BlindIdM: A privacy-preserving approach for identity management as a service

  • Special Issue Paper
International Journal of Information Security

Abstract

Identity management is an almost indispensable component of today’s organizations and companies, as it plays a key role in authentication and access control; however, at the same time, it is widely recognized as a costly and time-consuming task. The advent of cloud computing technologies, together with the promise of flexible, cheap and efficient provision of services, has provided the opportunity to externalize such a common process, shaping what has been called Identity Management as a Service (IDaaS). Nevertheless, as in the case of other cloud-based services, IDaaS brings with it great concerns regarding security and privacy, such as the loss of control over the outsourced data. In this paper, we analyze these concerns and propose BlindIdM, a model for privacy-preserving IDaaS with a focus on data privacy protection. In particular, we describe how a SAML-based system can be augmented to employ proxy re-encryption techniques for achieving data confidentiality with respect to the cloud provider, while preserving the ability to supply the identity service. This is an innovative contribution to both the privacy and identity management landscapes.

Notes

  1. The term blind is used here analogously to its use in blind signature, a signature scheme that enables the signer to produce a signature without knowing the content of the underlying message.

  2. Note that HIPAA is focused on the health care sector.

Acknowledgments

This work was partly supported by the projects FISICCO (P11-TIC-07223) and ARES (CSD2007-00004). The first author has been funded by an FPI fellowship from the Junta de Andalucia through the project PISCIS (P10-TIC-06334).

Author information

Corresponding author

Correspondence to David Nuñez.

About this article

Cite this article

Nuñez, D., Agudo, I. BlindIdM: A privacy-preserving approach for identity management as a service. Int. J. Inf. Secur. 13, 199–215 (2014). https://doi.org/10.1007/s10207-014-0230-4

  • DOI: https://doi.org/10.1007/s10207-014-0230-4
