Establishing and protecting digital identity in federation systems

We develop solutions for the security and privacy of user identity information in a federation. By federation we mean a group of organizations or service providers which have built trust among each other and enable sharing of user identity information amongst themselves. Our solution supports a step by step approach according to which an individual can first establish a digital identity followed by a secure and protected use of such identity. We first introduce a flexible approach to establish a single sign-on (SSO) ID in a federation. Then we show how a user can leverage this SSO ID to establish certified and uncertified user identity attributes without the dependence on PKI for user authentication. This makes the process more usable and enhances privacy. The major contribution of this paper is a novel solution for protection against identity theft of these identity attributes. Our approach is based on the use of zero-knowledge proof protocols and distributed hash tables. Revocation mechanisms of the identity attributes are also developed. We illustrate how current revocation techniques can benefit from the underlying federation framework and the use of distributed hash tables. Finally, we formally prove correctness and provide complexity results for our protocols. The complexity results show that our approach is efficient. In the paper we also show that the protocol is robust enough even in the case of semi-trusted "honest-yet curious" service providers, thus preventing against insider threat. We believe that the approach represents a precursor to new and innovative cryptographic techniques which can provide solutions for the security and privacy problems in federated identity management.