Identity provider deployment based on container technology

Marko Eremija; Nebojša Ilić; Miloš Cvetanović; Jelica Protić; Zaharije Radivojević

doi:10.5937/telfor1802097e

Mobile Personal Identity Provider Based on OpenID Connect

Trust, Privacy and Security in Digital Business - Lecture Notes in Computer Science ◽

10.1007/978-3-319-64483-7_2 ◽

2017 ◽

pp. 19-31 ◽

Cited By ~ 1

Author(s):

Luigi Lo Iacono ◽

Nils Gruschka ◽

Peter Nehren

Keyword(s):

Personal Identity ◽

Identity Provider

Download Full-text

2-clickAuth

International Journal of Mobile Computing and Multimedia Communications ◽

10.4018/jmcmc.2011040101 ◽

2011 ◽

Vol 3 (2) ◽

pp. 1-18

Author(s):

Anna Vapen ◽

Nahid Shahmehri

Keyword(s):

Web Sites ◽

Identity Management ◽

Ease Of Use ◽

Internet Users ◽

Short Period ◽

Web Camera ◽

Single Identity ◽

Federated Identity Management ◽

Federated Identity ◽

Identity Provider

Internet users often have usernames and passwords at multiple web sites. To simplify things, many sites support federated identity management, which enables users to have a single account allowing them to log on to different sites by authenticating to a single identity provider. Most identity providers perform authentication using a username and password. Should these credentials be compromised, all of the user’s accounts become compromised. Therefore a more secure authentication method is desirable. This paper implements 2-clickAuth, a multimedia-based challenge-response solution which uses a web camera and a camera phone for authentication. Two-dimensional barcodes are used for the communication between phone and computer, which allows 2-clickAuth to transfer relatively large amounts of data in a short period of time. 2-clickAuth is more secure than passwords while easy to use and distribute. 2-clickAuth is a viable alternative to passwords in systems where enhanced security is desired, but availability, ease-of-use, and cost cannot be compromised. This paper implements an identity provider in the OpenID federated identity management system that uses 2-clickAuth for authentication, making 2-clickAuth available to all users of sites that support OpenID, including Facebook, Sourceforge, and MySpace.

Download Full-text

The OLYMPUS Architecture—Oblivious Identity Management for Private User-Friendly Services

Sensors ◽

10.3390/s20030945 ◽

2020 ◽

Vol 20 (3) ◽

pp. 945 ◽

Cited By ~ 1

Author(s):

Rafael Torres Moreno ◽

Jorge Bernal Bernabe ◽

Jesús García Rodríguez ◽

Tore Kasper Frederiksen ◽

Michael Stausholm ◽

...

Keyword(s):

Identity Management ◽

Service Providers ◽

Single Point ◽

Building Blocks ◽

Privacy Preserving ◽

Privacy And Security ◽

Iot Devices ◽

Eu Project ◽

Cryptographic Techniques ◽

Identity Provider

Privacy enhancing technologies (PETs) allow to achieve user’s transactions unlinkability across different online Service Providers. However, current PETs fail to guarantee unlinkability against the Identity Provider (IdP), which becomes a single point of failure in terms of privacy and security, and therefore, might impersonate its users. To address this issue, OLYMPUS EU project establishes an interoperable framework of technologies for a distributed privacy-preserving identity management based on cryptographic techniques that can be applied both to online and offline scenarios. Namely, distributed cryptographic techniques based on threshold cryptography are used to split up the role of the Identity Provider (IdP) into several authorities so that a single entity is not able to impersonate or track its users. The architecture leverages PET technologies, such as distributed threshold-based signatures and privacy attribute-based credentials (p-ABC), so that the signed tokens and the ABC credentials are managed in a distributed way by several IdPs. This paper describes the Olympus architecture, including its associated requirements, the main building blocks and processes, as well as the associated use cases. In addition, the paper shows how the Olympus oblivious architecture can be used to achieve privacy-preserving M2M offline transactions between IoT devices.

Download Full-text

Portable Personal Identity Provider in Mobile Phones

2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications ◽

10.1109/trustcom.2013.89 ◽

2013 ◽

Cited By ~ 4

Author(s):

Md. Sadek Ferdous ◽

Ron Poet

Keyword(s):

Personal Identity ◽

Mobile Phones ◽

Identity Provider

Download Full-text

Extending OpenID Connect Towards Mission Critical Applications

Cybernetics and Information Technologies ◽

10.2478/cait-2018-0041 ◽

2018 ◽

Vol 18 (3) ◽

pp. 93-110 ◽

Cited By ~ 1

Author(s):

R. Deeptha ◽

Rajeswari Mukesh

Keyword(s):

Security Analysis ◽

Banking System ◽

Central Banking ◽

Security Requirements ◽

Impersonation Attack ◽

Banking Services ◽

Single Sign On ◽

Authentication Mechanism ◽

Mission Critical ◽

Identity Provider

Abstract Single Sign-On (SSO) decreases the complexity and eases the burden of managing many accounts with a single authentication mechanism. Mission critical application such as banking demands highly trusted identity provider to authenticate its users. The existing SSO protocol such as OpenID Connect protocol provides secure SSO but it is applicable only in the consumer-to-social-network scenarios. Owing to stringent security requirements, the SSO for banking service necessitates a highly trusted identity provider and a secured private channel for user access. The banking system depends on a dedicated central banking authority which controls the monetary policy and it must assume the role of the identity provider. This paper proposes an extension of OpenID Connect protocol that establishes a central identity provider for bank users, which facilitates the users to access different accounts using single login information. The proposed Enhanced OpenID Connect (EOIDC) modifies the authorization code flow of OpenID Connect to build a secure channel from a single trusted identity provider that supports multiple banking services. Moreover, the EOIDC tightens the security mechanism with the help of SAT to avoid impersonation attack using replay and redirect. The formal security analysis and validation demonstrate the strength of the EOIDC against possible attacks such as impersonation, eavesdropping, and a brute force login. The experimental results reveal that the proposed EOIDC system is efficient in providing secured SSO protocol for banking services.

Download Full-text

On Cryptographically Strong Bindings of SAML Assertions to Transport Layer Security

Contemporary Challenges and Solutions for Mobile and Multimedia Technologies ◽

10.4018/978-1-4666-2163-3.ch006 ◽

2012 ◽

pp. 89-106

Author(s):

Florian Kohlar ◽

Jörg Schwenk ◽

Meiko Jensen ◽

Sebastian Gajek

Keyword(s):

Identity Management ◽

Transport Layer ◽

The Public ◽

Web Technologies ◽

Transport Layer Security ◽

Man In The Middle ◽

Same Origin Policy ◽

Security Guarantees ◽

Federated Identity ◽

Identity Provider

In recent research, two approaches to protect SAML based Federated Identity Management (FIM) against man-in-the-middle attacks have been proposed. One approach is to bind the SAML assertion and the SAML artifact to the public key contained in a TLS client certificate. Another approach is to strengthen the Same Origin Policy of the browser by taking into account the security guarantees TLS gives. This work presents a third approach which is of further interest beyond IDM protocols, especially for mobile devices relying heavily on the security offered by web technologies. By binding the SAML assertion to cryptographically derived values of the TLS session that has been agreed upon between client and the service provider, this approach provides anonymity of the (mobile) browser while allowing Relying Party and Identity Provider to detect the presence of a man-in-the-middle attack.

Download Full-text

2-ClickAuth

Contemporary Challenges and Solutions for Mobile and Multimedia Technologies ◽

10.4018/978-1-4666-2163-3.ch005 ◽

2012 ◽

pp. 70-88

Author(s):

Anna Vapen ◽

Nahid Shahmehri

Keyword(s):

Web Sites ◽

Identity Management ◽

Ease Of Use ◽

Internet Users ◽

Web Camera ◽

Single Identity ◽

Federated Identity Management ◽

Federated Identity ◽

Secure Authentication ◽

Identity Provider

Internet users often have usernames and passwords at multiple web sites. To simplify things, many sites support federated identity management, which enables users to have a single account allowing them to log on to different sites by authenticating to a single identity provider. Most identity providers perform authentication using a username and password. Should these credentials be compromised, all of the user’s accounts become compromised. Therefore a more secure authentication method is desirable. This paper implements 2-clickAuth, a multimedia-based challenge-response solution which uses a web camera and a camera phone for authentication. Two-dimensional barcodes are used for the communication between phone and computer, which allows 2-clickAuth to transfer relatively large amounts of data in a short period of time. 2-clickAuth is more secure than passwords while easy to use and distribute. 2-clickAuth is a viable alternative to passwords in systems where enhanced security is desired, but availability, ease-of-use, and cost cannot be compromised. This paper implements an identity provider in the OpenID federated identity management system that uses 2-clickAuth for authentication, making 2-clickAuth available to all users of sites that support OpenID, including Facebook, Sourceforge, and MySpace.

Download Full-text