Identity Management

The inclusion of identity management in the cloud computing landscape represents a new business opportunity for providing what has been called Identity Management as a Service (IDaaS). Nevertheless, IDaaS introduces the same kind of problems regarding privacy and data confidentiality as other cloud services; on top of that, the nature of the outsourced information (users’ identity) is critical. Traditionally, cloud services (including IDaaS) rely only on SLAs and security policies to protect the data, but these measures have proven insufficient in some cases; recent research has employed advanced cryptographic mechanisms as an additional safeguard. Apart from this, there are several identity management schemes that could be used for realizing IDaaS systems in the cloud; among them, OpenID has gained crescent popularity because of its open and decentralized nature, which makes it a prime candidate for this task. In this paper we demonstrate how a privacy-preserving IDaaS system can be implemented using OpenID Attribute Exchange and a proxy re-encryption scheme. Our prototype enables an identity provider to serve attributes to other parties without being able to read their values. This proposal constitutes a novel contribution to both privacy and identity management fields. Finally, we discuss the performance and economical viability of our proposal.

The advent of cloud computing has provided the opportunity to externalize the identity management processes, shaping what has been called Identity Management as a Service (IDaaS). However, as in the case of other cloud-based services, IDaaS brings with it great concerns regarding security and privacy, such as the loss of control over the outsourced data. As part of this PhD thesis, we analyze these concerns and propose BlindIdM, a model for privacy-preserving IDaaS with a focus on data privacy protection through the use of proxy re-encryption.

The paper describes the experience with integration of automatic cyber identity technology with policy controlled virtualisation environment. One identity technology has been used to enable strong authentication of users (human beings) as well as machines (host systems) to the virtualization management system. The real experimental evaluation has been done in PASSIVE project (Policy-Assessed system-level Security of Sensitive Information processing in Virtualised Environments - SEVENTH FRAMEWORK PROGRAMME THEME ICT-2009.1.4 INFORMATION AND COMMUNICATION TECHNOLOGIES - Small or medium-scale focused research project - Grant agreement no.: 257644).

Intercloud notion is gaining a lot of attention lately from both enterprise and academia, not only because of its benefits and expected results but also due to the challenges that it introduces regarding interoperability and standardisation. Identity management services are one of the main candidates to be outsourced into the Intercloud, since they are one of the most common services needed by companies and organisations. This paper addresses emerging identity management challenges that arise in intercloud formations, such as naming, identification, interoperability, identity life cycle management and single sign-on.

Continuous authentication is mainly associated with the use of biometrics to guarantee that a resource is being accessed by the same user throughout the usage period. Wireless devices can also serve as a supporting technology for continuous authentication or even as a complete alternative to biometrics when accessing proximity-based services. In this paper we present the implementation of a secure, non-invasive continuous authentication scheme supported by the use of Wearable Wireless Devices (WWD), which allow users to gain access to proximity-based services while preserving their privacy. Additionally we devise an improved scheme that circumvents some of the limitations of our implementation.

Logic languages establish a formal framework to solve authorization and delegation conflicts. However, we consider that a visual representation is necessary since graphs are more expressive and understandable than logic languages. In this paper, and after overviewing previous works using logic languages, we present a proposal for graph representation of authorization and delegation statements. Our proposal is based on Varadharajan et al. solution, though improve several elements of that work. We also discuss about the possible implementation of our proposal using attribute certificates.

This paper focus on two security services for internet applications:authorization and anonymity. Traditional authorization solutionsare not very helpful for many of the Internet applications; however,attribute certificates proposed by ITU-T seems to be well suited andprovide adequate solution. On the other hand, special attention is paidto the fact that many of the operations and transactions that are part ofInternet applications can be easily recorded and collected. Consequently,anonymity has become a desirable feature to be added in many cases. Inthis work we propose a solution to enhance the X.509 attribute certificatein such a way that it becomes a conditionally anonymous attributecertificate. Moreover, we present a protocol to obtain such certificatesin a way that respects users’ anonymity by using a fair blind signaturescheme. We also show how to use such certificates and describe a fewcases where problems could arise, identifying some open problems.

This paper presents a model for delegation based on partial orders, proposing the subclass relation in OWL as a way to represent the partial orders. Delegation and authorization decisions are made based on the context. In order to interact with the context, we define the Type of a credential as a way to introduce extra information regarding context constraints. When reasoning about delegation and authorization relationships, our model benefits from partial orders, defining them over entities, attributes and the credential type. Using these partial orders, the number of credentials required is reduced. It also classifies the possible criteria for making authorization decisions based on the context, in relation to the necessary information.

When delegation is implemented using the attribute certificates in a Privilege Management Infrastructure (PMI), this one reaches a considerable level of distributed functionality. However, the approach is not flexible enough for the requirements of ubiquitous environments. Additionally, the PMI can become a too complex solution for devices such as smartphones and PDAs, where resources are limited. In this work, we solve the previous limitations by defining a second class of attributes, called domain attributes, which are managed directly by users and are not right under the scope of the PMI, thus providing a light solution for constrained devices. The two classes of attributes are related by defining a simple ontology. We also introduce in the paper the concept of Attribute Federation which is responsible for supporting domain attributes and the corresponding ontology.

En la actualidad, cada vez son más frecuentes los ataques software mediante la utilización de malware o sustitución de programas (o componentes) en los repositorios a los cuales los usuarios finales (o máquinas) acceden. Esta situación se ve de alguna manera acentuada con el dinamismo existente en la programación y ejecución de estos componentes, en la que distintos desarrolladores pueden participar para desplegar un determinado servicio o parte de él. Por ello, en este artículo se presenta una solución para la distribución de código de forma segura usando OpenID y firmas con certificados de clave pública de corta duración. De esta forma, se consigue un compromiso de seguridad que permite distribuir código firmado sin la necesidad de que los desarrolladores dispongan a priori de un certificado específico. Presentamos además algunos detalles acerca de la implementación realizada para hacer realidad este diseño.