D11.1: Collection of Topics and Clusters of Mobility and Identity – Towards a Taxonomy of Mobility and Identity
Our attacker model takes two types of attackers into account: outsiders of the user’s communication relationships and his communication partners. Attackers aim to trace and later to impersonate the user. We assume that an attacker cannot break cryptographic primitives and does not control the communication network.
Outsiders try to trace the user by observing his communication relationships. They also try to intercept a delegated credential in order to learn about the user from the content of that credential. Communication partners who act as attackers obtain personal data from the credentials a user delegates to them. Besides tracing a user, an untrustworthy delegatee aims to impersonate him: he tries to use a delegated credential for his own purposes. We identify the following privacy threats in a delegation of credentials:
Identifying a user: A credential certifies a property of its holder, i.e. it carries personal data. If a credential contains identifying personal data, its user can be identified whenever it is shown.
Tracing a user: Credentials are bound to a cryptographic key or a user identifier. This association is proven by showing a credential. A service provider to whom a credential has been shown or delegated is able to trace a user and link his transactions by this association.
Impersonation of a user contrary to the purpose of a delegation: The process of delegation binds the particular credential to a delegatee. This delegatee is now able to use the credential not only for the delegation purpose but also for his own purposes, e.g. to get access to services and to obtain credentials linked to his own identity.
Re-delegation of a credential: A delegatee shares a delegated credential of a user with other service providers. Anyone who obtains the credential in this way is then able to impersonate the user.
These threats show that privacy in the delegation of rights combines threats of identification and profiling with threats of unauthorised access to delegated credentials.
Privacy Criteria for Delegation of Rights
Since attacks from outsiders can be prevented by anonymity mechanisms, e.g. mix networks (Chaum, D., 1981), and cryptography (Anderson, R., 2001), we focus on attacks by untrustworthy service providers. An essential requirement for security in distributed systems is that each participant is able to specify its own security interests and that these interests are guaranteed by the system (Rannenberg, K., Pfitzmann, A. and Müller, G., 1999). Therefore, we divide the criteria for a privacy-preserving delegation mechanism into two classes: The first class considers the interests of a user concerning observability and misuse of delegated credentials. The second class considers accountability of a user from the perspective of service providers. Our criteria also take the data protection directives 95/46/EC (European Commission, 1995) and 2002/58/EC (European Commission, 2002) of the European Commission into account.
In order to fulfil the interests of a user, a privacy-preserving delegation mechanism must fulfil the following criteria:
Authentication without revealing identifying data: The statement of a credential, as well as its association with a user should be shown without revealing any identifying data to the service provider. A delegation should delegate the statement of the credential and not the identifying data.
Non-linkability of transactions: Credentials should be shown and delegated with different pseudonyms of a user so that the corresponding transactions cannot be linked together.
Least privilege: Service providers may request more rights than are necessary for the purpose for which they are collected. A user must be able to control the disclosure of his credentials so that only credentials relating to the purpose of a delegation are given to a service provider.
Preventing misuse of delegated credentials: The use of a delegated credential should be bound to the purpose of the delegation. We define the purpose by the delegatee, the services or service types to which the delegatee is allowed to show the credential, the validity period of the delegated credential, the allowed number of uses, and whether the recipient is allowed to re-delegate the credential. The appropriate use of a delegated credential should be guaranteed and verifiable.
Restricting re-delegation of a credential: A re-delegated credential should only be valid if the user has given his consent to the re-delegation. This should be verifiable.
Revocation of a credential: A user must be able to revoke a delegated credential if the delegation purpose has ended earlier than expected, the certified statement is no longer valid, or the delegatee has turned out to be an attacker.
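The purpose fields defined above (delegatee, allowed service types, validity, number of uses, consent to re-delegation) and the revocation criterion can be made verifiable by an end service provider as follows. This is an added illustration, not code from the FIDIS deliverable; all names are assumed, and an HMAC under the owner's key stands in for the owner's signature so that the example runs offline.

```python
import hashlib, hmac, json
from dataclasses import dataclass, asdict

def _sign(key: bytes, fields: dict) -> str:
    # Simplification: an HMAC under the owner's key stands in for the owner's
    # signature that makes the delegation purpose verifiable by a service provider.
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

@dataclass(frozen=True)
class Delegation:
    statement: str               # the certified property, not identifying data
    owner_pseudonym: str         # transaction-specific pseudonym of the user
    delegatee: str               # who may show the credential
    service_types: tuple         # service types it may be shown to
    not_after: int               # end of validity (constructed clock, seconds)
    max_uses: int                # allowed number of uses
    re_delegation_allowed: bool  # owner's consent to re-delegation
    signature: str = ""

def delegate(owner_key: bytes, **purpose) -> Delegation:
    """Owner binds a credential statement to a delegatee and a delegation purpose."""
    fields = asdict(Delegation(**purpose)); fields.pop("signature")
    return Delegation(**purpose, signature=_sign(owner_key, fields))

def check_use(d: Delegation, owner_key: bytes, presenter: str, service_type: str,
              now: int, uses_so_far: int, revoked: set):
    """End service provider's check: None if the use fits the purpose, else the violated criterion."""
    fields = asdict(d); fields.pop("signature")
    if not hmac.compare_digest(d.signature, _sign(owner_key, fields)):
        return "delegation not signed by owner"
    if d.signature in revoked:                      # owner revoked the delegation
        return "credential revoked"
    if now > d.not_after:
        return "validity expired"
    if uses_so_far >= d.max_uses:
        return "allowed number of uses exhausted"
    if service_type not in d.service_types:
        return "service outside delegation purpose"
    if presenter != d.delegatee and not d.re_delegation_allowed:
        return "re-delegation without owner consent"
    return None

if __name__ == "__main__":
    key = b"constructed-owner-key"   # constructed sample key
    d = delegate(key, statement="age >= 18", owner_pseudonym="p-7f3a", delegatee="travel-agent",
                 service_types=("booking",), not_after=1000, max_uses=2, re_delegation_allowed=False)
    print(check_use(d, key, "travel-agent", "booking", 500, 0, set()))  # None
    print(check_use(d, key, "airline", "booking", 500, 0, set()))       # re-delegation without owner consent
```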
The security interests of service providers relate to accountability of their users. A privacy-preserving delegation mechanism guarantees these interests, if it fulfils the following criteria:
Non-repudiation of using a credential: The use of a credential should be unambiguously assigned to the one who has shown this credential. It should be possible for the end service provider to assign the use of a credential to its user. Since this user can be the delegatee or the owner of a credential, it should be verifiable whether a delegatee or a user has used this credential.
Revealing of identity: The identity of a criminal user should be revealed in exceptional cases such as fraud. It should be verifiable for everyone that an exceptional case has occurred.
In the following, we investigate credential-based identity management systems with respect to these criteria.
Denis Royer | 44 / 58 |