- Main research unit: Center for Research in Advanced Computing Systems (CRACS)
- Henrique Manuel Dinis Santos
- Luis Filipe Coelho Antunes
- Ricardo João Cruz Correia
- Ana Margarida Leite de Almeida Ferreira
- Luis Daniel Freitas Azevedo Maia
- Luís Manuel Magalhães Carvalho Valente Teixeira
- Rui André dos Reis Martins
- Start date: 2010 | End date: 2013
- Financing: €120,000.00 (FCT)
Project description: The explosive growth of the Internet is accelerating the need to move and translate essential real world societal infrastructures to the virtual world. These invisible threads are keeping and enabling digital societies populated by digital identities that need to be managed and secured in an effective way. As a consequence, Identity management as a whole plays a fundamental role in securing access to an increasing set of systems and applications in everyday services and associated communications.
More recently, the tendency has been to concentrate on identity models conceived to facilitate user centric identity management, in concert with a digital society more focused on increasing the individual reliable management of civil liberties, like privacy and freedom.
Individuals must be given the tools to be able to easily secure and exercise for themselves their basic privacy rights. They need to be able to define how much about them is publicly known on the Internet and by whom. With the continuing growth of the number of online services, users end up having their identities scattered across multiple systems throughout Internet. It is thus important to develop systems and processes that can help manage and control the access, and even the discloser and finality of these resources.
Federated Identity is the means by which web applications can offer users cross-domain single (SSO), which lets them authenticate once and thereafter gain access to protected resources and web sites elsewhere within the same federation domain. Federated identity management is a set of technologies and processes that let computer systems dynamically distribute identity information and delegate identity tasks across security domains [MERD08]. However attractive its benefits, federated identity imposes costs as well, entailing new and increased security and privacy risks because it shares valuable information across domains using loosely coupled network protocols [OID08]. Such risks require mitigation, which can range from preventing message replay to collecting user consent for data sharing in both online and offline scenarios.
Open ID is a decentralized system protocol 'for user centric identification and digital identity management in the Internet. It is a “single sign on" (SSO) system, thus it eliminates the need for multiple user names and passwords across different security domains, i.e in the Open ID universe relying parties. A replying party, sometimes designated has “service provider”, is the site that wants to verify the end-user´s identifier (RDRD06). Open ID allows users to add as much attributes as they believe that best describes them and assume profiles, also called Personas.
Under this context we have developed the EOID server and associated Firefox plugin. EOID is a user friendly and more secure solution regarding identity management. It implements the OpenID 2.0 protocol combined with java smart card technology for strong authentication in the form of the new Portuguese Citizen´s Card. We have also developed a plugin for the Firefox browser in order to provide the user with the sponsorship of SAPO ISP within the 2008 summerbits initiative.
With OFELIA, we are proposing the study, conceptualization and implementation of new ideas and extensions for federated identity management and federated authorization mechanisms by using and levering the work we have already developed for EOID (FRFADCM09). On identity management we want to explore the idea of having sensitive identity attributes directly stored on a user’s personal mobile secured wallet. This wallet could be a smart card, a PDA or even a personal mobile phone. We want to develop new extensions for the OpenID protocol that will allow for the secure communication of especially sensitive identification attributes from user a personal wallet, through the identity server, to an authorized relying party requesting them.
These attributes reside on user personal devices and can only be disclosed at the user discretion. To make this service even more user empowering and applicable under more rigorous contexts, like clinical health records, we want to further explore new ideas in the use of “valet key” authorization mechanisms for the issue and user-centric management of temporal automatic access authorization for strongly identified entities on a federation of trusted identity providers. This user centred model imposes new requirements to authentication and we also want to explore the use of biometrics in federated environments to secure the issue of valet authorization keys in contexts where the use of other authentication mechanisms like smart cards or passwords are not so appropriate, e.g on clinical settings where a doctor needs to quickly prove that he has the right to use a “valet key” that gives him access to a patients clinical record.
- Project at FCT - (PTDC/EIA-EIA/104328/2008)