DOI: 10.1145/1373290.1373297
Research article

Secure roaming with identity metasystems

Published: 04 March 2008

Abstract

The notion of an identity metasystem has been introduced as a means to ensure interoperability among different identity systems while providing a consistent user experience. Current identity metasystems provide limited support for secure roaming; by "roaming" we mean the ability of a user to use the same set of identities and credentials across different terminals. We argue that, in order to support different types of roaming, the identity metasystem client should be structured as a set of distributable components. We describe such a distributed client-side software architecture and how it is implemented by adapting Novell's Bandit project. We use our implementation to demonstrate how credentials can be stored on a trusted device, in the form of a mobile phone, yet used on less trusted terminals, in the form of PCs.

Published In

IDtrust '08: Proceedings of the 7th symposium on Identity and trust on the Internet
March 2008
149 pages
ISBN:9781605580661
DOI:10.1145/1373290

Sponsors

  • Internet2
  • The National Institute of Standards and Technology
  • OASIS IDtrust Member Section
  • FPKIPA: Federal Public Key Infrastructure Policy Authority

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. identity metasystem
  2. mobility
  3. roaming

Conference

IDtrust 2008
Sponsor:
  • FPKIPA
IDtrust 2008: 7th Symposium on Identity and Trust on the Internet
March 4 - 6, 2008
Gaithersburg, Maryland, USA

Cited By

  • (2012) Evaluation Criteria for Future Identity Management. Proceedings of the 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 801-806. DOI 10.1109/TrustCom.2012.153. Online publication date: 25-Jun-2012
  • (2011) An approach of authentication base on modified digital identity metasystem in service-oriented architecture. Proceedings of the 2011 international conference on Web information systems and mining - Volume Part I, pp. 304-311. DOI 10.5555/2045561.2045605. Online publication date: 24-Sep-2011
  • (2011) Enforcing physically restricted access control for remote data. Proceedings of the first ACM conference on Data and application security and privacy, pp. 203-212. DOI 10.1145/1943513.1943540. Online publication date: 21-Feb-2011
  • (2011) Research of Identity Metasystem Based Authentication Mechanism in SOA. Information and Management Engineering, pp. 56-63. DOI 10.1007/978-3-642-24022-5_9. Online publication date: 2011
  • (2011) An Approach of Authentication Base on Modified Digital Identity Metasystem in Service-Oriented Architecture. Web Information Systems and Mining, pp. 304-311. DOI 10.1007/978-3-642-23971-7_38. Online publication date: 2011
  • (2010) A closer look at recognition-based graphical passwords on mobile devices. Proceedings of the Sixth Symposium on Usable Privacy and Security, pp. 1-12. DOI 10.1145/1837110.1837114. Online publication date: 14-Jul-2010
  • (2010) Universal Identity Management Model Based on Anonymous Credentials. Proceedings of the 2010 IEEE International Conference on Services Computing, pp. 305-312. DOI 10.1109/SCC.2010.46. Online publication date: 5-Jul-2010
  • (2009) Physically restricted authentication with trusted hardware. Proceedings of the 2009 ACM workshop on Scalable trusted computing, pp. 55-60. DOI 10.1145/1655108.1655118. Online publication date: 13-Nov-2009
  • (2009) Context-Dependent Authentication and Access Control. iNetSec 2009 – Open Research Problems in Network Security, pp. 63-75. DOI 10.1007/978-3-642-05437-2_6. Online publication date: 2009