Security, Trust and Privacy (STP) Model for Federated Identity and Access Management (FIAM) Systems

The federated identity and access management systems facilitate the home domain organization users to access multiple resources (services) in the foreign domain organization by web single sign-on facility. In federated environment the user’s authentication is performed in the beginning of an authentication session and allowed to access multiple resources (services) until the current session is active. In current federated identity and access management systems the main security concerns are: (1) In home domain organization machine platforms bidirectional integrity measurement is not exist, (2) Integrated authentication (i.e., username/password and home domain machine platforms mutual attestation) is not present and (3) The resource (service) authorization in the foreign domain organization is not via the home domain machine platforms bidirectional attestation

Federated identity architecture of the european eID system

Federated identity management is a method that facilitates management of identity processes and policies among the collaborating entities without a centralized control. Nowadays, there are many federated identity solutions, however, most of them covers different aspects of the identification problem, solving in some cases specific problems. Thus, none of these initiatives has consolidated as a unique solution and surely it will remain like that in a near future. To assist users choosing a possible solution, we analyze different federated identify approaches, showing main features, and making a comparative study among them. The former problem is even worst when multiple organizations or countries already have legacy eID systems, as it is the case of Europe. In this paper, we also present the European eID solution, a purely federated identity system that aims to serve almost 500 million people and that could be extended in midterm also to eID companies. The system is now being deployed at the EU level and we present the basic architecture and evaluate its performance and scalability, showing that the solution is feasible from the point of view of performance while keeping security constrains in mind. The results show a good performance of the solution in local, organizational, and remote environments

Systematizing Decentralization and Privacy: Lessons from 15 Years of Research and Deployments

Decentralized systems are a subset of distributed systems where multiple authorities control different components and no authority is fully trusted by all. This implies that any component in a decentralized system is potentially adversarial. We revise fifteen years of research on decentralization and privacy, and provide an overview of key systems, as well as key insights for designers of future systems. We show that decentralized designs can enhance privacy, integrity, and availability but also require careful trade-offs in terms of system complexity, properties provided, and degree of decentralization. These trade-offs need to be understood and navigated by designers. We argue that a combination of insights from cryptography, distributed systems, and mechanism design, aligned with the development of adequate incentives, are necessary to build scalable and successful privacy-preserving decentralized systems

Identity in research infrastructure and scientific communication: Report from the 1st IRISC workshop, Helsinki Sep 12-13, 2011

Motivation for the IRISC workshop came from the observation that identity and digital identification are increasingly important factors in modern scientific research, especially with the now near-ubiquitous use of the Internet as a global medium for dissemination and debate of scientific knowledge and data, and as a platform for scientific collaborations and large-scale e-science activities.

The 1 1/2 day IRISC2011 workshop sought to explore a series of interrelated topics under two main themes: i) unambiguously identifying authors/creators & attributing their scholarly works, and ii) individual identification and access management in the context of identity federations. Specific aims of the workshop included:

• Raising overall awareness of key technical and non-technical challenges, opportunities and developments.
• Facilitating a dialogue, cross-pollination of ideas, collaboration and coordination between diverse – and largely unconnected – communities.
• Identifying & discussing existing/emerging technologies, best practices and requirements for researcher identification.

This report provides background information on key identification-related concepts & projects, describes workshop proceedings and summarizes key workshop findings

The case for federated identity management in 5G communications

The heterogeneous nature of fifth generation mobile network (5G) makes the access and provision of network services very difficult and raises security concerns. With multi-users and multi-operators, Service-Oriented Authentication (SOA) and authorization mechanisms are required to provide quick access and interaction between network services. The users require seamless access to services regardless of the domain, type of connectivity or security mechanism used. Hence a need for Identity and Access Management (IAM) mechanism to complement the improved user experience promised in 5G. Federated Identity Management (FIdM) a feature of IAM, can provide a user with use Single Sign On (SSO) to access services from multiple Service Providers (SP). This addresses security requirements such as authentication, authorization and user’s privacy from the end user perspectives, however 5G networks access lacks such solution. We propose a Network Service Federated Identity (NS-FId) model that address these security requirements and complements the 5G Service- Based Architecture (SBA). We present different scenarios and applications of the proposed model. We also discuss the benefits of identity management in 5G