961 results for identity management


Relevance:

100.00%

Publisher:

Abstract:

In a digital world, users’ Personally Identifiable Information (PII) is normally managed with a system called an Identity Management System (IMS). There are many types of IMSs. There are situations when two or more IMSs need to communicate with each other (such as when a service provider needs to obtain some identity information about a user from a trusted identity provider). There could be interoperability issues when communicating parties use different types of IMS. To facilitate interoperability between different IMSs, an Identity Meta System (IMetS) is normally used. An IMetS can, at least theoretically, join various types of IMSs to make them interoperable and give users the illusion that they are interacting with just one IMS. However, due to the complexity of an IMS, attempting to join various types of IMSs is a technically challenging task, let alone assessing how well an IMetS manages to integrate these IMSs. The first contribution of this thesis is the development of a generic IMS model called the Layered Identity Infrastructure Model (LIIM). Using this model, we develop a set of properties that an ideal IMetS should provide. This idealized form is then used as a benchmark to evaluate existing IMetSs. Different types of IMS provide varying levels of privacy protection support. Unfortunately, as observed by Jøsang et al (2007), there is insufficient privacy protection in many of the existing IMSs. In this thesis, we study and extend a type of privacy enhancing technology known as an Anonymous Credential System (ACS). In particular, we extend the ACS which is built on the cryptographic primitives proposed by Camenisch, Lysyanskaya, and Shoup. We call this system the Camenisch, Lysyanskaya, Shoup - Anonymous Credential System (CLS-ACS). The goal of CLS-ACS is to let users be as anonymous as possible. 
Unfortunately, CLS-ACS has problems, including (1) the concentration of power to a single entity - known as the Anonymity Revocation Manager (ARM) - who, if malicious, can trivially reveal a user’s PII (resulting in an illegal revocation of the user’s anonymity), and (2) poor performance due to the resource-intensive cryptographic operations required. The second and third contributions of this thesis are the proposal of two protocols that reduce the trust dependencies on the ARM during users’ anonymity revocation. Both protocols distribute trust from the ARM to a set of n referees (n > 1), resulting in a significant reduction of the probability of an anonymity revocation being performed illegally. The first protocol, called the User Centric Anonymity Revocation Protocol (UCARP), allows a user’s anonymity to be revoked in a user-centric manner (that is, the user is aware that his/her anonymity is about to be revoked). The second protocol, called the Anonymity Revocation Protocol with Re-encryption (ARPR), allows a user’s anonymity to be revoked by a service provider in an accountable manner (that is, there is a clear mechanism to determine which entity can eventually learn - and possibly misuse - the identity of the user). The fourth contribution of this thesis is the proposal of a protocol called the Private Information Escrow bound to Multiple Conditions Protocol (PIEMCP). This protocol is designed to address the performance issue of CLS-ACS by applying the CLS-ACS in a federated single sign-on (FSSO) environment. Our analysis shows that PIEMCP can both reduce the amount of expensive modular exponentiation operations required and lower the risk of illegal revocation of users’ anonymity. Finally, the protocols proposed in this thesis are complex and need to be formally evaluated to ensure that their required security properties are satisfied. In this thesis, we use Coloured Petri nets (CPNs) and their corresponding state space analysis techniques. 
All of the protocols proposed in this thesis have been formally modeled and verified using these formal techniques. Therefore, the fifth contribution of this thesis is a demonstration of the applicability of CPN and its corresponding analysis techniques in modeling and verifying privacy enhancing protocols. To our knowledge, this is the first time that CPN has been comprehensively applied to model and verify privacy enhancing protocols. From our experience, we also propose several CPN modeling approaches, including complex cryptographic primitives (such as zero-knowledge proof protocol) modeling, attack parameterization, and others. The proposed approaches can be applied to other security protocols, not just privacy enhancing protocols.

Relevance:

100.00%

Publisher:

Abstract:

Usability in HCI (Human-Computer Interaction) is normally understood as the simplicity and clarity with which the interaction with a computer program or a web site is designed. Identity management systems need to provide adequate usability and should have a simple and intuitive interface. The system should not only be designed to satisfy service provider requirements but it has to consider user requirements, otherwise it will lead to inconvenience and poor usability for users when managing their identities. With poor usability and a poor user interface with regard to security, it is highly likely that the system will have poor security. The rapid growth in the number of online services leads to an increasing number of different digital identities each user needs to manage. As a result, many people feel overloaded with credentials, which in turn negatively impacts their ability to manage them securely. Passwords are perhaps the most common type of credential used today. To avoid the tedious task of remembering difficult passwords, users often behave less securely by using low entropy and weak passwords. Weak passwords and bad password habits represent security threats to online services. Some solutions have been developed to eliminate the need for users to create and manage passwords. A typical solution is based on generating one-time passwords, i.e. passwords for single session or transaction usage. Unfortunately, most of these solutions do not satisfy scalability and/or usability requirements, or they are simply insecure. In this thesis, the security and usability aspects of contemporary methods for authentication based on one-time passwords (OTP) are examined and analyzed. In addition, more scalable solutions that provide a good user experience while at the same time preserving strong security are proposed.

Relevance:

100.00%

Publisher:

Abstract:

Identity is traditionally defined as an emission concept [1]. Yet, some research points out that there are external factors that can influence it [2]; [3]; [4]. This subject is even more relevant if one considers corporate brands. According to Aaker [5] the number, the power and the credibility of corporate associations are bigger in the case of corporate brands. Literature recognizes the influence of relationships between companies in identity management. Yet, given the increasingly important role of corporate brands, it is surprising that to date no attempt to evaluate that influence has been made in the management of corporate brand identity. Also Keller and Lehman [6] highlight relationships and customer experience as two areas requiring more investigation. In line with this, the authors intend to develop an empirical research in order to evaluate the influence of relationships between brands in the identity of corporate brand from an internal perspective by interviewing internal stakeholders (brand managers and internal clients). This paper is organized by main contents: theoretical background, research methodology, data analysis and conclusions and finally cues to future investigation.

Relevance:

100.00%

Publisher:

Abstract:

The demand for electronic identity has grown as a result of governments' promotion of e-Government, in which the citizen-public administration relationship often has a strictly personal nature and requires digital identification systems that are univocal, secure, and global. The management of this identity by public administrations is an important challenge, accentuated when interoperability among public administrations of different countries becomes necessary. In this paper current trends in pan-European identity management systems are analyzed and an outlook of the future European scenario is shown.

Relevance:

100.00%

Publisher:

Abstract:

European public administrations must manage citizens' digital identities, particularly considering interoperability among different countries. Owing to the diversity of electronic identity management (eIDM) systems, when users of one such system seek to communicate with governments using a different system, both systems must be linked and understand each other. To achieve this, the European Union is working on an interoperability framework. This article provides an overview of eIDM systems' current state at a pan-European level. It identifies and analyzes issues on which agreement exists, as well as those that aren't yet resolved and are preventing the adoption of a large-scale model.

Relevance:

100.00%

Publisher:

Abstract:

The FIWARE initiative offers a set of powerful APIs that provide the basis for fast and efficient innovation in the Future Internet. These APIs are key to developing applications that use very recent and innovative technologies, such as the Internet of Things or Identity Management in security modules. This document presents the development of a FIWARE web application using virtualized components in virtual machines. The web application is based on “Willy Wonka's chocolate factory” as a metaphorical implementation of a security and IoT application in an industrial environment. The main component is a node.js web server that connects to several FIWARE components, known as “Generic Enablers”. The implementation consists of two main modules: the IoT module and the security module. The IoT module manages the sensors installed by Willy Wonka in the factory rooms to monitor various parameters such as temperature, pressure or occupancy. The IoT module creates and receives context information from the virtual sensors. This context information is managed and stored in a FIWARE component known as the Context Broker. The Context Broker is based on subscription mechanisms that post the sensor data to the application in real time and whenever the data change. The connection with the client is made through Web Sockets (socket.io). The security module manages user accounts and user information, authenticates users in the application using a FIWARE account, and checks their authorization to access different resources. Different roles are created with different permissions assigned. For example, Willy Wonka can have access to all resources, while an Oompa Loompa in charge of the chocolate room should only have access to the resources of that room. 
This module is made up of three components: the Identity Manager, the PEP Proxy and the AuthZForce PDP. The Identity Manager stores the users' FIWARE accounts and enables Single Sign-On authentication using the OAuth2 protocol. After logging in, authenticated users receive an authentication token that is later used by AuthZForce to check the user's role and associated permission. The PEP Proxy acts as a proxy server that forwards permitted requests and blocks unauthorized ones.

Relevance:

100.00%

Publisher:

Abstract:

Identity management is an important research area today from both a theoretical and a practical point of view. Cooperation, electronic knowledge flow and exchange in the field are conceivable in the long term only if automatic tools support a uniform interpretation. In this article the author summarizes the research activities that, using the tools of knowledge management, artificial intelligence and information technology, were applied to the conceptual mapping and description of the identity management domain. The research goal was to establish a common conceptual basis for the identity management domain that makes it possible to manage the multidimensional environment surrounding it. The research is also connected to the GUIDE research project, in which the author participates. ______________ Identity management is an important research field from theoretical and practical aspects as well. The task itself is not new, identification and authentication were always necessary in public administration and business life. Information Society offers new services for citizens, which dramatically change the way of administration and result in additional risks and opportunities. The goal of the demonstrated research was to formulate a common basis for the identity management domain in order to support the management of the surrounding multidimensional environment. There is a need for capturing, mapping, processing knowledge concerning identity management in order to support reusability, interoperability; to help common sharing and understanding the domain and to avoid inconsistency. The paper summarizes research activities for the identification, conceptualisation and representation of domain knowledge related to identity management, using the results of knowledge management, artificial intelligence and information technology. I utilized the experiences of the GUIDE project, in which I participate. 
The paper demonstrates that domain ontologies could offer a proper solution for identity management domain conceptualisation.

Relevance:

80.00%

Publisher:

Abstract:

This paper explores how the effective use of performance management systems (PMS) essentialises collective identities through the use of textual performances. The discursive effect of PMS operates to simplify members’ logic to allow them to understand and negotiate the complex nature of collective performance. Two case studies, drawing on a qualitative study of the implementation of PMS in two public sector organisations, point to the unique contribution of symbolic effects of one popular PMS, the balanced scorecard (BSC). Findings suggest that the BSC visualising the trajectory of achieving organisational vision through multiple perspectives, measures and linkages is a valuable identity product to achieve organisational success. The case studies also provide an analysis that contrasts aspects of the diffusion and promotion of collective identities through the use of the BSC. This demonstrates that clear direction in the identity management process is an important factor in the design and implementation of successful PMS programs. The value of this paper is to heighten recognition of the symbolic agency of PMS, as it serves as a subtle mechanism for identity management, and also to foster the collaboration of communication specialists and management accountants to achieve common organisational goals.

Relevance:

80.00%

Publisher:

Abstract:

The professional identity of management accountants (MAs) is evolving. According to 8,727 descriptors expressed by 1,158 participants, a range of characteristics of MAs are competing in shaping the identity of future MAs. Respondents strongly valued qualities such as professional principles, hard work, intelligence, analytical and forward thinking in MAs. Further, more innovative, dynamic and people-oriented qualities were strongly suggested for future MAs, with roles relating to multi-skilled business integrator, business partner/advisor, leader, change agent, and decision enabler/maker. Cultivating leadership qualities in the management accounting profession is critical according to participants. Projecting a positive image of the profession and CIMA, and innovative training in management and leadership skills can further support MAs to meet future challenges. Most of all, understanding business and continued personal development by individual MAs is highly valued in shaping the future leadership identity of MAs. Our quantitative data show positive relationships between the professional identification, image and reputation, and leadership qualities of MAs. This suggests that the more one identifies with the profession, the more one is likely to report higher levels of leadership qualities that support members to internalise the desired meaning of their profession and to create a positive image and reputation. After the financial crisis of 2008–2009, the image of financial professions has been tarnished and unpredictable markets and unstable employment opportunities have challenged the profession across all sectors. Many respondents, especially CIMA members, suggested that the turmoil of the financial crisis did not impact negatively but rather elevated the pivotal role of MAs in contributing to cost efficiency and value creation.

Relevance:

70.00%

Publisher:

Abstract:

Establishing a nationwide Electronic Health Record system has become a primary objective for many countries around the world, including Australia, in order to improve the quality of healthcare while at the same time decreasing its cost. Doing so will require federating the large number of patient data repositories currently in use throughout the country. However, implementation of EHR systems is being hindered by several obstacles, among them concerns about data privacy and trustworthiness. Current IT solutions fail to satisfy patients’ privacy desires and do not provide a trustworthiness measure for medical data. This thesis starts with the observation that existing EHR system proposals suffer from six serious shortcomings that affect patients’ privacy and safety, and medical practitioners’ trust in EHR data: accuracy and privacy concerns over linking patients’ existing medical records; the inability of patients to have control over who accesses their private data; the inability to protect against inferences about patients’ sensitive data; the lack of a mechanism for evaluating the trustworthiness of medical data; and the failure of current healthcare workflow processes to capture and enforce patient’s privacy desires. Following an action research method, this thesis addresses the above shortcomings by firstly proposing an architecture for linking electronic medical records in an accurate and private way where patients are given control over what information can be revealed about them. This is accomplished by extending the structure and protocols introduced in federated identity management to link a patient’s EHR to his existing medical records by using pseudonym identifiers. Secondly, a privacy-aware access control model is developed to satisfy patients’ privacy requirements. 
The model is developed by integrating three standard access control models in a way that gives patients access control over their private data and ensures that legitimate uses of EHRs are not hindered. Thirdly, a probabilistic approach for detecting and restricting inference channels resulting from publicly-available medical data is developed to guard against indirect accesses to a patient’s private data. This approach is based upon a Bayesian network and the causal probabilistic relations that exist between medical data fields. The resulting definitions and algorithms show how an inference channel can be detected and restricted to satisfy patients’ expressed privacy goals. Fourthly, a medical data trustworthiness assessment model is developed to evaluate the quality of medical data by assessing the trustworthiness of its sources (e.g. a healthcare provider or medical practitioner). In this model, Beta and Dirichlet reputation systems are used to collect reputation scores about medical data sources and these are used to compute the trustworthiness of medical data via subjective logic. Finally, an extension is made to healthcare workflow management processes to capture and enforce patients’ privacy policies. This is accomplished by developing a conceptual model that introduces new workflow notions to make the workflow management system aware of a patient’s privacy requirements. These extensions are then implemented in the YAWL workflow management system.

Relevance:

70.00%

Publisher:

Abstract:

In this article we explore ways in which vertical gender inequality is accomplished in discourse in the context of a recent chain of cross-border mergers and acquisitions that resulted in the formation of a multinational Nordic company. We analyse social interactions of ‘doing’ gender in interviews with male senior executives from Denmark, Finland and Sweden. We argue that their explanations for the absence of women in the top echelons of the company serve to distance vertical gender inequality. The main contribution of the article is an analysis of how national identities are discursively (re)constructed in such distancing. New insights are offered to studying gender in multinationals with a cross-cultural team of researchers. Our study sheds light on how gender intersects with nationality in shaping the multinational organization and the identities of male executives in globalizing business.

Relevance:

70.00%

Publisher:

Abstract:

In recent years, progress in the area of mobile telecommunications has changed our way of life, in the private as well as the business domain. Mobile and wireless networks have ever increasing bit rates, mobile network operators provide more and more services, and at the same time costs for the usage of mobile services and bit rates are decreasing. However, mobile services today still lack functions that seamlessly integrate into users’ everyday life. That is, service attributes such as context-awareness and personalisation are often either proprietary, limited or not available at all. In order to overcome this deficiency, telecommunications companies are heavily engaged in the research and development of service platforms for networks beyond 3G for the provisioning of innovative mobile services. These service platforms are to support such service attributes. Service platforms are to provide basic service-independent functions such as billing, identity management, context management, user profile management, etc. Instead of developing own solutions, developers of end-user services such as innovative messaging services or location-based services can utilise the platform-side functions for their own purposes. In doing so, the platform-side support for such functions takes away complexity, development time and development costs from service developers. Context-awareness and personalisation are two of the most important aspects of service platforms in telecommunications environments. The combination of context-awareness and personalisation features can also be described as situation-dependent personalisation of services. The support for this feature requires several processing steps. The focus of this doctoral thesis is on the processing step, in which the user’s current context is matched against situation-dependent user preferences to find the matching user preferences for the current user’s situation. 
However, to achieve this, a user profile management system and corresponding functionality is required. These parts are also covered by this thesis. Altogether, this thesis provides the following contributions: The first part of the contribution is mainly architecture-oriented. First and foremost, we provide a user profile management system that addresses the specific requirements of service platforms in telecommunications environments. In particular, the user profile management system has to deal with situation-specific user preferences and with user information for various services. In order to structure the user information, we also propose a user profile structure and the corresponding user profile ontology as part of an ontology infrastructure in a service platform. The second part of the contribution is the selection mechanism for finding matching situation-dependent user preferences for the personalisation of services. This functionality is provided as a sub-module of the user profile management system. Contrary to existing solutions, our selection mechanism is based on ontology reasoning. This mechanism is evaluated in terms of runtime performance and in terms of supported functionality compared to other approaches. The results of the evaluation show the benefits and the drawbacks of ontology modelling and ontology reasoning in practical applications.