In this work we tackle the problem of privacy and confidentiality in Identity Management as a Service (IDaaS). The adoption of cloud computing technologies by organizations has fostered the externalization of identity management processes, shaping the concept of Identity Management as a Service. However, as with other cloud-based services, the cloud poses serious risks to users, since they lose control over their data. Here we analyze these concerns and propose a model for privacy-preserving IDaaS, called BlindIdM, which is designed to provide data privacy protection through the use of cryptographic safeguards.
Privacy Preserving Identity Management as a Service
1. Outline Motivation State of the art Results Research Challenges
Privacy-Preserving
Identity Management as a Service
David Nuñez
Supervisors: Isaac Agudo, and Javier Lopez
Network, Information and Computer Security Laboratory (NICS Lab)
Universidad de Málaga, Spain
Email: dnunez@lcc.uma.es
June 4, 2014
1. Motivation
2. State of the art
3. Results
4. Research Challenges
Introduction
Identity Management is a ubiquitous service
Costly ⇒ specific applications and personnel
Identity Management as a Service (IDaaS)
Cloud computing solution to this problem
Organizations can outsource their IdM services to the cloud
Cloud providers specialized in Identity Management
New business opportunities to cloud providers
Scenarios
Figure: Federated Identity Management Scenario. The employee belongs to the host organization, which acts as identity provider, and requests a service from the service provider; the service provider retrieves the identity information, which the identity provider provides; service provider and identity provider share a direct trust relationship.
Scenarios
Figure: Identity Management as a Service Scenario. The employee belongs to the host organization and requests a service from the service provider; the host organization outsources identity management to the cloud identity provider, which provides the identity information the service provider retrieves. Trust is direct between the cloud identity provider and each of the other two parties, and indirect between the host organization and the service provider.
Motivation
Classic problem of cloud computing
⇒ The user loses control of their data
Now we are talking about identity data...
⇒ Data protection laws and regulations
Current solution: Service Level Agreements (SLAs)
⇒ It is just an agreement, not a technical safeguard
Trust problem ⇒ Users are obliged to trust the provider
Problem statement
Goal: To define technical safeguards that allow an IdM service
without compromising users’ data
This solution must go beyond defining an access control and
enforcement layer
⇒ Cryptographic safeguards
Solution must not interfere with the service provision
Control must go back to the owner of data
Proposal
BlindIDM – A Model for Privacy-preserving IDaaS
Privacy-preserving IDaaS system
Based on SAML 2.0 and Proxy Re-Encryption
Identity attributes are encrypted by the user and decrypted by
the requester
The Identity Provider (IdP) stores encrypted attributes
⇒ Still capable of offering an identity service
First proposal that tackles this problem
Cryptographic Cloud Storage
Kamara, S., and Lauter, K. (2010). Cryptographic cloud storage. In
Financial Cryptography and Data Security
Sticky Policies
Pearson, S., Mont, M. C., Chen, L., and Reed, A. (2011). End-to-end
policy-based encryption and management of data in the cloud. In IEEE
CloudCom 2011
SAML 2.0
Security Assertion Markup Language
OASIS Standard
Description and exchange of identity information (e.g.,
attributes)
Protocols for issuing and exchanging assertions
Proxy Re-Encryption: Overview
A PRE scheme is a public-key encryption scheme that permits a
proxy to transform ciphertexts under Alice’s public key into
ciphertexts under Bob’s public key.
The proxy needs a re-encryption key rA→B to make this
transformation possible.
Figure: Proxy Re-Encryption flow
Proxy Re-Encryption: AFGH scheme
Global parameters:
G1, G2 are groups of prime order q
e : G1 × G1 → G2 is a bilinear pairing
g ∈ G1, Z = e(g, g) ∈ G2
Primitives:
Key Generation: KG() = (sA, pA)
Re-Encryption Key Generation: RKG(sA, pB) = rA→B
First-level Encryption: E1(m, pA) = c1
Second-level Encryption: E2(m, pA) = c2
Re-Encryption: R(c2, rA→B) = c1
First-level Decryption: D1(c1, sA) = m
Second-level Decryption: D2(c2, sA) = m
Proxy Re-Encryption: AFGH scheme
Properties:
Unidirectional
Unihop
Collusion-resistant
BlindIDM – Privacy-preserving IDaaS
Figure: Identity Management as a Service Scenario (the same scenario as above: the host organization outsources identity management to the cloud identity provider, which provides identity information to the service provider).
BlindIDM – Privacy-preserving IDaaS
Figure: Information flow within our system. The host organization holds the key pair (pH, sH) and generates the re-encryption key rH→SP; the service provider holds (pSP, sSP); the cloud identity provider stores the encrypted attribute ca and forwards its re-encryption to the service provider.
Assumptions
Honest-but-curious provider: The cloud provider will respect
protocol fulfillment, but will try to read users’ data
Existing trust relationship between users and requesters
⇒ Expressed using SAML Metadata
Integration with SAML
Participants: User agent, Service Provider, Cloud Identity Provider, Host Organization
1. The user agent requests a service from the Service Provider
2. Discovery of the IdP
3. The Service Provider issues a SAML AuthnRequest to the Cloud Identity Provider (user redirection)
4. The Cloud Identity Provider forwards the SAML AuthnRequest to the Host Organization (user redirection)
5. User authentication at the Host Organization, which returns a SAML Response to the Cloud Identity Provider (user redirection)
6. The Cloud Identity Provider re-encrypts the user attributes and creates a SAML Response for the Service Provider (user redirection)
7. The Service Provider decrypts the user attributes and verifies the SAML Response
8. Access to service
Figure: Modified SAML Authentication sequence
Implementation details
We have implemented:
Prototype implementation using OpenSAML library
AFGH Proxy Re-Encryption scheme using Java Pairing-Based
Cryptography library (jPBC) [1]
[1] A. D. Caro, http://gas.dia.unisa.it/projects/jpbc
Economic analysis
Most proposals do not analyze their economic impact
Cryptographic operations have an economic cost due to
computation, communication, etc.
⇒ The cloud provider incurs expenses for energy
consumption, personnel, ...
Our estimations are based on research by Chen and Sion [2]
⇒ They give estimations for computation, storage and
communication costs, expressed in picocents (1 picocent
= 10^−12 USD cent)
We estimate the number of CPU cycles to give an
approximation of the costs
[2] Y. Chen and R. Sion, “On securing untrusted clouds with cryptography”, in
Proc. 9th annual ACM workshop on Privacy in the electronic society
Economic analysis: costs
Table: Costs in picocents for the main operations
Operation       Cost per operation   Operations per cent
Encryption      4.34E+08             2304
Re-encryption   4.79E+08             2087
Decryption      5.70E+08             1755
Economic analysis: example scenario
IDaaS provider that handles 1 million attribute requests per
day ⇒ 1 million re-encryptions per day
Approx. 2000 USD per year
Reasonable cost for an average-sized company, considering
that their information is encrypted at the cloud provider
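As an added example (not code from the paper or its prototype), the following Python reproduces the economic analysis above: it converts the per-operation picocent costs from the table into operations per cent and projects the yearly cost of the one-million-re-encryptions-per-day scenario.

```python
# Added example: cost projection for BlindIdM cryptographic operations,
# using the per-operation costs (in picocents) reported on the page.
# 1 picocent = 10^-12 USD cent, so one cent buys 10^12 picocents of work.
PICOCENTS_PER_CENT = 10**12
CENTS_PER_USD = 100

# Cost per operation in picocents, taken from the page's table.
COST_PICOCENTS = {
    "encryption": 4.34e8,
    "re-encryption": 4.79e8,
    "decryption": 5.70e8,
}


def operations_per_cent(cost_picocents: float) -> int:
    """Whole operations that one USD cent pays for at the given cost.

    Gives 2304 and 2087 for encryption and re-encryption as in the table;
    for decryption the rounded 5.70E+08 yields 1754, one less than the
    table's 1755, which comes from the unrounded cost.
    """
    return int(PICOCENTS_PER_CENT // cost_picocents)


def annual_cost_usd(ops_per_day: dict, cost_table=COST_PICOCENTS, days=365) -> float:
    """Yearly cost in USD for a workload given as {operation: ops per day}."""
    total_picocents = 0.0
    for op, per_day in ops_per_day.items():
        total_picocents += cost_table[op] * per_day * days
    return total_picocents / PICOCENTS_PER_CENT / CENTS_PER_USD


def example_scenario_usd() -> float:
    """The page's scenario: 1 million attribute requests per day, each
    costing one re-encryption at the cloud identity provider."""
    return annual_cost_usd({"re-encryption": 1_000_000})


if __name__ == "__main__":
    for op, cost in COST_PICOCENTS.items():
        print(f"{op:14s} {cost:.2e} picocents -> {operations_per_cent(cost)} ops/cent")
    # Roughly 1748 USD, i.e. the "approx. 2000 USD per year" figure above.
    print(f"Scenario: {example_scenario_usd():,.2f} USD per year")
```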
Results
IDaaS is a promising paradigm for organizations
Cloud providers are in a privileged position to gain information
about their users
We need technical safeguards, such as those based on
cryptography, to ensure users’ privacy
Results
We describe an IDaaS system that handles encrypted
attributes and still provides an identity service
Our system is based on SAML and Proxy Re-Encryption
The cloud identity provider transforms encrypted attributes
from the original users into ciphertexts for the requesters using
re-encryption
An implementation and an economic analysis are provided
Publications
D. Nuñez, and I. Agudo, “BlindIdM: A Privacy-Preserving
Approach for Identity Management as a Service”, In
International Journal of Information Security, vol. 13, issue 2,
Springer, pp. 199-215, 2014.
D. Nuñez, I. Agudo, and J. Lopez, “Integrating OpenID with
Proxy Re-Encryption to enhance privacy in cloud-based
identity services”, In IEEE CloudCom 2012, Dec 2012
D. Nuñez, I. Agudo, et al., “Identity Management Challenges
for Intercloud Applications”, In STAVE 2011, June, 2011
I. Agudo, D. Nuñez, et al., “Cryptography Goes to the
Cloud”, In STAVE 2011, June, 2011
Next steps
Consider the (un)linkability problem
Granular access control
Deployment of prototype in cloud setting
More efficient and secure cryptographic solutions
Research Challenges
Leveraging user-centricity in identity management.
Enhancing users’ privacy in digital transactions that involve
their identity.
Interoperability of the solutions.
Solutions that reduce the trade-off between anonymity and
accountability.
Exploring and devising new cryptographic techniques for
protecting privacy on cloud-based settings.