You are here: Resources > FIDIS Deliverables > HighTechID > D3.3: Study on Mobile Identity Management > 

D3.3: Study on Mobile Identity Management

Anonymity in self-organising Networks – Difficulties and Concepts  Study on Mobile Identity Management
 AXS ID-Card


iManager – Identity Manager for Partial Identities of Mobile Users

An identity manager called iManager for mobile users is developed at the University of Freiburg, Germany. iManager enables a mobile user to communicate securely, to manage his partial identities and consequently to protects his privacy. It fulfils the requirements I.a, I.b, II.b, III.b, IV, V, IX.c and IX.d of section 2.1. This identity manager is a client side identity manager, which means that the partial identities are managed solely by the user and not by a third party. The identity manager is part of the mobile device of the user which is considered to be trustworthy. The use of iManager is described by an exemplary scenario: buying and inspection an electronic railway ticket (Gerd tom Markotten, Wohlgemuth and Müller, 2003). In this scenario, the iManager has interfaces in order to use the applications of the mobile devices: electronic ticket application, a digital wallet and a web browser. The following section describes the architecture of iManager applied to this scenario.

Architecture of the

The iManager is the central security tool of a mobile device. It offers interfaces to the user, to the security mechanisms and to the applications of a mobile device. The access to personal data and to cryptographic keys is exclusively possible by using the identity manager. An application’s request to these data will be checked by the identity manager to see whether the user has given consent to the publication of this personal data. The architecture of the iManager and its interfaces is shown in the figure 5-5. Based on a security platform with the necessary security mechanisms in order to protect the communication, the personal data and the privacy of the user, the components identity configuration, identity negotiation and confirmation of action are responsible for managing partial identities (Jendricke and Gerd tom
Markotten, 2001).



Figure 5-5: Architecture of the iManager


The user interface has to be comprehensible for security laymen, since they are not able to verify and assess the security mechanisms of the iManager and therefore a misuse of them leads to a compromise of the security and privacy of the user. The possibilities of a misuse have to be reduced (Gerd tom Markotten, 2004). The acceptance of the security tool depends on its user interface as well. In order to facilitate the use of a security tool, the protection goals of multilateral security (Rannenberg, Pfitzmann and Müller, 1997) have been classified in user and system controlled protection goals by analysing their interdependency (Jendricke and Gerd tom Markotten, 2000). This leads to a reduction of the user interface’s complexity. The user controlled protection goals anonymity and accountability are configured by partial identities and their choice in a situation. The integration of the iManager in the user interface of the mobile device is shown in the figure 5-6. At any time, the user is able to check his identity.


Figure 5-6: Integration of the iManager in the user interface of the mobile device


The identity configuration enables a user to choose and create a partial identity with respect to the current situation. A situation is defined by a communication partner, the current service and the current partial identity (Jendricke, Kreutzer and Zugenmaier, 2002). Since the anonymity level cannot increase subsequently (Wolf and Pfitzmann, 2000), any partial identity can not be chosen. If the user wants to change the current partial identity, the iManager checks if the desired anonymity level could be reached with the intended change. This component is realised functionality to edit partial identities and to store them in a secure database on the mobile device and to recognise the current situation. The secure database stores partial identities and user’s security, his privacy policies and rules for the security tools. A filter checks the data flow of the mobile device for personal data. By this means, it is possible to fill a web form according to P3P with respect to a suitable partial identity and user’s permission.

An identity negotiation is necessary, if a service needs more data from the user than he wants to publish in this situation. This conflict can be solved with a negotiation between this service and the user. A restricted automatic negotiation is possible by the implementation of P3P and consequently the comparison from the service’s and user’s security and privacy policy. In case of a conflict, iManager informs the user of this conflict and proposes solutions like a suitable partial identity for solving it. For example, in the scenario where a user wants to buy an electronic railway tickets and wants to get some premium points. For the premium points, the virtual ticket automaton requests some personal data of the user. A conflict occurs since the user acts with his partial identity anonymous. The iManager proposes to use the partial identity traveller for solving this conflict. Figure 5-7 shows this case.


Figure 5-7: Identity negotiation


The user decides his accountability and the accountability of his communication partner for each partial identity. The component confirmation of action realise the accountability of the user by a digital signature tool. It is used whenever a digital signature is required, e.g. for self-signing personal data. Since the user declares explicitly his intent, he signs with his handwritten signature and authorises the digital signature tool to sign the corresponding credential. The digital signature key is chosen by choosing the suitable partial identity. By this means, the technical functions of the key management will be shown in a more comprehensible manner (Gerd tom Markotten, Jendricke and Müller, 2001).

The security platform consists of interfaces to cryptographic primitives, anonymity services, to a session management, a secure database and to security services. Anonymity services are the foundation of identity management, since it enables to user to be anonymous towards his communication partners. The anonymity service JAP (Berthold, Federrath and Köhntopp, 2000) is used for IP networks. For spontaneous networking, a library from the University of Rostock, Germany, (Sedov, Haase, Cap and Timmermann, 2001) is used. The cryptographic primitives for encryption and digital signatures are realised by the library FlexiPKI (Buchmann, Ruppert and Tak, 1999).


The iManager of the University of Freiburg, Germany, shows that it is feasible to realise privacy and security interests of a mobile user depending on the situation by managing and appearing with different partial identities. It is further developed in order to support business processes in which services are acting on behalf of the user towards personalised services. In this kind of business processes, the user has to confidentially delegate some of his authorisations or partial identities to strange service providers while acting under a pseudonym.


Anonymity in self-organising Networks – Difficulties and Concepts  fidis-wp3-del3.3.study_on_mobile_identity_management.final_04.sxw  AXS ID-Card
30 / 36