Skip to main content



Policies and Research in Identity Management

Mixing Identities with Ease

Anonymous credential systems are a key ingredient for a secure and privacy protecting electronic world. In their full-fledged form, they can realize a broad range of requirements of authentication systems. However, these many features result in a complex system that can be difficult to use. In this paper, we aim to make credential systems easier to employ by providing an architecture and high-level specifications for the different components, transactions and features of the identity mixer anonymous credential system. The specifications abstract away the cryptographic details but they are still sufficiently concrete to enable all features. We demonstrate the use of our framework by applying it to an e-cash scenario.
Patrik Bichsel, Jan Camenisch

Using CardSpace as a Password Manager

In this paper we propose a novel scheme that allows Windows CardSpace to be used as a password manager, thereby improving the usability and security of password use as well as potentially encouraging CardSpace adoption. Usernames and passwords are stored in personal cards, and these cards can be used to sign on transparently to corresponding websites. The scheme does not require any changes to login servers or to the CardSpace identity selector and, in particular, it does not require websites to support CardSpace. We describe how the scheme operates, and give details of a proof-of-concept prototype. Security and usability analyses are also provided.
Haitham S. Al-Sinani, Chris J. Mitchell

Foreign Identities in the Austrian E-Government

An Interoperable eID Solution
With the revision of the Austrian E-Government Act [8] in the year 2008, the legal basis for a full integration of foreign persons in the Austrian e-government, has been created. Additionally, the E-Government Equivalence Decree [1] has been published in June 2010. This decree clarifies which foreign electronic identities are considered to be equivalent to Austrian identities and can be electronically registered within the Austrian identity register. Based on this legal framework a concept has been developed which allows non-Austrian citizens to log in to Austrian online administrative procedures using their foreign identity. A solution resting upon this concept has been developed and successfully tested. This solution has become operative in July 2010.
Mario Ivkovic, Klaus Stranacher

Understanding the Economics of Electronic Identity: Theoretical Approaches and Case Studies

This paper discusses the economics of electronic identity (eIdentity) from both theoretical and practical perspectives. Personal identity data are becoming increasingly important in online transactions, and they have never been monetised to the extent they are today. Consequently, there is a need for an improved understanding of the economic externalities resulting from the electronic use of identities in transactions. In this context, we distinguish four main theoretical approaches for understanding economics of identity: identity as a consumption good, identity as a capital asset, identity as a social good, and identity as a cost. We analyse each of these approaches in terms of their benefits to understanding economics of identity, their drawbacks, and the bearer of the cost of identity provision. After the theoretical part, we go on to discuss three case studies, BBS, eBay and IdenTrust, and apply an appropriate concept of economics of identity to analyse each business case. Finally, we conclude the paper by discussing the implications that each of the different concepts of economics of identity has for policymakers.
Anssi Hoikkanen, Margherita Bacigalupo, Wainer Lusoli, Ioannis Maghiros, Stavri Nikolov

Profitable Investments Mitigating Privacy Risks

Risk control plays an important role at privacy protection. Article 17 (1) of the Directive 95/46/EC (DPD) requires that the controller must implement appropriate technical and organizational measures to protect personal data. ICT offers solutions in the shape of privacy protection for users, consumers and citizens. The application of ICT to protect privacy has become widely known under the name Privacy-Enhancing Technologies (PET or PETs). This chapter points out that a positive business case for the economic justification of investments in PETs is needed before a positive decision on the investment will be taken. The ROI and EPV calculation methods are useful tools for management assessing PET investments.
John Borking

A Security Analysis of OpenID

OpenID, a standard for Web single sign-on, has been gaining popularity both with Identity Providers, Relying Parties, and users. This paper collects the security issues in OpenID found by others, occasionally extended by the authors, and presents them in a uniform way. It attempts to combine the shattered knowledge into a clear overview. The aim of this paper is to raise awareness about security issues surrounding OpenID and similar standards and help shape opinions on what (not) to expect from OpenID when deployed in a not-so-friendly context.
Bart van Delft, Martijn Oostdijk

Personal Federation Control with the Identity Dashboard

Current federated identity management solutions for open networks do not solve the scalability problems for users. In some cases, federation might even increase the identity management complexity that users need to handle. Solutions should empower users to actively participate in making decisions about their identity, but this is far from the current situation. This paper proposes the Identity Dashboard as a user-centric control component, providing users with tools they need to effectively partake in managing their own identities.
Jonathan Scudder, Audun Jøsang

The Plateau: Imitation Attack Resistance of Gait Biometrics

Constituting a new branch within biometrics, gait biometrics needs to be extensively tested and analyzed to determine its level of fraud resistance. Previous results examining the attack resistance testing of gait authentication systems show that imitation, or mimicking of gait, is a venerable challenge.
This paper presents an experiment where participants are extensively trained to become skilled gait mimickers. Results show that our physiological characteristics tend to work against us when we try to change something as fundamental as the way we walk. Simple gait details can be adopted, but if the imitator changes several characteristics at once, the walk is likely to become uneven and mechanical. The participants showed few indications of learning, and the results of most attackers even worsened over time, showing that training did nothing to help them succeed.
With extensive training an impostor’s performance can change, but this change seems to meet a natural boundary, a limit. This paper introduces the plateau, a physiologically predetermined limit to performance, forcing imitators back whenever they attempt to improve further. The location of this plateau determines the outcome of an attack; for success it has to lie below the acceptance threshold corresponding to the Equal Error Rate (EER).
Bendik B. Mjaaland

Privacy-Friendly Incentives and Their Application to Wikipedia

Double-blind peer review is a powerful method to achieve high quality and thus trustworthiness of user-contributed content. Facilitating such reviews requires incentives as well as privacy protection for the reviewers. In this paper, we present the concept of privacy-friendly incentives and discuss the required properties. We then propose a concrete cryptographic realization based on ideas from anonymous e-cash and credential systems. Finally, we report on our software’s integration into the MediaWiki software.
Jan Camenisch, Thomas Groß, Peter Hladky, Christian Hoertnagl

Policy Provisioning for Distributed Identity Management Systems

A policy provisioning framework is described that supports the management of the lifecycle of identity information distributed beyond security domains. A model for creating data handling policies reflecting the intentions of its system administrator and the privacy preferences of the data owner is explained. Also, algorithms for systematically integrating data handling policies from system entities in different administrative domains are presented. This framework enables data handling policies to be properly deployed and enforced in a way that enhances security and privacy.
Hidehito Gomi


Weitere Informationen

Premium Partner