Encrytpion information security last stand
Encrytpion information security last standEncrytpion information security last stand
Encrytpion information security last stand
 
ISACA Houston - Practical data privacy and de-identification techniques
ISACA Houston - Practical data privacy and de-identification techniquesISACA Houston - Practical data privacy and de-identification techniques
ISACA Houston - Practical data privacy and de-identification techniques
 

KĂźrzlich hochgeladen

FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 

KĂźrzlich hochgeladen (20)

FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 

Privacy-preserving identity management in IDaaS

  • 1. Privacy-preserving user identity in Identity-as-a-Service Tri Hoang Vo Deutsche Telekom 21st Innovation in Clouds, Internet and Networks On behalf of Prof. Dr. Woldemar Fuhrmann, Darmstadt University of Applied Sciences Dr. Klaus-Peter Fischer-Hellmann, Digamma GmbH
  • 2. 1. introduction identity management (IDM) • Personal Identifiable Information (PII) is information of a person (e.g., home address, tax identification number) which makes it possible to identify such individual. • Application requires PII to:  Authorise a user request (Attribute-based Access Control).  Complete a business transaction. • PII may be stored in a central Identity Provider (IdP) for multiple applications to use.  Advantages: SSO, less management cost for each application. 22.02.2018Tri Hoang Vo / Privacy-preserving user identity in IDaaS 2
  • 3. 1. introduction Federated Identity management Use case: • Employees of Telekom use Cloud services hosted by Salesforce. Solution: • Employees authenticate at Telekom IdP & access Cloud services at Salesforce. • We may transfer PII from Telekom (trusted domain) to Salesforce (visitor domain). Problem: • How to control Cloud services to access user data? • How to prevent honest-but-curious, malware, and malicious IdP? • How to prevent Salesforce operators to access user data (insider attack)? 22.02.2018Tri Hoang Vo / Privacy-preserving user identity in IDaaS 3
  • 4. 2. Related work OAUTH? • Service Provider (SP) redirects user to an authorisation server & ask for user permission (yes/no). • Limitations:  No fined grained access control.  Requires user interaction over frontend service  hidden chain of services not support.  Relies on an authorisation server  honest-but-curious, insider attack. 22.02.2018Tri Hoang Vo / Privacy-preserving user identity in IDaaS 4
  • 5. 2. Related work Anonymous credentials 22.02.2018Tri Hoang Vo / Privacy-preserving user identity in IDaaS 5 • User performs Zero-knowledge Proof to an SP. • Implementations: • Idemix (IBM), U-Prove (Microsoft). • ABC4Trust. • Limitations:  User interaction over frontend service  Limitation for hidden chain of services.  Works in one domain only  Federated IDM (multiple domains) not support.
  • 6. 3. solution idea: EU Data Protection Directive 22.02.2018Tri Hoang Vo / Privacy-preserving user identity in IDaaS 6 OECD Privacy guidelines: • Data gathered for one purpose cannot be used for another purpose without user consent. • After the purposes (for gathering data) are fulfilled, data must be deleted. EU Data Protection Directive: • PII only be transferred to a third country if that country provides an adequate level of protection.  Disclosure policy based on: purpose, time, and domain (/country).
  • 7. 3. solution purpose-aware attribute-based encryption 22.02.2018Tri Hoang Vo / Privacy-preserving user identity in IDaaS 7 1. A trusted IdP encrypts user data & distribute it to federated IDM (e.g., Id1, Id2).  User data is encrypted with a disclosure policy. 2. User authenticates to the trusted IdP & get a cryptographic “time“ token. 3. SP1 receives the “time“ token & requests an environmental “purpose“ token.  SP1 combines the “time“ token with the “purpose” token to decrypt user data.  Decryption works if the “time” and the “purpose” token satisfy the disclosure policy. 4. SP1 may forward the “time” token to a partner service (e.g., SP2 in Amazon).
  • 8. 4. implemtation disclosure policy example 22.02.2018Tri Hoang Vo / Privacy-preserving user identity in IDaaS 8 User data is disclosed if it is used: • To complete a current transaction. • For the purposes of “purchase” and “delivery”. • For all Cloud services hosted by “Salesforce” in “EU”. • In a limited time. Encrypt with pub key of Telekom Encrypt with pub key of Salesforce
  • 9. 4. implemtation time token 22.02.2018Tri Hoang Vo / Privacy-preserving user identity in IDaaS 9 Time token bind to transaction id bind to user id
  • 10. 4. implemtation purpose token 22.02.2018Tri Hoang Vo / Privacy-preserving user identity in IDaaS 10 Purpose token bind to transaction id bind to user id • If token combination satisfies disclosure policy  Decryption works. • Tokens of different user id and transaction id  decryption fails  prevent collusion attack.
  • 11. 5. results 22.02.2018Tri Hoang Vo / Privacy-preserving user identity in IDaaS 11 Evaluation: • Performance is fast (token generation 300ms, decryption 20ms)  See paper. Solved: • Insider attack (user data is encrypted in visitor domains). • Malicious hosting, honest-but-curious IdP (tamper codes  cryptographic computation fails). Usability: • Cryptographic computation is the authorisation itself.  Our mechanism is used where no authorisation server needed. • Purpose-aware access control (vs. traditional access control like RBAC) is suitable for sharing sensitive user information in a large distributed and heterogeneous environment.  Internet of things.