Author. Ginés Dólera Tormo. Advisors Dr. Félix Gómez Mármol (NEC Laboratories Europe) Prof. Dr. Gregorio Martínez Pérez (University of Murcia)

Transcription

1 Systems with Faculty of Computer Science ENHANCING USER CENTRIC IDENTITY MANAGEMENT SYSTEMS WITH REPUTATION MODELS IN DISTRIBUTED ENVIRONMENTS Author Advisors Dr. Félix Gómez Mármol (NEC Laboratories Europe) Prof. Dr. Gregorio Martínez Pérez () 31 st October Motivation & Goals Motivation Internet users hardly know who handled their data, and how User centric Identity system are becoming popular to deal with SSO + Privacy + User Control Yet, these systems present shortcomings in regards to trust Hardly applicable to distributed environments Systems present an elegant alternative to manage trust Users may find out the behavior of entities before interacting with them 2 31st October

2 Systems with Motivation & Goals Goals G Improve Identity solutions with Models aiming user centricity, adaptability and privacy G 1 Study the state of the art of user centric identity management systems and management systems G 2 Identify challenges that the integration of both concepts raises in distributed environments G 3 Design solutions toward achieving that integration G 4 Focus on accuracy, dynamism and privacy as key drivers G 5 Analyze the behavior of such solutions, through experiments, considering malicious users and entities. 3 in Solutions Composing this State of the Art Identity management state of the art analysis Integration between user centric Identity system and Systems study 1 Accuracy & Dynamism 2 in distributed IdM (OpenID) Advanced Care Coordination Platform Privacy ROMEO Simulator Dynamic and Flexible Selection Bridging the Trust Gap in Environments 4 3 User centric & privacy Towards privacy preserving management for Hybrid Broadcast Broadband applications st October

3 Systems with Identity State of the Art in OAuth Higgins Cardspace Requirement /Model Control via IdP Identity selector Zeroknowledge Confidentiality Successfully Successfully Successfully Single Sign On Successfully Successfully Successfully Auditing Successfully Successfully Limited Strong authentication Limited Successfully Successfully Justifiable parties (trust) Limited Limited Limited End user consent Limited Successfully Successfully Control of data Limited Successfully Successfully Usability Successfully Limited Limited Attribute revocation Successfully Limited Limited Self asserted attributes Limited Successfully Successfully Minimal disclosure Limited Limited Successfully 5 in management systems base trust on recommendations Integration between Identity & Systems Trustworthy? Fit with user centric Identity drawbacks Reliability Trustworthiness Dynamism Raise numerous open questions 6 31st October

4 Systems with in State of the Art Identity management state of the art analysis Integration between user centric Identity system and Systems study Accuracy & Dynamism in distributed IdM (OpenID) Advanced Care Coordination Platform Privacy ROMEO Simulator Dynamic and Flexible Selection Bridging the Trust Gap in Environments User centric & privacy Towards privacy preserving management for Hybrid Broadcast Broadband applications 7 OpenID Overview in Service Provider Access service OpenID Provider Redirect user for authentication Log in process (user sends credentials) Redirect back with Token Service retrieval 8 31st October

5 Systems with OpenID Overview + in Service Provider Access service Redirect user for authentication OpenID Provider Other OpenID Providers Log in process (user sends credentials) Service Provider information Redirect back with Token Request Service Provider recommendations Aggregate recommendations Service retrieval Send recommendation 8 Computation Engines in Different ways of aggregating recommendations Average Weighted Average Preferences Weighted Average User Weighted Average 9 31st October

6 Systems with Experiments Results in Computation Engine Number of Users System Conditions Number of OPs User Participation Network Resources Computer Resources Average Weighted Average Preferences Weighted Average + + Users Weighted Average Computation Engine Accuracy Performance Measurements User Adaptability Satisfaction Behavior with malicious users Behavior with malicious Ops Average + + Weighted Average Preferences Weighted Average Users Weighted Average ROMEO Simulator in 11 31st October

7 Systems with in State of the Art Identity management state of the art analysis Integration between user centric Identity system and Systems study Accuracy & Dynamism in distributed IdM (OpenID) Advanced Care Coordination Platform Privacy ROMEO Simulator Dynamic and Flexible Selection Bridging the Trust Gap in Environments User centric & privacy Towards privacy preserving management for Hybrid Broadcast Broadband applications 12 Solution Architecture Overview in Computation Engines Pool Recommendations Database Computation Engine 1 Computation Engine 2... Engine Selector Computation Engine n Swap status=active status=idle status=idle Monitor Define Evaluate System Conditions SC 1 SC... 2 SC m Performance Measurements PM 1 PM... 2 PM p Inference Rules R 1 1 R R 1? R 2 1 R R 2? R n 1 R n... 2 R n? 13 31st October

8 Systems with Fuzzy Sets and Smooth Transition in Inference rules defined using fuzzy sets Very High High Medium Low Very Low Smooth transition RCE Computation Engine 14 Experiments Results in Accuracy of different models in a dynamic environment 15 31st October

9 Systems with in State of the Art Identity management state of the art analysis Integration between user centric Identity system and Systems study Accuracy & Dynamism in distributed IdM (OpenID) Advanced Care Coordination Platform Privacy ROMEO Simulator Dynamic and Flexible Selection Bridging the Trust Gap in Environments User centric & privacy Towards privacy preserving management for Hybrid Broadcast Broadband applications 16 Scenario Elements Overview Care Coordinator (Identity Provider) in Goals Users get CSPs CSPs and APs get of each other Attribute Providers (APs) Direct trust Patient based trust Care Service Providers (CSPs) Weighted Average Privacy Goals Recommendations remain private Recommenders remain private Recommenders weights remain private 17 31st October

10 Systems with Advanced Care Coordinator Platform in Doctors INC MyDoctor.com Share Care Care Coordinator (Identity Provider) 2 Attribute Provider Patient provides feedback erecord 5 1 Patient requests assistance 3 Care Service Provider requests access to Patient Info Care Service Providers Care Givers Patient 18 in Privacy preserving Recommendations Aggregation Care Service Provider user 0 = ε( ) user 1 = ε( ) user 2 = ε( ) Identity Provider Aggregate recommendations Other Care Service Providers ε( ) ε ε(. ) 19 31st October

11 Systems with in Privacy preserving Recommendations Aggregation Care Service Provider user 0 = ε( ) user 1 = ε( ) user 2 = ε( ) Identity Provider Aggregate recommendations Patient (Bob) ε ε( ) user 0 = ε( ) user 1 = ε( ) user 2 = ε( ), 19 in State of the Art Identity management state of the art analysis Integration between user centric Identity system and Systems study Accuracy & Dynamism in distributed IdM (OpenID) Advanced Care Coordination Platform Privacy ROMEO Simulator Dynamic and Flexible Selection Bridging the Trust Gap in Environments User centric & privacy Towards privacy preserving management for Hybrid Broadcast Broadband applications 20 31st October

12 Systems with Privacy preserving Properties in Identity Provider Authentication ε() ε(similarity) End user App Store real users identity Identity Provider Application Store similarity between users users recommendations relate two users interactions 21 Solution Overview in End user request response Log in App Store pseudo id (p ID 1 ) Similarity request (p ID 1, other p IDs) Provides encrypted similarities Decrypts similarities and aggregates feedbacks accordingly Identity Provider Provides feedback Stores feedback Sends encrypted feedback Updates similarities and stores encrypted feedback 22 31st October

13 Systems with Update Encrypted Similarities in App Store Sends encrypted feedback i Identity Provider update(similarity i,1, feedback i ) update(similarity i,2, feedback i ) update(similarity i,3, feedback i ) update(similarity i,1, feedback i ) compare(feedback i, feedback j ) do they match? no yes ε(result) = ε(0) ε(result) = ε(1) ε(similarity i,j ) = ε(similarity i,j ) + ε(result) 23 in State of the Art Identity management state of the art analysis Integration between user centric Identity system and Systems study Accuracy & Dynamism in distributed IdM (OpenID) Advanced Care Coordination Platform Privacy ROMEO Simulator Dynamic and Flexible Selection Bridging the Trust Gap in Environments User centric & privacy Towards privacy preserving management for Hybrid Broadcast Broadband applications 24 31st October

14 Systems with Conclusions & Future Work State of the Art Identity management state of the art analysis Integration between user centric Identity system and Systems study Accuracy & Dynamism in distributed IdM (OpenID) Advanced Care Coordination Platform Privacy ROMEO Simulator Dynamic and Flexible Selection Bridging the Trust Gap in Environments User centric & privacy Towards privacy preserving management for Hybrid Broadcast Broadband applications 25 Conclusions & Future Work Future Work Bring developed mechanisms into a standardization body Enhancing the proposed solutions in order to assist administrators Study applicability and scope of advanced cryptographic techniques to preserve users' privacy Analyzing how presented integration could be applied to other contexts 26 31st October

15 Systems with Contributions Summary Book Chapters, Félix Gómez Mármol, Gregorio Martínez Pérez, "Identity in Cloud Systems", Security, Privacy and Trust in Cloud Systems, Springer, Eds: S. Nepal, M. Pathan, Part II Cloud Privacy and Trust, ISBN: , pp , Contributions Summary Journals with Impact Factor, Félix Gómez Mármol, Gregorio Martínez Pérez, Towards privacy preserving management for hybrid broadcast broadband applications, Computers & Security, 2014 [IF=1.172, Q2], Félix Gómez Mármol, Gregorio Martínez Pérez, "Dynamic and flexible selection of a mechanism for heterogeneous environments", Elsevier Future Generation Computer Systems, Special Issue on Trustworthy Data Fusion and Mining in Internet of Things, 2014 [IF=2.639, Q1], Félix Gómez Mármol, Gregorio Martínez Pérez, "Towards the integration of management ", Computer Standards & Interfaces, Special Issue on Secure Mobility in Future Communication Systems under Standardization, vol. 36, no. 3, pp , 2014 [IF=1.177, Q2], Félix Gómez Mármol, Joao Girao, Gregorio Martínez Pérez, "Identity management: In privacy we trust. Bridging the trust gap in e Health environments", IEEE Security & Privacy, Special Issue on Health IT Security and Privacy, vol. 11, no. 6, pp , 2013 [IF=0.721, Q3] 28 31st October

16 Systems with Contributions Summary Conferences, Félix Gómez Mármol, Gregorio Martínez Pérez, "ROMEO: ReputatiOn Model Enhancing OpenID Simulator", 19th European Symposium on Research in Computer Security (ESORICS), Security & Trust Workshop (STM), LNCS 8743, pp , Wroclaw, Poland, 07 11/09/2014, Félix Gómez Mármol, Gregorio Martínez Pérez, "On the Application of Trust and and User centric Techniques for Identity Systems", XII Spanish Meeting on Cryptology and Information Security (RECSI 2012), San Sebastián, Spain, 04 07/09/ Contributions Summary International Patents Joao Girao, Brigitta Lange, Nils Gruschka,, Félix Gómez Mármol, "Method to support an advanced home services coordination platform", US A1, 14/11/2013, Félix Gómez Mármol, "System and Method for determining a Mechanism", WO 2013/ A1, 08/02/ st October

17 Systems with Contributions Summary Complementary Work Journal with impact factor Daniel Díaz López,, Félix Gómez Mármol, Gregorio Martínez Pérez, "Managing XACML systems in distributed environments through Meta Policies", Computers & Security, 2014 [IF=1.172, Q2] Daniel Díaz López,, Félix Gómez Mármol, Gregorio Martínez Pérez, "Dynamic counter measures for risk based access control systems: an evolutive approach", Elsevier Future Generation Computer Systems, Special Issue on Trust, Security and Privacy in Distributed Systems, 2014 [IF=2.639, Q1] Daniel O. Díaz López,, Félix Gómez Mármol, José M. Alcaraz Calero, Gregorio Martínez Pérez, "Live digital, remember digital: State of the art and research challenges", Computers & Electrical Engineering, 40th year Commemorative Special Issue, vol. 40, no. 1, pp , 2014 [IF=0.992, Q3], Gabriel López Millán, Gregorio Martínez Pérez, "Definition of an advanced identity management infrastructure", International Journal of Information Security, vol. 12, no. 3, pp , June 2013 [IF=0.941, Q2] 31 Contributions Summary Complementary Work Open Source Software (protected with Intelectual Property Rights) OpenXKMS: Open source implementation of the W3C Recommendation of the XML Key Specification 2.0 UMU XACML Editor: Graphical editor for access control policy defition based on the XACML standard Mistral IdM: Identity management implementation with advanced authentication and authorization features, based on standards (SAML, XACML and XKMS) SAMLUtil: Helper implementation to provide common SAML functionality Identity Aggregator: Identity Manager between multiple stakeholders XACML WebPAP: User friendly web based Policy Administration Point for the XACML standard 32 31st October

18 Systems with Contributions Summary Summary Book chapters 1 Published Journal with impact factor 8 (4 included in the thesis + 4 complementary) Conferences 2 International Patents 2 Open Source Projects 6 33 Thanks for your attention Faculty of Computer Science ENHANCING USER CENTRIC IDENTITY MANAGEMENT SYSTEMS WITH REPUTATION MODELS IN DISTRIBUTED ENVIRONMENTS Author Advisors Dr. Félix Gómez Mármol (NEC Laboratories Europe) Prof. Dr. Gregorio Martínez Pérez () 31 st October st October

19 Notes

20