Related Work

The problem of privacy in identity management is a widely studied subject. How- ever, the data confidentiality aspects of privacy are seldom tackled. In [169], we proposed an early version of our model, a user-centric IDaaS system based in OpenID and proxy re-encryption. An overview of this system is shown in Fig- ure 6.9. It can be seen how the basic information flow of BlindIdM is already present here. Although conceived as a proof of concept, this is, to the best of our knowledge, the first work that achieves blind processing of identity information; however, trust issues arise as OpenID does not provide proper mechanisms for establishing trust. This proposal is useful for user-centric scenarios where service providers can fully trust end-users without the identity provider being able to assert any claim. One interesting aspect of this work is an economic assessment of the viability of the proposal; in rough numbers, they estimate that the cost for 2000 operations (i.e., encryptions, re-encryptions or decryptions) is 1 USD cent. This assessment is very relevant to our proposal, since the cryptographic procedures are very similar, and therefore, the economic assessment is relevant for our case.

In [170], the authors propose a solution based on deploying active bundles in the cloud provider. An active bundle is a mobile agent, in this case a virtual machine, which contains the identity information of the user and that is protected by cryptographic means. Every time an operation involves the use of identity information, the cloud provider interacts with an active bundle to retrieve this information. However, this approach seems to be impractical because of the large overhead that the use of a large container for data (a VM) introduces. Moreover, the proposal does not detail any procedure to transport these active bundles to the cloud in an efficient manner.

OpenID Provider Encrypted attributes Re-encryption OpenID Consumer Decryption User Service Provider Encryption Identity Provider 1. Requests access 2. Asks for authn.

and attributes

3. User authenticates

5. sends authn. result and re-encrypted

attributes 4. Retrieves ciphered

attributes and re- encrypts them

6. Decrypts attributes

Figure 6.9: IDaaS system based in OpenID and proxy re-encryption Another proposal, based on the use of sticky policies and trusted computing, is presented in [149]. This paper presents an interesting approach where informa- tion, together with a specific policy that should be enforced in order to disclose the data, is obfuscated before leaving the users’ domain. In this approach, a trusted authority is in charge of giving the receiver the means to de-obfuscate the information, after verifying that the receiver complies with its associated policy; trusted computing is used to ensure the integrity of both software and hardware environments of the receiver. However, this work focuses on the direct sharing of information, which makes it unusable in an identity management setting, where an identity provider is used as an intermediary and must somehow manage this information.

Much work has been carried out regarding unlinkability of users with respect to the other entities involved in the identity management processes. For example, in [171] the authors present PseudoID, a model for private federated login that achieves unlinkability of users to visited sites. To this end, a blind signature service participates during the generation of an access token that is handed to the identity provider; this access token consists of a pseudonym and a secret value, that are both used to anonymously authenticate the user. Although this work presents an interesting contribution to privacy-enhanced identity providers, it is centered on the unlinkability aspects of the authentication of users. Moreover, this model is not suitable for maintaining users’ information in the identity providers, since the providers are unable to correlate users to their pseudonyms.

With regard to the intersection of identity management, privacy and cloud com- puting, there has also been some research done. In [172], the authors propose

SPICE, an identity management system for cloud environments whose main goal is to preserve users’ privacy. SPICE satisfies a set of properties that the authors claim an identity management system in the cloud should fulfill, such as unlinka- bility and delegatable authentication. In order to accomplish this, SPICE uses a re-randomizable group signature scheme. However, the goal of SPICE is not the same as ours, since we are not tackling unlinkability, but data confidentiality. In [173], a privacy-preserving identity management system for cloud environments is presented; this system is based on zero-knowledge proofs that allow the user to prove the knowledge of a set of attributes without revealing their value. The problem of heterogeneity of attributes representation is also addressed in this work by using ontology mapping techniques. However, the authors do not tackle the privacy issues that are the main concern of our work, since in their setting, identity providers store in clear the values of the attributes of the users.

6.1.5

Summary

We proposed a solution to the problem of privacy, in the sense of data confiden- tiality, for Identity Management as a Service. BlindIdM is a model for Identity Management as a Service that guarantees user’s privacy and control even when data storage and processing is performed by untrusted clouds. Our main contri- bution is the construction of a privacy-preserving IDaaS system, where the cloud identity provider is able to offer an identity information service without knowing the actual personal information of the users. Our system uses SAML 2.0 as the underlying identity management protocol and proxy re-encryption as a means for achieving blind handling of identity information; this way, the cloud provider transforms encrypted attributes by the host organization into ciphertexts for the service provider, without being able to read their content during this process. In addition, we use standard SAML constructions for conveying this information. We believe that this approach opens up new possibilities regarding privacy in the field of identity management.