IFIP IDMAN 2010 Conference Program
The conference was held on Nov. 18-19, 2010 in Oslo, Norway, at The Norwegian Computing Center. The proceedings are now available as:
de Leeuw, Elisabeth; Fischer-Hübner, Simone; Fritsch, Lothar (Eds.): "Policies and Research in Identity Management"
Proceedings of the Second IFIP WG 11.6 Working Conference, IDMAN 2010, Oslo, ISBN: 978-3-642-17302-8, Springer, 2010
Conference General Chair
- Elisabeth de Leeuw, Rotterdam, The Netherlands
Programme Committee co-Chairs
- Simone Fischer-Hübner, Karlstad University, Sweden
- Lothar Fritsch, Norwegian Computing Center, Norway
- John Borking, Borking Consultancy, The Netherlands
Keynote speakers
IDMAN 2010 invited the following keynote speakers:
Dr. Melanie Volkamer, Senior Researcher, Center for Advanced Security Research Darmstadt (CASED), Technical University Darmstadt
Security in electronic voting systems: Electronic voting has a young and attractive history, both in the design of basic cryptographic methods and protocols and in the application by communities who are in the vanguard of technologies. The crucial aspect of security for electronic voting systems is subject to research by computer scientists as well as by legal, social and political scientists. The essential question is how to provide a trustworthy base for secure electronic voting, and hence how to prevent accidental or malicious abuse of electronic voting in elections. The handling of electronic and real identities, both in identifiable and anonymized ways, is one of the key challenges in electronic voting.
Presentation: Security and Trust in Electronic Voting (pdf)
Caspar Bowden, Chief Privacy Advisor at Microsoft
The Microsoft roadmap for U-Prove and identity architecture: U-Prove is a cryptographic technology that enables the issuance and presentation of cryptographically protected claims in a manner that provides multi-party security: issuing organizations, users, and relying parties can protect themselves not just against outsider attacks but also against attacks originating from each other. At the same time, the U-Prove technology enables any desired degree of privacy (including authenticated anonymity and pseudonymity) without contravening multi-party security. These user-centric aspects make the U-Prove technology ideally suited to create the digital equivalent of paper-based credentials and the plastic cards in one's wallet. This talk will present the roadmap for U-Prove and identity architectures at Microsoft.
Presentation: U-prove technology overview (pdf)
Prof. Audun Jøsang, University Graduate College, University of Oslo
Authentication Assurance with Identity Management Models: There is a strong push towards implementing and deploying identity management solutions for open environments, e.g. in the form of OpenID, CardSpace or various implementations of the SAML standard. The level of authentication assurance that can be achieved depends on the technology used as well as on the level of trust between the involved parties. This talk discusses the factors that influence the authentication assurance level that can be provided with contemporary identity management models.
Presentation: Identity Management Models (pdf)
Inclusive Identity Management - Usability perspectives on IDM
Kristin S. Fuglerud, Norwegian Computing Center
Users with disabilities are continuously confronted with barriers to using everyday ICT products and services. The first barrier is often registration and authentication. Common authentication methods include passwords and PINs, tokens, biometry, smart cards, and 3rd-party channels such as one-time codes from tokens or code generators. Studying these barriers provides insights that are relevant for all types of users.
By universal design (UD), all potential users with different skills, knowledge, age, gender, (dis)abilities and literacy can be included. A central issue in universal design of ICTs is flexible multimodal user interfaces (UI) that can meet different users' needs, abilities, situations, preferences and devices. Systems that can adapt to users' needs and preferences are called for. However, adaptive, dynamic profiling systems introduce new privacy threats.
This lecture will sketch the problem area, and introduce the technique of Universal Design and its application to electronic services with Identity Management.
Presentation: Usability Aspects of Identity Management (pdf)
ISO Identity Management Standardization - insights from PrimeLife
Hans Hedbom, Karlstad University
ISO/IEC is currently developing standards within the identity management area. This session is aimed at discussing and presenting this effort. The session is not an official ISO/IEC session. However, the presenters represent the EU FP7 PrimeLife project, which has a liaison towards ISO/IEC JTC 1/SC 27/WG 5, so views expressed might influence the comments made to the working group through this liaison.
Ten of the submitted scientific articles were accepted into the conference and into the IFIP IDMAN 2010 proceedings book. Please find the presentations and abstracts below.
Patrik Bichsel and Jan Camenisch, IBM Research Switzerland: Mixing Identities Made Easy
Anonymous credential systems are a key ingredient for a secure and privacy protecting electronic world. In their full-fledged form, they offer a wide range of features and allow one to address the requirements of almost any authentication system. However, these many features result in a complex system that can be difficult to use. In this paper, we aim to make credential systems easier to employ by providing an architecture and high-level specifications for the different components, transactions and features of the identity mixer anonymous credential system. The specifications abstract away the cryptographic details but they are still sufficiently concrete to enable all functionalities. We demonstrate the use of our framework by applying it to an e-cash scenario.
Presentation: Mixing Identities with Ease (pdf)
Haitham Al-sinani and Chris Mitchell, Royal Holloway, University of London: Using CardSpace as a Password Manager
In this paper we propose a scheme that allows Windows CardSpace to be used as a password manager, thereby both improving the usability and security of password use and potentially encouraging CardSpace adoption. Usernames and passwords are stored in personal cards, and these cards can be used to sign on transparently to corresponding websites. The scheme does not require any changes to login servers or to the CardSpace identity selector and, in particular, it does not require websites to support CardSpace. We describe how the scheme operates, and give details of a proof-of-concept prototype. Security and usability analyses are also provided.
Presentation: Using CardSpace as a Password Manager (pdf)
Klaus Stranacher and Mario Ivkovic, E-Government Innovation Center (EGIZ), Austria: Foreign Identities in the Austrian E-Government - An interoperable eID Solution
With the revision of the Austrian E-Government Act in the year 2008, the legal basis for a full integration of foreign persons in the Austrian e-government has been created. Additionally, the E-Government Equivalence Decree will be published in spring 2010. This decree clarifies which foreign electronic identities are considered to be equivalent to Austrian identities and can be electronically registered within the Austrian identity register. Based on this legal framework a concept has been developed which allows non-Austrian citizens to log in to Austrian online administrative procedures using their foreign identity. A solution resting upon this concept has been developed and successfully tested. This solution will become operative when the E-Government Equivalence Decree comes into force.
Anssi Hoikkanen et al, European Commission / JRC: Understanding the Economics of Electronic Identity: Theoretical Approaches and Case Studies
This paper discusses the economics of electronic identity (eIdentity) from both theoretical and practical perspectives. Personal identity data are becoming increasingly important in online transactions, and they have never been monetised to the extent they are today. Consequently, there is a need for an improved understanding of the economic externalities resulting from the electronic use of identities in transactions. In this context, we distinguish four main theoretical approaches for understanding economics of identity: identity as a consumption good, identity as a capital asset, identity as a social good, and identity as a cost. We analyse each of these approaches in terms of their benefits to understanding economics of identity, their drawbacks, and the bearer of the cost of identity provision. After the theoretical part, we go on to discuss three case studies, BBS, eBay and IdenTrust, and apply an appropriate concept of economics of identity to analyse each business case. Finally, we conclude the paper by discussing the implications that each of the different concepts of economics of identity has for policymakers.
Presentation: Understanding the Economics of Electronic Identity (pdf)
John Borking, Borking Consultancy: Profitable Investments Mitigating Privacy Risks
Article 17 (1) of the Directive 95/46/EC (DPD) requires that the controller must implement appropriate technical and organizational measures to protect personal data. ICT offers solutions in the shape of privacy protection for users, consumers and citizens. The application of ICT to protect privacy has become widely known under the name Privacy-Enhancing Technologies (PET or PETs). This paper points out that a positive business case for the economic justification of investments in PETs is needed before a positive decision on the investment will be taken. From a business perspective an investment in PETs implies that the investment has to be measured in Euros saved as a result of reduced costs, or in additional revenues and profits from new activities that would not have occurred without the investment. In the risk and financial management literature a number of equations can be found measuring security risks and the return on investment on security investments, some of which apply to investments necessary to reduce privacy risks. The paper highlights equations such as ROSI, ROIPI and Net Present Value (NPV) and subsequently applies them to two case studies: Ixquick, a meta search engine, and ViTTS (the Dutch Victim Tracking and Tracing System).
Presentation: Economics of Privacy and Identities (pdf)
Bendik Mjaaland, Accenture Technology Consulting, Norway: The Plateau: Imitation Attack Resistance of Gait Biometrics
Biometric technology is rapidly evolving, and recently it has been shown that the human gait, or walk, can be used to establish the identity of individuals. Constituting a new branch within biometrics, gait biometrics needs to be extensively tested and analyzed to determine its level of fraud resistance. Previous results from the attack resistance testing of gait authentication systems show that imitation, or mimicking of gait is a venerable challenge. Although mimicking attacks are intuitive and easy to perform, improving one's mimicking skills seems to be very difficult. This paper presents an experiment where participants are extensively trained to become skilled gait mimickers, or imitators. Results show that our physiological characteristics tend to work against us when we try to change something as fundamental as the way we walk. Simple gait details can be adopted, but if the imitator changes several characteristics at once, the walk is likely to become uneven and mechanical. The participants showed few indications of learning, and the results of most attackers even worsened over time, showing that training did nothing to help them succeed. With extensive training an impostor's performance can change, but this change seems to meet a natural boundary, a limit. This paper introduces the plateau, a physiologically predetermined limit to performance, forcing imitators back whenever they attempt to improve further. The location of this plateau determines the outcome of an attack; for success it has to lie below the acceptance threshold corresponding to the Equal Error Rate (EER).
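The abstract's success criterion (the imitator's plateau must lie below the EER threshold) can be made concrete with a small distance-based matcher. The following is an added illustration, not code or data from the paper: the genuine, impostor and imitator distance samples are constructed for this example, and the matcher accepts a walk whenever its distance to the enrolled template is below the threshold. The code sweeps candidate thresholds to locate the EER operating point and then tests where a trained imitator's plateau falls relative to it.

```python
"""Added example (not from the IDMAN 2010 paper or its data).

A distance-based gait matcher: lower distance = more similar to the
enrolled template, and a probe is ACCEPTED when distance < threshold.
FRR = fraction of genuine probes rejected, FAR = fraction of impostor
probes accepted. The EER threshold is the one where FAR == FRR (or the
two are closest). An imitator's "plateau" is the best distance reached
over the training sessions; the attack only works if it is below the
EER threshold. All sample values below are constructed for illustration.
"""

# Constructed distances of the legitimate user's own walks (assumption).
GENUINE = [0.10, 0.12, 0.15, 0.18, 0.20, 0.22, 0.25, 0.30, 0.35, 0.42]
# Constructed distances of untrained, unrelated impostors (assumption).
IMPOSTOR = [0.28, 0.33, 0.38, 0.45, 0.50, 0.55, 0.60, 0.70, 0.80, 0.90]
# Constructed per-session best distances of two trained imitators.
IMITATOR_A = [0.62, 0.55, 0.50, 0.48, 0.49, 0.47, 0.48, 0.47]  # stalls high
IMITATOR_B = [0.40, 0.36, 0.33, 0.34, 0.33]                    # stalls low


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) for an accept-if-distance-below-threshold rule."""
    frr = sum(1 for d in genuine if d >= threshold) / len(genuine)
    far = sum(1 for d in impostor if d < threshold) / len(impostor)
    return far, frr


def eer_threshold(genuine, impostor):
    """Sweep every observed score as a candidate threshold and return
    (threshold, eer) at the point where |FAR - FRR| is smallest.
    EER is reported as the mean of FAR and FRR at that point."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, threshold, eer = best
    return threshold, eer


def plateau(session_scores):
    """The imitator's plateau: the best (lowest) distance ever achieved.
    Later sessions may get worse, as the paper reports, so take the min."""
    return min(session_scores)


def attack_succeeds(plateau_score, threshold):
    """An imitation attack works only if the plateau lies below the
    acceptance threshold at the EER operating point."""
    return plateau_score < threshold


def evaluate(imitator_sessions, genuine=GENUINE, impostor=IMPOSTOR):
    """Convenience wrapper: EER threshold, the imitator's plateau, and
    whether that imitator would be accepted at the EER threshold."""
    threshold, eer = eer_threshold(genuine, impostor)
    p = plateau(imitator_sessions)
    return {"threshold": threshold, "eer": eer, "plateau": p,
            "success": attack_succeeds(p, threshold)}


if __name__ == "__main__":
    for name, sessions in (("A", IMITATOR_A), ("B", IMITATOR_B)):
        r = evaluate(sessions)
        print(f"EER threshold={r['threshold']:.2f} (EER={r['eer']:.2f}); "
              f"imitator {name}: plateau={r['plateau']:.2f} -> "
              f"{'accepted' if r['success'] else 'rejected'}")
```

With the constructed data the EER point sits at threshold 0.35 (FAR = FRR = 0.2). Imitator A's plateau of 0.47 never crosses it no matter how many sessions are added, which is the behaviour the paper describes; imitator B is included only to show the contrasting case where a plateau below the threshold would mean the attack succeeds. A real deployment would derive the threshold from far larger genuine and impostor populations and would typically pick an operating point stricter than EER.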
Bart van Delft, Radboud University and Martijn Oostdijk, Novay: A Security Analysis of OpenID
OpenID, a standard for Web single sign-on, has been gaining popularity with Identity Providers, Relying Parties, and users. This paper collects the security issues in OpenID found by others, occasionally extended by the authors, and presents them in a uniform way. It attempts to combine the scattered knowledge into a clear overview. The aim of this paper is to raise awareness about security issues surrounding OpenID and similar standards and help shape opinions on what (not) to expect from OpenID when deployed in a not-so-friendly context.
Presentation: A Security Analysis of OpenID (pdf)
Jan Camenisch, Thomas Gross, Peter Hladky and Christian Hoertnagl, FP7 PrimeLife Project: Privacy-friendly Incentives and their Application to Wikipedia
Double-blind peer review is a powerful method to achieve high quality and thus trustworthiness of user-contributed content. Facilitating such reviews requires incentives as well as privacy protection for the reviewers. In this paper, we present the concept of privacy-friendly incentives and discuss the properties required from it. We then propose a concrete cryptographic realization based on ideas from anonymous e-cash and credential systems. Finally, we report on our software's integration into the MediaWiki software.
Jonathan Scudder and Audun Jøsang, University of Oslo: Personal federation control with the Identity Dashboard
Current federated identity management solutions for open networks do not solve the scalability problems for users. In some cases, federation might even increase the identity management complexity that users need to handle. Solutions should empower users to actively participate in making decisions about their identity, but this is far from the current situation. This paper proposes the Identity Dashboard as a user-centric control component, providing users with tools they need to effectively partake in managing their own identities.
Presentation: The Identity Dashboard (pdf)
Hidehito Gomi, Yahoo Research Japan: Policy Provisioning for Distributed Identity Management Systems
A policy provisioning framework is described for supporting the lifecycle management of identity information with its handling policies beyond security domains. A model for managing and sharing a capsule of identity information and its handling policies is presented. Based on the model, algorithms for policy integration and provisioning with identity information are also described. This framework enables the secure management and flexible utilization of identity information reflecting the intention of its system administrator from a viewpoint of security and privacy.