
D11.1: Collection of Topics and Clusters of Mobility and Identity – Towards a Taxonomy of Mobility and Identity


Delegation of Rights by Identity Management

In distributed information systems, delegation of rights is the process whereby a user authorises a service to access remote resources on his behalf (Gasser, McDermott, 1990). In supply chain management, companies produce services together with other companies and go as far as delegating the execution of parts of their business processes to external service providers. Delegation is also used in heterogeneous environments where some devices, e.g. mobile devices, are not able to perform computationally expensive operations and therefore delegate them to devices with more resources, as is the case in Grid computing (Foster, Kesselman, 1999).


A delegation of rights is a delegation of credentials (Gasser, McDermott, 1990; Lampson, et al, 1992; Neuman, 1993). A credential is an authorisation: it binds attributes, e.g. access rights a on an object o, to a user s. Credentials are protected against forgery by cryptography. Service providers grant access rights to their services by verifying whether a credential belongs to the requesting user (Blaze, M., Feigenbaum, J. and Lacy, J., 1996). If a credential is delegated, its attributes are linked to the recipient (Gasser, M. and McDermott, E., 1990; Neuman, B.C., 1993; Aura, T., 1999; Welch, V., Foster, I., Kesselman, C. et al., 2004). We call such a recipient a delegatee. When a service provider receives an access request with a delegated credential, it checks this credential by verifying a chain of credentials from the requesting delegatee back to the issuer of the original credential, usually a certification authority (CA).


Sharing credentials of type X.509 (Welch, V., Foster, I., Kesselman, C. et al., 2004), SPKI (Ellison, C., Frantz, B., Lampson, B. et al, 1999), and Kerberos (Kohl, J. and Neuman, C., 1993) with others raises privacy concerns. Verification of these credentials traces back to the user along the chain of credentials, so his transactions become linkable. Additionally, the user loses control over the use of his delegated credentials, so that delegatees are later able to impersonate him. Credential-based identity management systems allow users to remain unobservable by controlling the disclosure of personal data. This is done either by using trusted identity providers that hide the identity of a user (Erdos, M. and Cantor, S., 2002; Liberty Alliance Project, 2005) or by using anonymous credentials (Brands, S., 2000; Camenisch, J. and Lysyanskaya, A., 2001). All credentials and pseudonyms of a user are based on a secret. This secret is either his password with an identity provider or a secret cryptographic key. Showing a credential means proving that the user knows this secret. If a user delegates one of his credentials, he must therefore also delegate his secret. By delegating all of his credentials and pseudonyms, he reveals his identity. A delegatee is then able to link the transactions of the user, e.g. by revoking the anonymity of this user or by gaining access to the user's profile at an identity provider. He is also able to use these credentials for any purpose. A delegation of credentials would not violate the user's privacy if he trusts this delegatee. In our opinion, this trust model is not generally suitable. The challenge is to ensure privacy when delegating personal data as credentials to delegatees whose trustworthiness cannot be established in advance.
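The following added example (not part of the FIDIS deliverable) models the chain verification described above and makes the linkability problem concrete: a service provider that validates a delegated credential necessarily walks the chain back to the CA and thereby learns which user stands behind the delegatee's request. It assumes constructed principals (a CA, the user alice, a delegatee broker) and uses HMAC with per-principal secrets as a stand-in for the signatures a real X.509 or SPKI deployment would use.

```python
import hashlib
import hmac
import json

# Constructed toy keys: each principal's HMAC secret stands in for the signing
# key it would hold in a real deployment (assumption made for this example).
KEYS = {"CA": b"ca-secret", "alice": b"alice-secret", "broker": b"broker-secret"}


def _mac(issuer, payload):
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(KEYS[issuer], msg, hashlib.sha256).hexdigest()


def issue(issuer, subject, rights, obj, parent=None):
    """Bind access rights a on object o to subject s. For a delegation,
    `parent` is the credential the issuer itself holds and passes on."""
    payload = {"issuer": issuer, "subject": subject, "rights": sorted(rights),
               "object": obj, "parent": parent}
    return {**payload, "mac": _mac(issuer, payload)}


def verify_chain(cred, trusted_root="CA"):
    """Walk from the presenting delegatee back to the CA. Returns the
    (issuer, subject) pairs seen on the way: the trail that lets a service
    provider link the delegatee's request to the original user."""
    trail = []
    while True:
        payload = {k: v for k, v in cred.items() if k != "mac"}
        if not hmac.compare_digest(_mac(cred["issuer"], payload), cred["mac"]):
            raise ValueError("bad signature on credential for %s" % cred["subject"])
        trail.append((cred["issuer"], cred["subject"]))
        parent = cred["parent"]
        if parent is None:
            if cred["issuer"] != trusted_root:
                raise ValueError("chain does not end at the trusted CA")
            return trail
        # A delegator may only pass on rights it holds itself, on the same object.
        if (cred["issuer"] != parent["subject"] or cred["object"] != parent["object"]
                or not set(cred["rights"]) <= set(parent["rights"])):
            raise ValueError("delegation by %s exceeds its own credential" % cred["issuer"])
        cred = parent


def demo():
    # CA certifies alice; alice delegates a subset of her rights to broker.
    root = issue("CA", "alice", {"read", "write"}, "/records/alice")
    delegated = issue("alice", "broker", {"read"}, "/records/alice", parent=root)
    return verify_chain(delegated)  # the trail names alice, not just broker
```

The returned trail shows why the user's transactions become linkable: every verifier of broker's request sees that the rights originate from alice, and nothing in the credential restricts the purpose for which broker may present it.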

Given below is an investigation into the privacy threats that arise when delegating personal attributes as credentials to others. It results in privacy criteria for adequate security mechanisms.


In chapter , we identify privacy threats arising while sharing capabilities with untrustworthy service providers and derive security criteria for a privacy-preserving delegation mechanism. In chapter , we evaluate credential-based identity management systems as a privacy-enhancing technology for authentication according to these privacy criteria. Finally, in chapter we conclude with our findings and give an outlook on ongoing work.

Privacy and Delegation of Rights

Relating to a flow of personal information, privacy is the ability of a person to control the availability of information about, and the exposure of, him- or herself, as defined in the FIDIS Wiki. According to this definition, a person should be able to control the disclosure of his personal data. However, it does not take the subsequent use of disclosed personal data into account, which is precisely what is at stake when sharing credentials. The judgement of the German Federal Constitutional Court relating to the 1983 census in Germany extends Westin's definition and takes up the use of disclosed personal data (German Federal Constitutional Court, 1983). This judgement also considers the processing of personal data: every person has the right to decide about the disclosure and use of personal data. Personal data means any information concerning the personal or material circumstances of an identified or identifiable individual (German Government, 2001). The judgement defines informational self-determination as the right of every person to decide on the disclosure and use of personal data. This right is restricted only in exceptional cases.


Based on this judgement, the following attacker model identifies the privacy threats of sharing credentials with delegatees whose trustworthiness cannot be assumed in advance. From it we derive criteria for privacy-preserving authentication and delegation mechanisms.


Networks  fidis-wp11-del11.1.mobility_and_identity_03.sxw  Attackers and Privacy Threats
Denis Royer 43 / 58