Privacy-preserving user identity
in Identity-as-a-Service
Tri Hoang Vo
Deutsche Telekom
21st Innovation in Clouds, Internet and Networks
On behalf of
Prof. Dr. Woldemar Fuhrmann, Darmstadt University of Applied Sciences
Dr. Klaus-Peter Fischer-Hellmann, Digamma GmbH
1. introduction
identity management (IDM)
• Personally Identifiable Information (PII) is information about a person (e.g., home address, tax
identification number) that makes it possible to identify that individual.
• Applications require PII to:
  ▪ Authorise a user request (Attribute-based Access Control).
  ▪ Complete a business transaction.
• PII may be stored in a central Identity Provider (IdP) for multiple applications to use.
  → Advantages: SSO, lower management cost for each application.
22.02.2018 Tri Hoang Vo / Privacy-preserving user identity in IDaaS 2
1. introduction
Federated Identity management
Use case:
• Employees of Telekom use Cloud services hosted by Salesforce.
Solution:
• Employees authenticate at Telekom IdP & access Cloud services at Salesforce.
• We may transfer PII from Telekom (trusted domain) to Salesforce (visitor domain).
Problem:
• How to control Cloud services' access to user data?
• How to protect against an honest-but-curious IdP, malware, and a malicious IdP?
• How to prevent Salesforce operators from accessing user data (insider attack)?
2. Related work
OAUTH?
• The Service Provider (SP) redirects the user to an authorisation server & asks for user permission (yes/no).
• Limitations:
  ▪ No fine-grained access control.
  ▪ Requires user interaction over a frontend service → hidden chains of services are not supported.
  ▪ Relies on an authorisation server → honest-but-curious, insider attack.
2. Related work
Anonymous credentials
• The user performs a zero-knowledge proof to an SP.
• Implementations:
  ▪ Idemix (IBM), U-Prove (Microsoft).
  ▪ ABC4Trust.
• Limitations:
  ▪ User interaction over a frontend service → limitation for hidden chains of services.
  ▪ Works in one domain only → federated IDM (multiple domains) is not supported.
3. solution
idea: EU Data Protection Directive
OECD Privacy guidelines:
• Data gathered for one purpose cannot be used for another purpose without user consent.
• After the purposes (for gathering data) are fulfilled, data must be deleted.
EU Data Protection Directive:
• PII may only be transferred to a third country if that country provides an adequate level of protection.
→ Disclosure policy based on: purpose, time, and domain (/country).
3. solution
purpose-aware attribute-based encryption
1. A trusted IdP encrypts user data & distributes it to the federated IDM (e.g., Id1, Id2).
   → User data is encrypted with a disclosure policy.
2. The user authenticates to the trusted IdP & gets a cryptographic “time” token.
3. SP1 receives the “time” token & requests an environmental “purpose” token.
   → SP1 combines the “time” token with the “purpose” token to decrypt user data.
   → Decryption works if the “time” and the “purpose” tokens satisfy the disclosure policy.
4. SP1 may forward the “time” token to a partner service (e.g., SP2 in Amazon).
4. implementation
disclosure policy example
User data is disclosed if it is used:
• To complete a current transaction.
• For the purposes of “purchase” and “delivery”.
• For all Cloud services hosted by “Salesforce” in “EU”.
• In a limited time.
Encrypt with pub key of Telekom
Encrypt with pub key of Salesforce
4. implementation
time token
Time token
bind to transaction id
bind to user id
4. implementation
purpose token
Purpose token
bind to transaction id
bind to user id
• If the token combination satisfies the disclosure policy → decryption works.
• Tokens with different user id and transaction id → decryption fails → prevents collusion attacks.
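The token binding from the solution steps and the two token slides, as an added Python sketch that is not code from the slides or the paper: it swaps the attribute-based encryption for an HMAC-derived key (so the encryptor here knows the issuing secret, which real ABE avoids) to show why mixing tokens from different users or transactions yields no key. The `Authority` class, the attribute strings, the user ids and the transaction ids are constructed for illustration.

```python
"""Toy model of the token binding; HMAC stands in for the ABE scheme."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_PII = b"home address (constructed sample)"


def _prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so fields cannot run together."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-based keystream (toy cipher, for this model only)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = _prf(key, b"stream", nonce, (offset // 32).to_bytes(4, "big"))
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass(frozen=True)
class Token:
    attribute: str  # e.g. "time:2018-02-22" or "purpose:purchase" (assumed format)
    share: bytes    # key share bound to (attribute, user id, transaction id)


class Authority:
    """Stands in for the token issuers and the encrypting trusted IdP."""

    def __init__(self) -> None:
        self._secret = os.urandom(32)

    def issue(self, attribute: str, user_id: str, tx_id: str) -> Token:
        share = _prf(self._secret, attribute.encode(), user_id.encode(), tx_id.encode())
        return Token(attribute, share)

    def encrypt(self, policy: List[str], user_id: str, tx_id: str, data: bytes) -> dict:
        """Encrypt under an AND policy: every listed attribute is required."""
        attrs = sorted(policy)
        shares = [self.issue(a, user_id, tx_id).share for a in attrs]
        key = _prf(b"content-key", *shares)
        nonce = os.urandom(16)
        body = _keystream_xor(key, nonce, data)
        return {"policy": attrs, "nonce": nonce, "body": body,
                "tag": _prf(key, b"tag", nonce, body)}


def decrypt(record: dict, tokens: List[Token]) -> Optional[bytes]:
    """Return the plaintext, or None when the tokens do not yield the key.

    No user id or transaction id is compared here: a token issued for another
    user or transaction simply contributes a share that derives a wrong key.
    """
    held = {t.attribute: t.share for t in tokens}
    if any(a not in held for a in record["policy"]):
        return None  # a required attribute (time window or purpose) is missing
    key = _prf(b"content-key", *(held[a] for a in record["policy"]))
    expected = _prf(key, b"tag", record["nonce"], record["body"])
    if not hmac.compare_digest(expected, record["tag"]):
        return None  # shares came from a different user id / transaction id
    return _keystream_xor(key, record["nonce"], record["body"])


def demo() -> dict:
    authority = Authority()
    record = authority.encrypt(["time:2018-02-22", "purpose:purchase"],
                               "alice", "tx-1001", SAMPLE_PII)
    time_ok = authority.issue("time:2018-02-22", "alice", "tx-1001")
    purpose_ok = authority.issue("purpose:purchase", "alice", "tx-1001")
    purpose_bob = authority.issue("purpose:purchase", "bob", "tx-2002")
    purpose_other = authority.issue("purpose:marketing", "alice", "tx-1001")
    time_old = authority.issue("time:2018-02-21", "alice", "tx-1001")
    return {
        "matching": decrypt(record, [time_ok, purpose_ok]),
        "collusion": decrypt(record, [time_ok, purpose_bob]),
        "wrong_purpose": decrypt(record, [time_ok, purpose_other]),
        "expired": decrypt(record, [time_old, purpose_ok]),
        "time_only": decrypt(record, [time_ok]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} -> {result!r}")
```
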
5. results
Evaluation:
• Performance is fast (token generation 300ms, decryption 20ms) → See paper.
Solved:
• Insider attack (user data is encrypted in visitor domains).
• Malicious hosting, honest-but-curious IdP (tampered code → cryptographic computation fails).
Usability:
• Cryptographic computation is the authorisation itself.
  → Our mechanism is used where no authorisation server is needed.
• Purpose-aware access control (vs. traditional access control like RBAC) is suitable for sharing
sensitive user information in a large distributed and heterogeneous environment.
  → Internet of things.
